This document is an excerpt from the EUR-Lex website

Document 52025XC04990

Communication from the Commission – Commission Guidelines and reporting template developed pursuant to Articles 5(5), 6(6) and 7(3) of Directive (EU) 2022/2557 on the resilience of critical entities

C/2025/6094

OJ C, C/2025/4990, 12.9.2025, ELI: http://data.europa.eu/eli/C/2025/4990/oj

Official Journal of the European Union, EN, C series, C/2025/4990, 12.9.2025

COMMUNICATION FROM THE COMMISSION

Commission Guidelines and reporting template developed pursuant to Articles 5(5), 6(6) and 7(3) of Directive (EU) 2022/2557 on the resilience of critical entities

(C/2025/4990)

I.   INTRODUCTION

1.

Directive (EU) 2022/2557 of the European Parliament and of the Council (1) on the resilience of critical entities (‘the Directive’) aims to ensure that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market. The Directive enhances the resilience of the critical entities providing such services and creates an overarching framework of resilience of critical entities in respect of all hazards (natural and man-made, accidental or intentional).

2.

To achieve a high level of resilience, Member States have obligations under the Directive. The Commission was mandated to develop recommendations, non-binding guidelines and a voluntary common reporting template to support them in fulfilling some of these obligations. Specifically, this Communication gives effect to Article 5(5) of the Directive regarding the development of a template for the provision of certain information to the Commission, to Article 6(6) of the Directive regarding the development of recommendations and guidelines to support Member States in identifying critical entities, and to Article 7(3) of the Directive regarding the adoption of guidelines to facilitate the application of the criteria for determining the significance of a disruptive effect, taking into account the information that Member States must submit in accordance with Article 7(2) of the Directive.

3.

Before the adoption of this Communication, in accordance with the aforementioned provisions, Member States were consulted in a workshop that took place on 3-4 October 2024 and the Critical Entities Resilience Group (CERG) was consulted on 12 February 2025. Further bilateral consultations of CERG delegates took place in writing in March 2025 and an updated version was shared with the CERG on 7 April 2025.

4.

The present Communication is not legally binding and does not affect the interpretation of EU law by the Court of Justice of the European Union.

II.   VOLUNTARY COMMON REPORTING TEMPLATE

5.

The voluntary common reporting template for Member States to provide certain information related to the risk assessment to the Commission, as provided for in Article 5(5) of the Directive, is set out in the Annex.

6.

Although this reporting template is voluntary in nature, Member States are encouraged to use it when providing information pursuant to Article 5(4) of the Directive.

III.   NON-BINDING GUIDELINES TO SUPPORT THE IDENTIFICATION OF CRITICAL ENTITIES

Figure 1: The process to identify critical entities (2)

7.

In connection with the support for the identification of critical entities, in light of recitals 3 (3) and 16 (4) of the Directive, these non-binding guidelines aim, in particular, to support the consistent application, at EU level, of the criteria for identifying critical entities.

8.

In accordance with Article 6(2) of the Directive, ‘when a Member State identifies critical entities, according to the Directive, it shall take into account the outcomes of the Member State’s risk assessment and its strategy and apply all of the following criteria:

(a)

the entity provides one or more essential services;

(b)

the entity operates, and its critical infrastructure is located, on the territory of that Member State; and

(c)

an incident would have significant disruptive effects, as determined in accordance with Article 7(1) of the Directive, on the provision by the entity of one or more essential services or on the provision of other essential services in the sectors set out in the Annex that depend on that or those essential services’.

9.

It follows from the above that three main elements should be considered by Member States in the process of identifying critical entities: the results of the risk assessment, the outcome of the national strategy, and the cumulative application of the criteria mentioned in point 8 above.

III.1.   The outcome of the risk assessment

10.

Recital 15 of the Directive explains that ‘the actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that focuses on the entities most relevant for the performance of vital societal functions or economic activities’.

11.

Member States are encouraged to operationalise the outcome of the risk assessment conducted in accordance with Article 5 of the Directive for identifying critical entities in terms of:

(a)

the magnitude of the loss or disruption (high versus low impact) of the provision of an essential service by a given entity; and

(b)

the likelihood of the loss or disruption (high versus low probability) of the provision of an essential service by a given entity.

