Checking progress of the Legislative Proposals for CIs

Within the context of current EU priorities, the European Commission recently put forward a package of measures aimed at enhancing the resilience of critical entities in the face of cyber- and non-cyber risks.

Image by Dimitris Vetsikas from Pixabay

date:  09/06/2021


The European Commission has been engaged in matters relating to critical infrastructure protection and resilience since as early as 2006, when it established the European Programme for Critical Infrastructure Protection (EPCIP). The programme has many pillars, including one involving the identification and designation of European critical infrastructures through a directive (Council Directive 2008/114/EC) covering the energy and transport sectors. Just as the risk landscape and the interdependencies between operators providing essential services to support the livelihoods of European citizens and the good functioning of the internal market have evolved since the mid-2000s, the EU’s overall approach must evolve too. This was clearly articulated in the Commission’s EU Security Union Strategy for 2020-2025 and the Counter-Terrorism Agenda for the EU, both of which stress the importance of ensuring the resilience of critical infrastructure in the face of physical and digital risks.

For these reasons, the Commission recently put forward a number of proposals aimed at enhancing the overall resilience of ‘entities’ in many different sectors, including ones considered critical by Member States. These include a proposal for a directive on the resilience of critical entities and a proposal for a directive on measures for a high common level of cybersecurity across the Union (more commonly referred to as NIS2). With these two proposals, the Commission intends to create an all-hazards framework to support Member States in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, whether they are caused by natural hazards, accidents, terrorism, insider threats, cybersecurity events, or public health emergencies like the one the world faces today.

Specifically, the proposed directive on the resilience of critical entities (otherwise referred to as the Critical Entities Resilience (CER) Directive) would cover ten sectors, namely energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Among other things, the proposal includes the following noteworthy provisions:

  • Member States would be obligated to, among other things, have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities;
  • Critical entities would be required to carry out risk assessments of their own, take appropriate technical and organisational measures in order to boost resilience, and report disruptive incidents to national authorities;
  • Critical entities providing services to or in at least one-third of Member States would be subject to specific oversight, including advisory missions organised by the Commission;
  • The Commission would offer different forms of support to Member States and critical entities, including, for instance, a Union-level risk overview, best practices, methodologies, cross-border training activities and exercises to test the resilience of critical entities; and,
  • Strategic cooperation and the exchange of information with regard to the implementation of the directive would be facilitated through an expert group composed of representatives of the Member States and the Commission, namely the Critical Entities Resilience Group.

Meanwhile, the proposed NIS2 Directive aims to ensure robust cyber resilience on the part of a large number of entities covering additional sectors besides those within the scope of the CER Directive. In order to ensure coherence between the two instruments, all critical entities identified under the CER Directive would be subject to cyber resilience obligations under NIS2.