The final text of the Critical Entities Resilience Directive (CER)

Article 5 - Risk assessment by Member States

1. The Commission is empowered to adopt a delegated act, in accordance with Article 23, by 17 November 2023 to supplement this Directive by establishing a non-exhaustive list of essential services in the sectors and subsectors set out in the Annex.

The competent authorities shall use that list of essential services for the purpose of carrying out a risk assessment (‘Member State risk assessment’) by 17 January 2026, whenever necessary subsequently, and at least every four years. The competent authorities shall use Member State risk assessments for the purpose of identifying critical entities in accordance with Article 6 and assisting those critical entities to take measures pursuant to Article 13.

Member State risk assessments shall account for the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid threats or other antagonistic threats, including terrorist offences as provided for in Directive (EU) 2017/541 of the European Parliament and of the Council.

2. In carrying out Member State risk assessments, Member States shall take into account at least the following:

(a) the general risk assessment carried out pursuant to Article 6(1) of Decision No 1313/2013/EU;

(b) other relevant risk assessments, carried out in accordance with the requirements of the relevant sector-specific Union legal acts, including Regulations (EU) 2017/1938 and (EU) 2019/941 of the European Parliament and of the Council and Directives 2007/60/EC and 2012/18/EU of the European Parliament and of the Council;

(c) the relevant risks arising from the extent to which the sectors set out in the Annex depend on one another, including from the extent to which they depend on entities located within other Member States and third countries, and the impact that a significant disruption in one sector may have on other sectors, including any significant risks to citizens and the internal market;

(d) any information on incidents notified in accordance with Article 15.

For the purposes of the first subparagraph, point (c), Member States shall cooperate with the competent authorities of other Member States and the competent authorities of third countries, as appropriate.

3. Member States shall make the relevant elements of Member State risk assessments available, where relevant through their single points of contact, to the critical entities that they have identified in accordance with Article 6. Member States shall ensure that the information provided to critical entities assists them in carrying out their risk assessments pursuant to Article 12 and in taking measures to ensure their resilience pursuant to Article 13.

4. Within three months of carrying out a Member State risk assessment, a Member State shall provide the Commission with relevant information on the types of risks identified following, and the outcomes of, that Member State risk assessment, per sector and subsector set out in the Annex.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purpose of complying with paragraph 4.