12.

Risks that are of a cross-sectoral or cross-border nature should be given particular weight in the process of identifying critical entities, given their potential for wider cascading effects on the provision of essential services by other entities in the sectors set out in the Annex to the Directive.

III.2.   The strategy for enhancing the resilience of critical entities

13.

Recital 13 of the Directive explains that, with ‘a view to ensuring a comprehensive approach to the resilience of critical entities, each Member State should have in place a strategy for enhancing the resilience of critical entities’. The same recital clarifies what the strategy should cover, that is ‘the strategic objectives and policy measures to be implemented. In the interest of coherence and efficiency, the strategy should be designed to seamlessly integrate existing policies, building, wherever possible, upon relevant existing national and sectoral strategies, plans or similar documents’. The strategy is to be adopted in accordance with Article 4 of the Directive.

14.

To achieve a comprehensive approach with respect to the identification of critical entities, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities under the Directive and the competent authorities under Directive (EU) 2022/2555 of the European Parliament and of the Council (5) in the context of information sharing on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents and in the context of the exercise of supervisory tasks (6). Since this may have a bearing on the identification of critical entities in sectors particularly exposed to hybrid threats, Member States should take due account of the hybrid nature of threats to critical entities when putting in place their strategies and when building thereon for the purpose of the identification of critical entities. Member States are encouraged to consider European and international standards relevant to the security and resilience measures applicable to critical entities that may inform Member States’ strategies and subsequently their designation processes and decisions.

15.

Pursuant to Article 4(2) of the Directive, the strategy must contain certain elements, such as strategic objectives and priorities for enhancing the overall resilience of critical entities and a description of the process by which critical entities are identified. The strategic objectives and priorities could usefully inform the process of identifying critical entities. For instance, as part of the priority setting in the strategy, thresholds for acceptable, tolerable and unacceptable risks could be set. This could support the process of identifying critical entities by competent authorities and inform the determination of the significance of disruptive effects.

III.3.   The criteria to identify critical entities

16.

It follows from Article 6(2) of the Directive that the three criteria set out in that provision must be applied cumulatively, i.e. only an entity that fulfils all three criteria can be identified as a critical entity under the Directive.

17.

Therefore, and also taking into account the non-application of the Directive provided in Article 1(6), as well as Articles 5(1) and 7(1) of that Directive, the following five steps should be considered in identifying critical entities (see Figure 1):

(a)

Does the entity pertain to one of the sectors or subsectors and categories of entities listed in the Annex to the Directive?

(b)

Does the entity provide one or more essential services?

(c)

Does the entity operate, and is its critical infrastructure located, on the territory of that Member State?

(d)

Would an incident have significant disruptive effects (7) on the provision, by the entity, of one or more essential services or on the provision of other essential services in the sectors set out in the Annex that depend on that or those essential services?

(e)

Is the entity excluded from the scope of the Directive (8)?

18.

Member States can choose the order in which they address these steps. The Directive does not require that a particular order is followed.

19.

Where, having followed these steps, it emerges that an entity meets the three criteria cumulatively, pursuant to Article 6(1) of the Directive, it must be identified by the Member State as a critical entity. Recital 16 of the Directive clarifies that ‘where no entity meets those criteria in a Member State, that Member State should be under no obligation to identify a critical entity in the corresponding sector or subsector’.

(a)   Does the entity pertain to one of the sectors or subsectors and categories of entities listed in the Annex to the Directive?

20.

The Annex to the Directive lists in its third column the categories of entities that correspond to the list of sectors and subsectors covered by the Directive. Almost all categories refer back to relevant EU sectoral legislation that defines that category of entity. Such legislation should be carefully considered in the process of identification, in order to understand the category of entity that is covered in that particular sector or subsector.

21.

Particularities in certain sectors should be taken into consideration in the identification process. As regards the energy sector, recital 5 of the Directive clarifies that ‘in terms of, in particular, the methods of electricity generation and transmission (in respect of supply of electricity), it is understood that, where deemed appropriate, electricity generation can include electricity transmission parts of nuclear power plants but excludes the specifically nuclear elements covered by treaties and Union law, including relevant legal acts of the Union concerning nuclear power’.

