The final text of the Critical Entities Resilience Directive (CER)

Preamble 1 to 10

(1) Critical entities, as providers of essential services, play an indispensable role in the maintenance of vital societal functions or economic activities in the internal market in an increasingly interdependent Union economy. It is therefore essential to set out a Union framework with the aim of both enhancing the resilience of critical entities in the internal market by laying down harmonised minimum rules and assisting them by means of coherent and dedicated support and supervision measures.

(2) Council Directive 2008/114/EC provides for a procedure for designating European critical infrastructure in the energy and transport sectors the disruption or destruction of which would have a significant cross-border impact on at least two Member States. That Directive focuses exclusively on the protection of such infrastructure. However, the evaluation of Directive 2008/114/EC conducted in 2019 found that, due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place.

Therefore, it is necessary to shift the approach towards ensuring that risks are better accounted for, that the role and duties of critical entities as providers of services essential to the functioning of the internal market are better defined and coherent, and that Union rules are adopted to enhance the resilience of critical entities. Critical entities should be in a position to reinforce their ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that have the potential to disrupt the provision of essential services.

(3) While a number of measures at Union level, such as the European Programme for Critical Infrastructure Protection, and at national level aim to support the protection of critical infrastructure in the Union, more should be done to better equip the entities operating such infrastructure to address the risks to their operations that could result in the disruption of the provision of essential services. More should also be done to better equip such entities because there is a dynamic threat landscape, which includes evolving hybrid and terrorist threats, and growing interdependencies between infrastructure and sectors.

Moreover, there is an increased physical risk due to natural disasters and climate change, which intensifies the frequency and scale of extreme weather events and brings long-term changes in average climate conditions that can reduce the capacity, efficiency and lifespan of certain infrastructure types if climate adaptation measures are not in place. In addition, the internal market is characterised by fragmentation in respect of the identification of critical entities because relevant sectors and categories of entities are not recognised consistently as critical in all Member States. This Directive should therefore achieve a solid level of harmonisation in terms of the sectors and categories of entities falling within its scope.

(4) While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.

(5) The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the Union in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector.

The space sector falls within the scope of this Directive with respect to the provision of certain services that depend on ground-based infrastructure owned, managed and operated either by Member States or by private parties; consequently, infrastructure owned, managed or operated by or on behalf of the Union as part of its space programme does not fall within the scope of this Directive.

In terms of the energy sector and in particular the methods of electricity generation and transmission (in respect of supply of electricity), it is understood that, where deemed appropriate, electricity generation can include electricity transmission parts of nuclear power plants but excludes the specifically nuclear elements covered by treaties and Union law, including relevant legal acts of the Union concerning nuclear power. The process for identifying critical entities in the food sector should adequately reflect the nature of the internal market in that sector and the extensive Union rules relating to the general principles and requirements of food law and food safety.

Therefore, in order to ensure that there is a proportionate approach and to adequately reflect the role and importance of those entities at national level, critical entities should only be identified among food businesses, whether for profit or not and whether public or private, that are engaged exclusively in logistics and wholesale distribution and large-scale industrial production and processing with a significant market share as observed at national level.

Those interdependencies mean that any disruption of essential services, even one which is initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-term negative impact on the delivery of services across the internal market. Major crises, such as the COVID-19 pandemic, have shown the vulnerability of our increasingly interdependent societies in the face of high-impact low-probability risks.

(6) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under national law. The fact that some Member States have less stringent security requirements on those entities not only leads to various levels of resilience but also risks negatively impacting the maintenance of vital societal functions or economic activities across the Union and leads to obstacles to the proper functioning of the internal market.

Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are the cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. That results in an additional and unnecessary administrative burden for companies operating across borders, in particular for companies active in Member States with more stringent requirements. A Union framework would therefore also have the effect of levelling the playing field for critical entities across the Union.

(7) It is necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is important that those rules be future proof in terms of their design and implementation while allowing for necessary flexibility. It is also crucial to improve the capacity of critical entities to provide essential services in the face of a diverse set of risks.

(8) In order to achieve a high level of resilience, Member States should identify critical entities that will be subject to specific requirements and supervision and that will be provided with particular support and guidance in the face of all relevant risks.

(9) Given the importance of cybersecurity for the resilience of critical entities and in the interests of consistency, a coherent approach should be ensured, wherever possible, between this Directive and Directive (EU) 2022/2555 of the European Parliament and of the Council. In light of the higher frequency and particular characteristics of cyber risks, Directive (EU) 2022/2555 imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in Directive (EU) 2022/2555, the matters covered by that Directive should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(10) Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in this Directive, the relevant provisions of this Directive should not apply, so as to avoid duplication and unnecessary burden. In that case, the relevant provisions of such Union legal acts should apply. Where the relevant provisions of this Directive do not apply, the provisions on supervision and enforcement laid down in this Directive should not apply either.