Industries

See all industries

Aerospace, defence & security

Automotive

Capital projects & infrastructure

Consumer markets

Energy, utilities & resources

Engineering & construction

Financial services

Forest, paper & packaging

Government & public services

Healthcare

Hospitality & leisure

Industrial manufacturing

Insurance

Pharmaceuticals & life sciences

Private equity

Technology, media & Telecommunications

Transportation & logistics

Featured

Move fast, think slow: How financial services can strike a balance with GenAI

Take on Tomorrow @ the World Economic Forum in Davos: Energy demand

PwC’s Global Investor Survey 2023

Services

See all services

Alliances and Ecosystems

Audit and assurance services

Business transformation

Consulting

Crisis management

Deals

Entrepreneurial and private business

Family business

Forensics

Legal Business Solutions

Managed Services

Workforce

Strategy

Sustainability and climate change

Tax

Featured

Climate risk, resilience and adaptation

Business transformation

Sustainability assurance

Issues

See all issues

Artificial Intelligence

Business transformation

C-suite insights

Cybersecurity

Climate and sustainability

Megatrends

Risk and regulation

Technology

Trust

Upskilling

Value creation

Workforce

Featured

The Leadership Agenda

PwC and TED

Built to give leaders the right tools to make tough decisions

About us

See more About Us

Alumni

Analyst relations

Client case studies

Ethics and compliance

Committing to Net Zero

Corporate sustainability

Diversity and inclusion

PwC's Global Annual Review

Global regulatory affairs

Human rights statement

Leadership team

Network governance and structure

New Ventures and Innovation

News room

Our purpose and values

PwC office locations

PwC's Code of Conduct

Strategy Council

Strategy&

Tax Code of Conduct

Third party code of conduct

Transparency Report

Featured

The New Equation

PwC’s Global Annual Review

Committing to Net Zero

Careers

Find out more about careers

Search for a job

Featured

The New Equation

PwC’s Global Annual Review

The Solvers Challenge

Loading Results

No Match Found

Strengthening Enterprise Resilience

Critical Entities Resilience Directive: Why it is relevant to you

Blog
5 Minute Read
February 29, 2024

What is the ‘Critical Entities Resilience Directive’? (CER Directive)

The Critical Entities Resilience Directive (CER Directive) is a European Union (EU) directive that recognises the increasingly disrupted nature of our polycrisis world. It aims to strengthen the resilience of critical entities against a wide range of threats and hazards, including natural disasters, terrorist and cyber attacks and sabotage.

EU Member States will use a risk-based approach to designate critical entities: the organisations most relevant for vital economic or societal functions across eleven sectors as follows:

These entities will be required to evaluate the risks that may disrupt their provision of essential services and adopt relevant resilience measures. These measures will include resilience plans and stringent processes for incident notification.

Competent authorities in each Member State will be responsible for the correct application and enforcement of the Directive and determining penalties for non-compliances.

Why does the CER Directive matter?

Resilience is here to stay. The CER Directive is the latest iteration of a rapidly expanding regulatory push towards resilience within the EU and beyond. Recent regulation (e.g. the NIS 2 Directive) has largely been driven by the cyber threat. However, the CER Directive acknowledges that the types of threats and hazards we face are more diverse, frequent and complex than ever before. That creates an obligation on business, industry and society to develop the ability to respond and adapt in the face of disruption.
The growing breadth of sector coverage. The breadth of sector coverage is another factor that sets this directive apart from other recent regulations (e.g. the Digital Operational Resilience Act (DORA)). Where financial and digital sectors will likely benefit from having laid the groundwork to meet previous regulatory timelines, other sectors may have had limited exposure to resilience requirements. The Directive also does not establish limits on the size of entities and acknowledges that measures may impact neighbouring Member States and third countries
The timelines are tight. The Directive imposes significant requirements for risk and resilience. While critical entities may not be designated until July 2026, they will then have only ten months to demonstrate compliance. If you are likely to be a critical entity, you must start planning now
The opportunity for a strategic approach. The Directive provides the opportunity for designated critical entities to take a strategic approach to resilience that not only protects value but also generates a competitive advantage by identifying operational efficiencies and capitalising on disruption. A tried and tested operational resilience methodology will act as a critical handrail as the Directive brings new sectors into the resilience fold.

When will the CER Directive be enforced?

In November 2020, the CER Directive was adopted by the European Parliament and the Council of the European Union, and subsequently entered into force in January 2023. There are several key dates in the coming months and years that are essential for organisations to keep in mind:

Member States transpose the CER Directive into national law.

Member States adopt a strategy for enhancing the resilience of critical entities.

Member States identify critical entities and notify the corresponding entities within one month of identification.

Critical entities conduct this risk assessment within nine months of designation and demonstrate compliance with Directive requirements within ten months of designation.

The European Commission submits a report to the Parliament and Council assessing compliance with the Directive.

What actions should you take now?

Determine if your organisation is likely to be recognised as a critical entity under the Directive based on your sector and potential impact of disruptive events. (Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164 Art. 6; Art. 17¹)

Familiarise yourself with the CER Directive's specific requirements, including risk assessments, resilience plans, incident notification and mitigation measures.

Identify and assess your risks: Conduct thorough assessments to understand your exposure to plausible risks, the likely impacts and how that aligns to your risk appetite. (Article 12²)
Review your target operating model for risk and resilience: Consider aligning your governance structures to oversee an integrated data-driven target operating model–one that can develop your Enterprise Resilience capability in line with the specific risks you face. Explore how you can implement technology to use data analytics and automation to drive your resilience transformation.
Build your resilience capability around what matters most to you: Identify your minimum viable organisation and focus your energy and investment on making it resilient. This involves defining what really matters to you and your customers, and then mapping those Critical Business Services and the dependencies which enable you to deliver those services. Next, align your resilience disciplines - business continuity, IT disaster recovery, cyber and physical security, and supply chain resilience - to the continuity of those services. Develop targeted response structures, frameworks and plans. (Article 13³)
Build your crisis management capability to manage unplanned or unprecedented scenarios: Review and refresh your incident and crisis management structures and plans to enable rapid containment, triage and response. Consider whether your structures enable you to meet the 24-hour notification requirement and whether you have a clear crisis communications strategy to navigate the complexities of stakeholder management during disruption. (Article 13 and 15⁴)
Conduct regular training and exercises: Devise a programme of training, exercising and testing for incident and crisis response using scenarios aligned to the risks identified in the risk assessment. Use real-time data to test your ability to manage disruption within your impact appetite. Identify opportunities to continue maturing your risks, resilience and crisis capabilities. (Article 13⁵)

Monitor CER Directive developments to anticipate and prepare for relevant requirements and deadlines. If you are not immediately identified as a critical entity, consider whether you might be a supplier for a critical entity.

Get in touch to discuss how we’re helping organisations to rethink their approach to resilience.

Footnote:
_{¹Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164}

Authors

Bobbie Ramsden-Knowles, Co-leader, PwC’s Global Centre for Crisis and Resilience, Partner, PwC UK

Bram van Tiel, Partner, PwC Netherlands

Ana Cendón Cubero, Director, PwC Spain

Jens Greiner, Director, PwC Germany

Eric Timon, Senior Manager, PwC Ireland

Alex Johnson, Senior Manager, PwC Belgium

PwC office locations Site map Contact us

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.