22.

As regards the food sector, the same recital 5 of the Directive clarifies that, ‘in order to ensure that there is a proportionate approach and to adequately reflect the role and importance of those entities at national level, critical entities should only be identified among food businesses, whether for profit or not and whether public or private, that are engaged exclusively in logistics and wholesale distribution and large-scale industrial production and processing with a significant market share as observed at national level’.

23.

When identifying critical entities, Member States should consider the particular importance of certain sectors such as transport, as regards the key role of sea or inland waterway ports, roads, airports and railways, in particular when they serve a dual use for military mobility and civilian purposes, water, energy and digital infrastructure for the provision of essential services in other sectors, for their strategic role in ensuring the resilience of the supply chain and for the combat against illicit trafficking and organised crime.

24.

As regards entities in the banking, financial market infrastructure and digital infrastructure sectors, pursuant to Article 8 of the Directive and the explanations in its recitals 20 and 21, Member States must identify, based on the same criteria and using the same procedure provided for in the Directive, critical entities belonging to these sectors. The relevant competent authorities should inform and consult each other as appropriate in the identification of the entities in these three sectors, in line with their general obligation to cooperate effectively to fulfil their tasks under the Directive laid down in its Article 9(1).

25.

Member States should, when identifying critical entities in accordance with Article 6 of the Directive, duly consider entities providing essential services for submarine electronic communications and electricity transmission (9).

(b)   Does the entity provide one or more essential services?

26.

While the primary purpose of Commission Delegated Regulation 2023/2450 (10) (‘the Commission Delegated Regulation’) is to establish a list of essential services in the sectors and subsectors set out in the Annex to the Directive, which is to be used by the competent authorities for the purpose of carrying out risk assessments, the same list should also be used subsequently in the identification process in order to decide whether the entity fulfils the first criterion, that is, whether the entity provides one or more essential services.

27.

Recital 4 of the Commission Delegated Regulation indicates that ‘the list of essential services should be used in the light of all the relevant provisions of the Directive’. This includes the definition of essential services as services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment, as well as the definition of a public administration entity (11) and the provisions on the scope of the Directive (12), which are relevant, inter alia, when applying the first criterion mentioned above.

28.

However, Article 5(1) of the Directive states clearly that the list contained in the Commission Delegated Regulation is non-exhaustive. There can, therefore, be other essential services that are covered by the Directive but that are not listed therein. Consequently, whilst an important point of reference, the essential services listed are not necessarily the only ones to be considered when Member States apply Article 6(2)(a) of the Directive. That provision refers to ‘essential services’, as defined in Article 2(5) of the Directive, in general, without necessarily being limited to only the essential services listed in the Commission Delegated Regulation.

(c)   Does the entity operate, and is its critical infrastructure located, on the territory of that Member State?

29.

Under this step, Member States should check whether entities actually operate, in the sense of carrying out their activities, on their territory and have critical infrastructure located there, in the sense of physically being situated there. These two elements (operation by the critical entity and location of the critical infrastructure) are explained in recital 16 of the Directive, which indicates that an entity should be considered to operate on the territory of a Member State if that entity carries out its activities necessary for the essential service or services in question in said Member State and if that entity’s critical infrastructure, which is used to provide that service or those services, is physically located in said Member State.

30.

For the purpose of applying Article 6(2)(b) of the Directive, the territory of a Member State should be considered as covering, subject to the limits resulting from Article 355 TFEU, that Member State’s land territory and inland waterways as well as the territorial sea (and its bed and subsoil) established by that Member State in accordance with the UN Convention on the Laws of the Seas (UNCLOS). In addition, it covers the exclusive economic zone (EEZ) established by that Member State and the continental shelf, yet only in so far as there is a connection between the critical infrastructure located in their EEZ or on the continental shelf and the sovereign rights or jurisdiction that a coastal State exercises in accordance with UNCLOS in those parts of the sea, without interfering with other States’ rights and freedoms guaranteed by UNCLOS. Therefore, when applying Article 6(2)(b) of the Directive, Member States should, where relevant, make a case-by-case assessment to determine the extent to which critical infrastructure located in their EEZ and on the continental shelf is covered.

