The resilience of critical infrastructure and critical entities is vital for the functioning of modern societies. Without reliable supplies of energy or predictable transportation, our way of life would not be possible. For this reason, the Commission has long been engaged in supporting the resilience of critical infrastructure against natural and man-made risks.
Directive on the Resilience of Critical Entities
The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.
The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies. Under the new rules:
- Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for the society and the economy.
- In turn, the critical entities will need to carry out risk assessments of their own and take technical, security and organisational measures to enhance their resilience and notify incidents.
- Critical entities in the EU providing essential services in six or more Member States, will benefit from extra advice on how best to meet their obligations to assess risks and take resilience-enhancing measures.
- Member States will need to provide support to critical entities in enhancing their resilience. The Commission will provide complementary support to Member States and critical entities, by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, guidance material, methodologies, cross-border training activities and exercises to test the resilience of critical entities, among others.
The Directive covers eleven sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health,
- Drinking water
- Waste water
- Digital infrastructure
- Public administration
- Space and
- Production, processing and distribution of food
The Critical Entities Resilience Group (CERG), is established by the Directive and facilitates cooperation among Member States and with the Commisison. It will allow for the exchange of information and good practices on issues relating to the resilience of critical infrastructure and critical entities. The group is chaired by the Commission and consists of representatives of competent authorities in Member States.
Council Recommendation to strengthen the resilience of critical infrastructure
The Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure, adopted on 8 December 2022, was the reaction to calls for additional measures in the aftermath of acts of sabotage against critical infrastructure in the EU. It builds on the 5-point plan for resilient critical infrastructure presented by President von der Leyen in October 2022. The Council Recommendation urges Member States to enhance preparedness and response against current threats, both by anticipating certain elements of the Critical Entities Resilience Directive and by making use of additional instruments in a coordinated manner.
The recommendation covers three priority areas: preparedness, response and international cooperation. Notably, to enhance preparedness, the recommendation invites Member States to update their risk assessments to reflect current threats and to conduct stress tests based on common principles and joint scenarios at EU level, starting with the energy sector. On the response side, it calls for the development of a Blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. Strengthening international cooperation with NATO and key partner countries will help address risks and incidents with significant cross-border relevance.
European Programme for Critical Infrastructure Protection (EPCIP)
The EU’s general framework for securing resilience of critical infrastructure is the European Programme for Critical Infrastructure Protection (EPCIP). The programme was established in 2006 based on the Commission Communication on Critical Infrastructure Protection in the Fight against Terrorism
Through the Programme, the Commission is able to:
- foster cooperation with EU Member States
- foster cooperation with international partners (United States, Canada, neighbouring Countries, including Western Balkans and Eastern European partners)
- support Member States in enhancing the resilience of their critical infrastructure
- provide funding for research, studies and projects. The main pillars are the contribution to the Resilient Infrastructure destination in the security research programme of Horizon Europe, as well as the funding for the European Reference Network for Critical Infrastructure Protection (ERNCIP)
Policy timeline
- 2023Directive on the resilience of critical entities
The Critical Entities Resilience (CER) Directive creates a framework to support Member States in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, including those caused by natural hazards, terrorism, insider threats, sabotage, or public health emergencies.
The CER Directive entered into force on 16 January 2023 and shall be transposed into national legislation by Member States by 17 October 2024. The CER Directive shall apply from 18 October 2024 and replace as of that date the European Critical Infrastructure Directive. Pursuant to the CER Directive, Member States shall adopt a national strategy for enhancing the resilience of critical entities and carry out a risk assessment by 17 January 2026. Taking into account the outcomes of the risk assessment, Member States shall identify critical entities by 17 July 2026.
- 2022Council Recommendation to strengthen the resilience of critical infrastructure
The Council Recommendation points to what Member States can do and what can be done at Union level to better preparing, better responding and enhancing international cooperation as regards the resilience of critical infrastructure.
- 2020Proposal for a Directive on the resilience of critical entities
In 2020, the Commission adopted a Proposal for a Directive on the resilience of critical entities (CER Directive)
- 2018Commission Staff Working Document: Evaluation of ECI Directive
Based on the evaluation’s findings, the Commission foresaw in its adjusted work programme for 2020 a new legislative initiative on critical infrastructure resilience.
- 2008European Critical Infrastructure (ECI) Directive
A key pillar of the EPCIP, the European Critical Infrastructure Directive establishes a procedure for identifying and designating ECIs and a common approach for assessing the need to improve their protection.
The Directive applies only to the energy and transport sectors. Among other things, the Directive requires owners and operators of designated ECIs to prepare Operator Security Plans and to nominate Security Liaison Officers, thereby linking the owner and operator with the national authority responsible for critical infrastructure protection.
Documents
- Directive on the resilience of critical entities (CER Directive)
- Political agreement between the European Parliament and the Council on the CER Directive
- Impact Assessment of the proposed CER Directive
- Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure
- Critical Infrastructure Resilience: stronger rules (press release)
- Commission Staff Working Document: Evaluation of ECI Directive
- European Critical Infrastructure (ECI) Directive