Critical infrastructure resilience

The protection of critical infrastructure and the resilience of critical entities operating that infrastructure are vital for modern societies. Without reliable supplies of energy, safe drinking water, health services, banking and financing services, or predictable transportation, among others, our way of life would not be possible. For this reason, the European Commission has long been engaged in supporting the protection of critical infrastructure and the resilience of critical entities against natural and man-made risks.

The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.

The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies. Under the new rules:

• Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy. The Commission adopted a list of essential services in all the sectors covered by the Directive. Risk assessments will be carried out as regards these essential services, so that critical entities in each Member State can be identified.
• In turn, the critical entities will need to carry out risk assessments of their own and take technical, security and organisational measures to enhance their resilience and notify incidents.
• Critical entities in the EU providing essential services in six or more Member States will benefit from extra advice on how best to meet their obligations to assess risks and take resilience-enhancing measures.
• Member States will need to provide support to critical entities in enhancing their resilience. The Commission will provide complementary support to Member States and critical entities, by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, guidance material, methodologies, cross-border training activities and exercises to test the resilience of critical entities, among others.

The Directive covers eleven sectors:

• Energy
• Transport
• Banking
• Financial market infrastructure
• Health
• Drinking water
• Wastewater
• Digital infrastructure
• Public administration
• Space
• Production, processing and distribution of food

The Critical Entities Resilience Group (CERG), is established by the Directive and facilitates cooperation among Member States and with the Commission. It allows for exchange of information and good practices on issues relating to the resilience of critical infrastructure and critical entities. The group is chaired by the Commission and consists of representatives of competent authorities in Member States.

The Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure, adopted on 8 December 2022, was the reaction to calls for additional measures in the aftermath of acts of sabotage against critical infrastructure in the EU. It builds on the 5-point plan for resilient critical infrastructure presented by President von der Leyen in October 2022. The Council Recommendation puts forward actions to enhance preparedness and response against current threats, both by anticipating certain elements of the Critical Entities Resilience Directive and by making use of additional instruments in a coordinated manner.

The recommendation covers three priority areas: preparedness, response and international cooperation.

Notably, to enhance preparedness, the recommendation invites Member States to update their risk assessments to reflect current threats and to conduct stress tests based on common principles and joint scenarios at EU level, starting with the energy sector. The stress test has been completed by the end of 2023 and its outcome feeds the resilience-enhancing cooperation at EU-level. Another instrument that DG HOME uses to support Member States are the Protective Security Advisory Missions that can be requested for critical infrastructure.

On the response side, it calls for the development of a Blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. The Commission adopted a proposal for a Council Recommendation on a Blueprint, which is being discussed with Member States.

Strengthening cooperation with NATO will help address risks and incidents with significant cross-border relevance. An EU-NATO Task Force on resilience of critical infrastructure was launched in 2023 and issued an assessment report with recommendations in this area. Apart from that, there is cooperation with international partners. The priority is the EU neighbourhood in the Western Balkans and Eastern Europe with a particular focus on supporting Ukraine. Apart from that, there is frequent cooperation with the authorities from the USA and Canada.

The Council recommendation also underlines the crucial role of security research for resilient critical infrastructure. Funding for research, studies and projects has been a pillar of the EU-level work in that regard. The main instruments are the contribution to the Resilient Infrastructure destination in the security research programme of Horizon Europe, as well as the funding for the European Reference Network for Critical Infrastructure Protection (ERNCIP).

• Directive on the resilience of critical entities (CER Directive)
  • Political agreement between the European Parliament and the Council on the CER Directive
  • Impact Assessment of the proposed CER Directive
• Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure
  • Critical Infrastructure Resilience: stronger rules (press release)
• Commission Staff Working Document: Evaluation of ECI Directive
• European Critical Infrastructure (ECI) Directive

Commission welcomes agreement on new rules on cybersecurity