31.

For instance, in the case of undersea cables or pipelines laid by other States, in the exercise of their rights under Articles 58(1) and 79(1) of UNCLOS, and passing through the EEZ or the continental shelf of a coastal Member State, that Member State shall not be bound to give effect to its obligations under the Directive in regard to that critical infrastructure, insofar as it does not fall within its functional sovereignty and jurisdiction in the EEZ and the continental shelf under UNCLOS. By contrast, undersea cables or pipelines located in the EEZ or the continental shelf of a coastal Member State should be made subject, in that State, to the obligations laid down by the Directive where this critical infrastructure is connected to the activities by which that State exercised its sovereignty or jurisdiction in the EEZ or the continental shelf under Articles 56 and 77 of UNCLOS.

32.

As this is not mentioned in Article 6(2)(b) of the Directive, the place of establishment of the entity should not be considered as part of this criterion. Therefore, this element should be considered as irrelevant for the process of identifying critical entities under the Directive.

(d)   Would an incident have significant disruptive effects on the provision, by the entity, of one or more essential services or on the provision of other essential services in the sectors set out in the Annex that depend on that or those essential services?

33.

The issue of determining the significance of a disruptive effect is further elaborated in Article 7(1) of the Directive, which lists criteria to be taken into account for that purpose. These criteria are further explained in Section IV of these guidelines.

(e)   Is the entity excluded from the scope of the Directive?

34.

If an entity belongs to one of the categories of entities to which the Directive does not apply as set out in Article 1(6) of the Directive, there is no obligation to identify it as a critical entity under the Directive.

35.

Notwithstanding the legal requirement for Member States to apply the criteria provided by the Directive as explained in Section III.3 (A-D) of these Guidelines, they may also apply, under national law and acting in accordance with Union law, obligations related to critical entities to entities operating in other sectors considered critical pursuant to national law, which are not referenced in the Annex to the Directive.

36.

As explained in point 28 above, whilst the Commission Delegated Regulation is an important point of reference, Member States may have to take account of other essential services than those listed in the Commission Delegated Regulation. In addition, Member States may, under national law and acting in accordance with Union law, decide to impose resilience-enhancing obligations on entities providing other services than essential services covered by the Directive.

37.

Member States may thus identify, under national law and acting in accordance with Union law, other critical entities than those identified on the basis of the Directive (13). Consequently, because such entities would be identified based on national law, they do not need to meet the cumulative criteria referred to in Article 6(2) of the Directive and explained above.

IV.   NON-BINDING GUIDELINES TO FACILITATE THE APPLICATION OF THE CRITERIA TO DETERMINE THE SIGNIFICANCE OF A DISRUPTIVE EFFECT

38.

While it follows from Article 7(1) of the Directive that all criteria must be taken into account when determining the significance of a disruptive effect, Member States may further assess the concrete relevance of these criteria in light of the specific circumstances of the case at hand.

IV.1.   The number of users relying on the essential service

39.

Member States are encouraged to take into account the following when applying this criterion:

(a)

both natural and legal persons as users;

(b)

other critical entities as users;

(c)

the total number of users that directly rely on the essential service and/or, in so far as possible to estimate, indirect users of the essential service, i.e. persons that do not directly rely on the service but would be affected by its disruption.

40.

When using a threshold to assess the number of users, the chosen threshold should take into account whether:

(a)

the users are concentrated in a particular area or dispersed in a region;

(b)

the users are vulnerable groups, for instance elderly, disabled persons or children;

(c)

there is time-critical reliance on the respective essential service, for instance by operators of ground-based space infrastructure;

(d)

the number of users for the essential service in question is not high but those users have high intensity reliance on the essential service, for instance a healthcare provider.

IV.2.   The extent to which other sectors and subsectors as set out in the Annex to the Directive depend on the essential service in question

41.

Critical entities are often strongly connected and mutually dependent in complex ways. Dependencies and interdependencies are a risk multiplier that may increase the significance of a disruptive effect.

42.

Member States are encouraged to take into account the following when applying this criterion:

(a)

whether two or more sectors depend on the essential service in question;

(b)

whether the critical entities operating in other sectors and subsectors than the one at issue have alternatives to that essential service;

(c)

whether the disruptive effect of an incident relating to the provision of the essential service would propagate rapidly and lead to cascading effects in other sectors and subsectors.

