The Critical Entities Resilience Directive (CER Directive) is a European Union (EU) directive that recognises the increasingly disrupted nature of our polycrisis world. It aims to strengthen the resilience of critical entities against a wide range of threats and hazards, including natural disasters, terrorist and cyber attacks and sabotage.
EU Member States will use a risk-based approach to designate critical entities: the organisations most relevant for vital economic or societal functions across eleven sectors as follows:
These entities will be required to evaluate the risks that may disrupt their provision of essential services and adopt relevant resilience measures. These measures will include resilience plans and stringent processes for incident notification.
Competent authorities in each Member State will be responsible for the correct application and enforcement of the Directive and for determining penalties for non-compliance.
In November 2020, the CER Directive was adopted by the European Parliament and the Council of the European Union, and subsequently entered into force in January 2023. There are several key dates in the coming months and years that are essential for organisations to keep in mind:
Member States transpose the CER Directive into national law.
Member States adopt a strategy for enhancing the resilience of critical entities.
Member States identify critical entities and notify the corresponding entities within one month of identification.
Critical entities conduct a risk assessment within nine months of designation and demonstrate compliance with Directive requirements within ten months of designation.
The European Commission submits a report to the Parliament and Council assessing compliance with the Directive.
Determine if your organisation is likely to be recognised as a critical entity under the Directive based on your sector and potential impact of disruptive events. (Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164 Art. 6; Art. 17)¹
Familiarise yourself with the CER Directive's specific requirements, including risk assessments, resilience plans, incident notification and mitigation measures.
Monitor CER Directive developments to anticipate and prepare for relevant requirements and deadlines. If you are not immediately identified as a critical entity, consider whether you might be a supplier for a critical entity.
Get in touch to discuss how we’re helping organisations to rethink their approach to resilience.
Footnote:
¹ Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164
Bobbie Ramsden-Knowles
Bram van Tiel
Ana Cendón Cubero
Jens Greiner
Eric Timon
Alex Johnson
© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.