Critical Entities Resilience Directive (CER) Training



Overview

With which Directive do we have to comply? The Critical Entities Resilience Directive (CER), the NIS 2 Directive, or a sector-specific legal act?

The NIS 2 Directive (2022/2555) addresses cybersecurity challenges. Because cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by the NIS 2 Directive are excluded from the scope of the Critical Entities Resilience Directive (CER). In short: for cybersecurity challenges the NIS 2 Directive applies, given that the requirements laid down in the NIS 2 Directive are at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER).

Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER), the relevant provisions of the Critical Entities Resilience Directive (CER) should not apply. The relevant provisions of sector-specific legal acts should apply.

What about challenges that affect both the physical security and the cybersecurity of critical entities? NIS 2 and CER will both be implemented in a coordinated manner, according to Article 1.2 of the Critical Entities Resilience Directive (CER).

CER covers a wide range of risks, not just cybersecurity risks. According to Article 13 of CER (Resilience measures of critical entities), critical entities must take technical, security and organisational measures to ensure their resilience, including measures necessary to:

(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;

(b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;

(c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;

(d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service;

(e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications;

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises.

Certain critical entities carry out activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences, or provide services exclusively to public administration entities that carry out activities predominantly in those areas. Member States are responsible for safeguarding national security and defence, and Member States may decide that the obligations on critical entities laid down in the Critical Entities Resilience Directive (CER) do not apply to those entities, in whole or in part.


The ‘Member State risk assessment’.

EU Member States must identify and ensure the resilience of critical entities. They must focus on the entities most relevant for the performance of vital societal functions or economic activities. Each Member State will carry out an assessment of the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, that could affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage.


The ‘critical entity risk assessment’.

Critical entities must have a comprehensive understanding of the relevant risks to which they are exposed, and a duty to analyse those risks. They should carry out risk assessments in view of their particular circumstances and the evolution of those risks, and in any event at least every four years, in order to assess all relevant risks that could disrupt the provision of their essential services.

The competent authority will declare that an existing risk assessment carried out by a critical entity, which addresses the relevant risks and the relevant extent of dependence, is compliant, in whole or in part, with the obligations laid down in this Directive.

According to the CER Directive, critical entities should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident. While critical entities should take those measures in accordance with this Directive, the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of such entity in an appropriate and proportionate way.


Who must comply with the Critical Entities Resilience Directive (CER)?

According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the following categories:

1. Energy.

a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.

b. District heating and cooling.
— Operators of district heating or district cooling.

c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.

d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.

e. Hydrogen.
— Operators of hydrogen production, storage and transmission.


2. Transport.

a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports, and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.

b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.

c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).

d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.


3. Banking.
— Credit institutions.


4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).


5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).


6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.


7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.


8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.


9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.


10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.


11. Space.
— Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.


Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the Directive or not.



Training program 1: Preparing for the Critical Entities Resilience Directive (CER), for EU and non-EU firms.


Possible modules of the tailor-made training program.

- Are you sure we must comply with the Critical Entities Resilience Directive (CER)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.
- What is ‘critical infrastructure’ and ‘essential service’?

The obligation for each EU Member State to adopt a strategy for enhancing the resilience of critical entities.
- The strategic objectives and policy measures.
- Risk assessment by Member States.

Criteria for the identification of critical entities.
- the entity provides one or more essential services,
- the entity operates, and its critical infrastructure is located, on the territory of a Member State,
- an incident would have significant disruptive effects on the provision by the entity of one or more essential services.

Criteria for the identification of significant disruptive effects.
- the number of users relying on the essential service provided by the entity concerned,
- the extent to which other sectors and subsectors depend on the essential service in question,
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population,
- the entity’s market share in the market for the essential service or essential services concerned,
- the geographic area that could be affected by an incident, including any cross-border impact, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or mountainous areas,
- the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

Competent authorities and single point of contact.

Cooperation between Member States.

Risk assessment by critical entities, within nine months of receiving the notification.
- Risk assessment by critical entities whenever necessary subsequently, and at least every four years, to assess all relevant risks that could disrupt the provision of their essential services (‘critical entity risk assessment’).
- Risk assessment for all the natural and man-made risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, hybrid threats and other antagonistic threats, including terrorist offences.
- Resilience measures of critical entities.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity,
- are authorised to directly or remotely access its premises, information or control systems, including in connection with the security of the critical entity,
- are under consideration for recruitment to sensitive positions.

Incident notification.
- initial notification no later than 24 hours after becoming aware of an incident,
- detailed report no later than one month thereafter.

The new Critical Entities Resilience Group.
- it supports the Commission and facilitates cooperation among Member States,
- it supports the exchange of information on issues relating to this Directive,
- it analyses the strategies in order to identify best practices,
- it is composed of representatives of the Member States and the Commission who hold security clearance, where necessary.

Supervision and enforcement.
- on-site inspections of the critical infrastructure and the premises that the critical entity uses to provide its essential services,
- off-site supervision of measures taken by critical entities,
- audits in respect of critical entities,
- penalties.


Target Audience

The program is beneficial to all persons working for entities in the scope of the CER Directive who have authorised access to systems and data. We also offer specialised training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html




Training program 2: Preparing for the Critical Entities Resilience Directive (CER) and the NIS 2 Directive.


Possible modules of the tailor-made training program

a. The Critical Entities Resilience Directive (CER).

- Are you sure we must comply with the Critical Entities Resilience Directive (CER)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.
- What is ‘critical infrastructure’ and ‘essential service’?

The obligation for each EU Member State to adopt a strategy for enhancing the resilience of critical entities.
- The strategic objectives and policy measures.
- Risk assessment by Member States.

Criteria for the identification of critical entities.
- the entity provides one or more essential services,
- the entity operates, and its critical infrastructure is located, on the territory of a Member State,
- an incident would have significant disruptive effects on the provision by the entity of one or more essential services.

Criteria for the identification of significant disruptive effects.
- the number of users relying on the essential service provided by the entity concerned,
- the extent to which other sectors and subsectors depend on the essential service in question,
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population,
- the entity’s market share in the market for the essential service or essential services concerned,
- the geographic area that could be affected by an incident, including any cross-border impact, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or mountainous areas,
- the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

Competent authorities and single point of contact.

Cooperation between Member States.

Risk assessment by critical entities, within nine months of receiving the notification.
- Risk assessment by critical entities whenever necessary subsequently, and at least every four years, to assess all relevant risks that could disrupt the provision of their essential services (‘critical entity risk assessment’).
- Risk assessment for all the natural and man-made risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, hybrid threats and other antagonistic threats, including terrorist offences.
- Resilience measures of critical entities.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity,
- are authorised to directly or remotely access its premises, information or control systems, including in connection with the security of the critical entity,
- are under consideration for recruitment to sensitive positions.

Incident notification.
- initial notification no later than 24 hours after becoming aware of an incident,
- detailed report no later than one month thereafter.

The new Critical Entities Resilience Group.
- it supports the Commission and facilitates cooperation among Member States,
- it supports the exchange of information on issues relating to this Directive,
- it analyses the strategies in order to identify best practices,
- it is composed of representatives of the Member States and the Commission who hold security clearance, where necessary.

Supervision and enforcement.
- on-site inspections of the critical infrastructure and the premises that the critical entity uses to provide its essential services,
- off-site supervision of measures taken by critical entities,
- audits in respect of critical entities,
- penalties.


b. The NIS 2 Directive.

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group that facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training; essential and important entities are encouraged to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities not established in the EU but offering services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience

The program is beneficial to all persons working for entities in the scope of the CER Directive who have authorised access to systems and data. We also offer specialised training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html