43.

Recital 18 of the Directive explains that ‘Member States should also consider effects on the supply chain, to the extent possible, when determining the extent to which other sectors and subsectors depend on the essential service provided by a critical entity’.

44.

To address such supply chain effects, Member States are encouraged to use existing mapping or conduct a mapping of supply chains for essential services provided by entities in the sectors falling within the scope of the Directive, such as direct suppliers and customers, indirect suppliers and customers, cross-sector and cross-border dependencies, including those outside the EU.

IV.3.   The impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population

45.

To assess the degree and the duration of an incident, each of the elements mentioned in Article 7(1)(c) of the Directive should be taken into consideration separately. The longer the duration of an incident and the higher its intensity, the more significant the impact should be considered on the economic and societal activities, the environment, public safety and security, or the health of the population.

46.

Member States are encouraged to take into account the following elements when applying this criterion.

47.

As regards the impact that incidents could have on economic activities, Member States are encouraged to take into account:

(a)

the estimated direct costs related to the physical damage caused by disruptions, the breadth and duration of business interruption following the halt of operations, revenue loss, potential closures and insurance costs, when their effects are substantial enough to potentially affect the macro-economy;

(b)

the estimated costs caused by supply chain disruptions leading to delays and shortages in the provision of essential services, reduced consumer spending and loss of confidence by the public;

(c)

the estimated costs caused by the impact on investment, trade and long-term economic growth.

48.

As regards the impact that incidents could have on societal activities, Member States are encouraged to assess the significance of disruptions of government activities at central, regional or local level and of disruptions of private sector activities that hinder the overall ability to provide essential services, including disruption of daily life.

49.

As regards the impact that incidents could have on the environment, Member States are encouraged to take into account:

(a)

the estimated damage to ecosystems and the availability of ecosystem services as defined in Article 2(14) of Regulation 2020/852 of the European Parliament and of the Council (14) on the establishment of a framework to facilitate sustainable investment;

(b)

impact on air quality (air pollutants concentrations, air quality indices, changes in the aquatic ecosystem), water quality (changes in water and marine pollutant concentrations, water quality, impact on human health, harm to biodiversity), land (soil, deforestation, urbanisation, agriculture, changes in biodiversity);

(c)

impact on climate change, including changes in greenhouse gas emissions;

(d)

materialisation of acute or chronic climate risks.

50.

The assessment of the impact that incidents could have on the environment should be based on a comprehensive approach that considers both the direct and indirect impacts, as well as short-term and long-term consequences. Member States are encouraged to draw on existing environmental impact assessments or carry out such assessments or strategic environmental assessments, or life cycle assessments.

51.

As regards the impact that incidents could have on public safety and security, Member States are encouraged to take into account:

(a)

the effects of different types of incidents and the consequences on the provision of essential services, in terms of degree and duration, on the availability and effectiveness of government services dedicated to public safety and security such as police services, fire protection services, courts and prisons, the crime rate, the potential for social unrest due to scarcity of essential services or goods, or changes in the community perception of safety and security;

(b)

the impact on the availability and effectiveness of response capabilities of government services dedicated to public safety and security.

52.

In order to assess the impact that incidents could have on public safety and security, Member States are encouraged to use results of risk, threat and vulnerability assessments, crime analyses and mapping, emergency management planning and exercises, and stakeholder engagement.

53.

As regards the impact that incidents could have on the health of the population, Member States are encouraged to take into account:

(a)

loss of access to healthcare due to delays in treatment, inability to reach medical facilities, staff shortages, inability to address public health emergencies, strain on or loss of manufacturing of basic pharmaceutical products, of basic pharmaceutical preparations, of medical countermeasures and of medical devices that are considered as critical during a public health emergency, shortages of medicinal products, mental health consequences, increased morbidity and mortality (higher chronic disease rate, spread of infectious diseases, injuries, fatalities);

(b)

disruption of the food supply chain, disruption or contamination of (drinking) water supplies;

(c)

effects on the health of vulnerable groups (older people, children, persons with low income, patients with pre-existing conditions).

