The protection of critical infrastructure and the resilience of critical entities operating that infrastructure are vital for modern societies. Without reliable supplies of energy, safe drinking water, health services, banking and financing services, or predictable transportation, among others, our way of life would not be possible. For this reason, the European Commission has long been engaged in supporting the protection of critical infrastructure and the resilience of critical entities against natural and man-made risks.
Directive on the Resilience of Critical Entities
The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.
The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies. Under the new rules:
- Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy. The Commission adopted a list of essential services in all the sectors covered by the Directive. Risk assessments will be carried out as regards these essential services, so that critical entities in each Member State can be identified.
- In turn, the critical entities will need to carry out risk assessments of their own and take technical, security and organisational measures to enhance their resilience and notify incidents.
- Critical entities in the EU providing essential services in six or more Member States will benefit from extra advice on how best to meet their obligations to assess risks and take resilience-enhancing measures.
- Member States will need to provide support to critical entities in enhancing their resilience. The Commission will provide complementary support to Member States and critical entities, by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, guidance material, methodologies, cross-border training activities and exercises to test the resilience of critical entities, among others.
The Directive covers eleven sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- Public administration
- Space
- Production, processing and distribution of food
The Critical Entities Resilience Group (CERG) is established by the Directive and facilitates cooperation among Member States and with the Commission. It allows for the exchange of information and good practices on issues relating to the resilience of critical infrastructure and critical entities. The group is chaired by the Commission and consists of representatives of competent authorities in Member States.
Council Recommendation to strengthen the resilience of critical infrastructure
The Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure, adopted on 8 December 2022, was the reaction to calls for additional measures in the aftermath of acts of sabotage against critical infrastructure in the EU. It builds on the 5-point plan for resilient critical infrastructure presented by President von der Leyen in October 2022. The Council Recommendation puts forward actions to enhance preparedness and response against current threats, both by anticipating certain elements of the Critical Entities Resilience Directive and by making use of additional instruments in a coordinated manner.
The recommendation covers three priority areas: preparedness, response and international cooperation.
Notably, to enhance preparedness, the recommendation invites Member States to update their risk assessments to reflect current threats and to conduct stress tests based on common principles and joint scenarios at EU level, starting with the energy sector. The stress test was completed by the end of 2023 and its outcome feeds the resilience-enhancing cooperation at EU level. DG HOME also supports Member States through Protective Security Advisory Missions, which can be requested for critical infrastructure.
On the response side, on 25 June 2024, the Council adopted a Recommendation for a Critical Infrastructure Blueprint. This was based on a Commission proposal of September 2023. This recommendation will enable the EU to respond in a more coordinated way to significant cross-border critical infrastructure incidents that may disrupt essential services in the Internal Market. The Critical Infrastructure Blueprint provides a roadmap with measures that can be applied when EU countries face significant critical infrastructure incidents, in sectors such as energy, transport, banking, financial market infrastructures, health, digital infrastructure, public administration, space, water and food. This will help improve situational awareness, communication and coordination at EU level.
Strengthening cooperation with NATO will help address risks and incidents with significant cross-border relevance. An EU-NATO Task Force on resilience of critical infrastructure was launched in 2023 and issued an assessment report with recommendations in this area. There is also cooperation with other international partners. The priority is the EU neighbourhood in the Western Balkans and Eastern Europe, with a particular focus on supporting Ukraine. In addition, there is frequent cooperation with the authorities of the USA and Canada.
The Council recommendation also underlines the crucial role of security research for resilient critical infrastructure. Funding for research, studies and projects has been a pillar of the EU-level work in that regard. The main instruments are the contribution to the Resilient Infrastructure destination in the security research programme of Horizon Europe, as well as the funding for the European Reference Network for Critical Infrastructure Protection (ERNCIP).
Policy timeline
- 2024
Completion of the resilience stress test in the energy sector.
- 2023
Directive on the resilience of critical entities
The Critical Entities Resilience (CER) Directive creates a framework to support Member States in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, including those caused by natural hazards, terrorism, insider threats, sabotage, or public health emergencies.
The CER Directive entered into force on 16 January 2023 and must be transposed into national legislation by Member States by 17 October 2024. The CER Directive shall apply from 18 October 2024 and replace as of that date the European Critical Infrastructure Directive. Pursuant to the CER Directive, Member States shall adopt a national strategy for enhancing the resilience of critical entities and carry out a risk assessment by 17 January 2026. Taking into account the outcomes of the risk assessment, Member States shall identify critical entities by 17 July 2026.
The Commission Delegated Regulation establishes a non-exhaustive list of essential services in all the sectors and sub-sectors of the CER Directive. The list is to be used by the competent authorities for the purpose of carrying out a risk assessment and thereafter the risk assessment is to be used for the purpose of identifying critical entities.
- 2022
Council Recommendation to strengthen the resilience of critical infrastructure
The Council Recommendation points to what Member States can do and what can be done at Union level to better prepare, better respond and enhance international cooperation as regards the resilience of critical infrastructure.
- 2020
Proposal for a Directive on the resilience of critical entities
In 2020, the Commission adopted a Proposal for a Directive on the resilience of critical entities (CER Directive).
- 2008
European Critical Infrastructure (ECI) Directive
A key pillar of the EPCIP, the European Critical Infrastructure Directive establishes a procedure for identifying and designating ECIs and a common approach for assessing the need to improve their protection.
The Directive applies only to the energy and transport sectors. Among other things, the Directive requires owners and operators of designated ECIs to prepare Operator Security Plans and to nominate Security Liaison Officers, thereby linking the owner and operator with the national authority responsible for critical infrastructure protection.