
CER and NIS-2 Directives enter into force to strengthen EU's Resilience

The two key directives enter into force, aiming to reduce vulnerabilities and strengthen the resilience of critical and digital infrastructure against online and offline threats, from cyberattacks to crime, risks to public health and natural disasters.


date:  26/10/2022

Directive on the resilience of critical entities (CER Directive)

The new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. It covers critical entities in 11 sectors, such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food.

Member States will need to adopt a national strategy and carry out a risk assessment at least every four years to identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.

The Directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more Member States.

Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)

The NIS 2 Directive will ensure a safer and stronger Europe by significantly expanding the sectors and type of critical entities falling under its scope. These include providers of public electronic communications networks and services, data centre services, wastewater and waste management, manufacturing of critical products, postal and courier services and public administration entities, as well as the healthcare sector more broadly.

Furthermore, it will strengthen the cybersecurity risk management requirements that companies are obliged to comply with, as well as streamline incident reporting obligations with more precise provisions on reporting, content and timeline.

The NIS 2 Directive replaces the rules on the security of network and information systems, the first EU-wide legislation on cybersecurity.

Member States have 21 months to transpose both Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.

Council Recommendation on the resilience of critical infrastructure

To respond to the recent acts of sabotage against the Nord Stream pipeline and the new risks brought by Russia’s aggression against Ukraine, the Recommendation adopted focuses on strengthening the resilience of critical infrastructure. This recommendation aims to accelerate the preparatory work for the implementation of the objectives set out in the Critical Entities and NIS 2 Directives and step up the EU’s capacity to protect its critical infrastructure. It includes a series of targeted actions covering key sectors such as energy, digital infrastructure, transport and space.

The Recommendation covers three priority areas: preparedness, response and international cooperation. It invites Member States to update their risk assessments to reflect current threats and encourages them to conduct stress tests of entities operating critical infrastructure, with the energy sector as a priority.

It also calls on Member States to develop, in cooperation with the Commission, a blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. The EU will support partner countries in enhancing their resilience and strengthen cooperation with NATO in this area.