54.

In order to assess the impact that incidents could have on the health of the population, Member States are encouraged to use public health surveillance aimed at tracking disease outbreaks and changes in mortality and environmental monitoring; surveys and interviews aimed at gathering data on access to healthcare and the experience gathered before and after disruptions; and geospatial analysis aimed at mapping vulnerable groups and areas with limited access to healthcare.

IV.4.   The entity’s market share in the market for the essential service or essential services concerned

55.

Market share reflects the relative position of suppliers on the market and is generally based on sales or purchases of the relevant products in the relevant geographic area. Generally, both the value of sales or purchases and the volume of sales or purchases provide useful information (15). Member States are encouraged to also consult sector-specific statistical data or conduct market research to determine an entity’s market share.

56.

The criterion of market share should always be considered in conjunction with other criteria since a low degree of dependency on the essential service or the availability of alternative service providers may lower the significance of a disruptive effect considerably. Dependency could be a key factor in evaluating the impact of market share since it may explain how much society, specific sectors, or other entities rely on a particular essential service. In assessing the impact of market share, dependency provides insight into the relative systemic importance and criticality of the entity’s role within the market for the essential service or services in question.

57.

The disruption of essential services provided by an entity with a high market share is likely to present a higher risk potential for cascading effects on the provision of other essential services, notably if the essential service concerned is provided in a sector that presents many interdependencies with other sectors, such as the energy or transport sectors. The disruptive effects of an incident affecting the provision of an essential service by an entity with low market share could also be significant if it provides a unique or irreplaceable essential service that a sector relies on.

58.

In terms of models or methodologies to assess the market, various business analysis techniques may be used, such as Porter’s Five Forces (16), SWOT Analysis (17), PESTLE (18), market segmentation strategy (19), customer journey mapping (20) and the Business Model Canvas (21).

IV.5.   The geographic area that could be affected by an incident, including any cross-border impact

59.

Member States are encouraged to take into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or mountainous areas, in accordance with Article 7(1)(e) of the Directive. Such types of geographic areas tend to have specific needs in terms of essential services and limited capabilities to cope with disruptions.

60.

In addition, other elements may be relevant for the application of this criterion:

(a)

the direct or indirect impact of the incident in a geographic area expressed in surface area;

(b)

the direct or indirect impact of the incident on the area affected, that is, whether it is local, regional, national or cross-border;

(c)

characteristics of the geographic area, such as land, airspace, water, urban, rural or forests.

61.

To assess the geographical area that could be affected by an incident, Member States are encouraged to carry out field observations, collect data from satellite and airborne imagery, use census data, energy transmission infrastructure maps, transport infrastructure maps, environmental monitoring networks and GIS databases (22).

IV.6.   The importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means

62.

This criterion is relevant, inter alia, in connection to the provision of life-sustaining services, such as drinking water, wastewater, energy, health, food production and distribution, and transport, including traffic management services, since without these services the economy and society would collapse. When assessing the importance of the entity in maintaining a sufficient level of the essential service, Member States must, pursuant to Article 7(1)(f) of the Directive, take account of the availability of possible alternative means for the provision of that essential service. In this context, they are encouraged to consider such alternatives in terms of accessibility, the rapidity with which the alternative can be used, the quality of the alternative service, and the additional costs incurred. If users have no viable alternative for the essential service, the impact of the disruptive effect is generally more significant regardless of the number of users affected by the disruption. In addition, the nature of the essential service in terms of its criticality, its characteristics and its primary purpose should be considered.

(1)  Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, p. 164, ELI: http://data.europa.eu/eli/dir/2022/2557/oj).

(2)  There is no mandatory order of the identification steps.

(3)   ‘The internal market is characterised by fragmentation in respect of the identification of critical entities because relevant sectors and categories of entities are not recognised consistently as critical in all Member States. This Directive should therefore achieve a solid level of harmonisation in terms of the sectors and categories of entities falling within its scope.’

(4)   ‘In order to ensure that all relevant entities are subject to the resilience requirements of this Directive and to reduce divergences in that respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to adequately reflect the role and importance of those entities at national level.’

