Article 4 - Strategy on the resilience of critical entities
1. Following a consultation that is, to the extent practically possible, open to relevant stakeholders, each Member State shall adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities (the ‘strategy’). The strategy shall set out strategic objectives and policy measures, building upon relevant existing national and sectoral strategies, plans or similar documents, with a view to achieving and maintaining a high level of resilience on the part of critical entities and covering at least the sectors set out in the Annex.
2. Each strategy shall contain at least the following elements:
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities, taking into account cross-border and cross-sectoral dependencies and interdependencies;
(b) a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, critical entities and other parties involved in the implementation of the strategy;
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a description of the risk assessment referred to in Article 5;
(d) a description of the process by which critical entities are identified;
(e) a description of the process supporting critical entities in accordance with this Chapter, including measures to enhance cooperation between the public sector, on the one hand, and the private sector and public and private entities, on the other hand;
(f) a list of the main authorities and relevant stakeholders, other than critical entities, involved in the implementation of the strategy;
(g) a policy framework for coordination between the competent authorities under this Directive (‘competent authorities’) and the competent authorities under Directive (EU) 2022/2555 for the purposes of information sharing on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents and the exercise of supervisory tasks;
(h) a description of measures already in place which aim to facilitate the implementation of obligations under Chapter III of this Directive by small and medium-sized enterprises within the meaning of the Annex to Commission Recommendation 2003/361/EC that the Member State in question has identified as critical entities.
Following a consultation that is, to the extent practically possible, open to relevant stakeholders, Member States shall update their strategies at least every four years.
3. Member States shall communicate their strategies, and substantial updates thereto, to the Commission within three months of their adoption.