This document is an excerpt from the EUR-Lex website

Making critical entities more resilient

SUMMARY OF:

Directive 2022/2557 on the resilience of critical entities

WHAT IS THE AIM OF THE DIRECTIVE?

The directive aims to:

  • reduce vulnerabilities and strengthen the physical resilience[1] of critical entities in the European Union (EU) in order to ensure the unobstructed provision of services that are essential for the economy and society as a whole;
  • increase the resilience of the critical entities that provide these services.

KEY POINTS

EU Member States must, following a risk assessment, identify critical entities providing services that are essential for the maintenance of functions vital to society, the economy, public health and safety, or the environment, and where an incident would have significant disruptive effects on these essential services. This covers entities in the following sectors:

  • energy, including electricity, district heating, oil, gas and hydrogen operators;
  • transport by air, rail, water and road, including public transport;
  • banking, which is also subject to Regulation (EU) 2022/2554 (the Digital Operational Resilience Act – see summary);
  • financial market infrastructure, including trading venues, also subject to the Digital Operational Resilience Act;
  • health, including healthcare providers, basic pharmaceutical product and critical device manufacturers and research and development of medicinal products;
  • drinking water suppliers and distributors;
  • wastewater disposal and treatment;
  • digital infrastructure, including electronic communication services and data centres, which is also subject to Directive (EU) 2022/2555 (see summary);
  • public administration entities at the central government level, excluding national security, public security, defence and law enforcement;
  • space operators of ground-based infrastructure; and
  • food businesses engaged exclusively in logistics and wholesale distribution and in large-scale industrial production and processing.

It should be noted that certain parts of the directive do not apply to entities in the banking, financial market infrastructure and digital infrastructure sectors.

Each Member State must:

  • adopt a national strategy and carry out regular risk assessments;
  • taking into account the outcome of the risk assessments, identify entities that rely on critical infrastructure to provide essential services to society, the economy, public health and safety, or the environment;
  • support the identified critical entities in enhancing their resilience with, for instance, guidance material, exercises, advice and training;
  • ensure that national authorities have the powers, resources and means to carry out their supervisory tasks, including conducting on-site inspections of critical entities and introducing penalties for non-compliance as part of an enforcement mechanism;
  • specify the conditions under which a critical entity can submit requests for background checks on personnel holding sensitive roles.

Member States must identify the critical entities for the sectors and subsectors set out in the Annex to the directive by .

Critical entities must:

  • carry out risk assessments of their own to identify risks that could disrupt their ability to provide essential services;
  • take technical, security and organisational measures to enhance their resilience;
  • report significant disruptive incidents to the national authorities.

If critical entities provide essential services in or to six or more Member States, they may benefit from extra advice in the form of advisory missions that evaluate the risk assessment and the resilience-enhancing measures that the entity has put in place.

Delegated act

The European Commission adopted Delegated Regulation (EU) 2023/2450, establishing a non-exhaustive list of essential services in the abovementioned sectors and subsectors. Member States’ competent authorities are to use this list for the purpose of carrying out a risk assessment, and the risk assessment is thereafter to be used for the purpose of identifying critical entities.

The Critical Entities Resilience Group facilitates cooperation among Member States, including sharing information and good practices.

The Commission provides support, including on cross-sectoral risks, best practices, methodologies, cross-border training and exercises to test the resilience of critical entities.

FROM WHEN DO THE RULES APPLY?

The directive has to be transposed into national law by . These rules should apply from .

BACKGROUND

The Commission’s EU security union strategy and the counter-terrorism agenda for the EU stress the importance of ensuring the resilience of critical entities in the face of physical and digital risks.

This directive is part of a package of legislative measures to improve the resilience and incident-response capacities of public and private entities in the EU in the fields of cybersecurity and critical infrastructure protection.

The Council also issued a recommendation on an EU-wide coordinated approach to strengthen the resilience of critical infrastructure in January 2023.

For further information, see:

KEY TERMS

  1. Resilience. The capacity to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that may be caused by, among other things, natural disasters such as public health emergencies or human-made threats such as terrorism, sabotage or hybrid threats. Hybrid threats arise when state or non-state actors seek to exploit the vulnerabilities of critical infrastructure by using a mixture of measures (i.e. diplomatic, military, economic, technological) in a coordinated way while remaining below the threshold of formal warfare, for example mass disinformation campaigns that hinder the democratic process in elections.

MAIN DOCUMENT

Directive (EU) 2022/2557 of the European Parliament and of the Council of on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, , pp. 164–198).