(5)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

(6)  The strategies should be coordinated and consistent with National Climate Adaptation Strategies and Plans under Article 5(4) of Regulation (EU) 2021/1119 of the European Parliament and of the Council of 30 June 2021 establishing the framework for achieving climate neutrality and amending Regulations (EC) No 401/2009 and (EU) 2018/1999 (‘European Climate Law’) (OJ L 243, 9.7.2021, p. 1, ELI: http://data.europa.eu/eli/reg/2021/1119/oj).

(7)  As determined in accordance with Article 7(1) of the Directive.

(8)  Article 1(6) of the Directive, which provides that the Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences.

(9)  See also Joint Communication to the European Parliament and to the Council, EU Action Plan on cable security (JOIN(2025) 9 final).

(10)  Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services (OJ L, 2023/2450, 30.10.2023, ELI: http://data.europa.eu/eli/reg_del/2023/2450/oj). This delegated act was adopted pursuant to Art. 5(1) of the Directive.

(11)  Article 2(10) of the Directive.

(12)  Article 1(6) and (7) of the Directive.

(13)  Cf. Article 3 of the Directive, which indicates that the Directive does not preclude Member States from adopting or maintaining provisions of national law with a view to achieving a higher level of resilience of critical entities, provided that such provisions are consistent with Member States’ obligations laid down in Union law.

(14)  Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088 (OJ L 198, 22.6.2020, p. 13, ELI: http://data.europa.eu/eli/reg/2020/852/oj).

(15)  Communication from the Commission – Commission Notice on the definition of the relevant market for the purposes of Union competition law (OJ C, C/2024/1645, 22.2.2024, ELI: http://data.europa.eu/eli/C/2024/1645/oj), para. 105-107.

(16)  An approach for analysing an industry's competitive landscape based on five factors: rivalry, new entrants, suppliers, customers, and substitutes.

(17)  An approach for characterising the internal and external forces that may create opportunities or risks for an organisation. It considers the organisation’s strengths and weaknesses, and external opportunities and threats.

(18)  The PESTLE analysis considers political, economic, social, technological, legal, and environmental factors and assesses the impacts of these external factors on an organisation’s profitability.

(19)  A technique to divide the market in specific segments based on customer characteristics and preferences.

(20)  A technique to understand and visualise customer characteristics and preferences.

(21)  A technique for assessing and visualising various essential elements of a business.

(22)  Geographic Information System (GIS) capabilities may be used to identify hazards and visualise the potential impacts that would be resulting from the occurrence of an incident. They are also useful to design mitigating measures and resilience capabilities to cope with potential impacts.


ANNEX

VOLUNTARY COMMON REPORTING TEMPLATE

I.   GENERAL CONSIDERATIONS

Article 5 of the Directive provides for Member States to carry out a risk assessment that will be used by Member States for the purpose of identifying critical entities pursuant to the Directive.

In accordance with Article 5(4) of the Directive, Member States must provide the Commission with relevant information on the types of risks identified following that Member State risk assessment and the outcomes thereof, per sector and subsector set out in the Annex to the Directive.

Article 5(5) of the Directive provides for the Commission, in cooperation with the Member States, to develop a voluntary common reporting template for the purpose of complying with Article 5(4) of the Directive.

Whilst voluntary in nature, Member States are encouraged to use this common reporting template when providing information in accordance with Article 5(4) of the Directive. The common reporting template is meant to be used to report on each sector separately and, in sectors with subsectors, also on a subsector basis. For example, in the energy sector with five subsectors, the reporting template would be used five times.

This template is designed to gather, in a harmonised manner, an overview of information considered relevant for reporting to the Commission, whether it is non-classified or classified. However, if Member States choose to use this template as a basis for sharing more detailed or classified information, this should always occur through the appropriate channels of communication.

This template should not be considered a guidance document, nor a substitute, for the risk assessments to be carried out by Member States under Article 5 of the Directive.

II.   CONSIDERATIONS WHEN FILLING IN THE TEMPLATE

In the first section, Member States should check the types of risks identified which could affect the provision of essential services for the sector and subsector being reported on. If identified, multiple types of risks can be checked. If identified, Member States should consider elaborating on the relevant type of risk.

In the second section, Member States should check the list of vulnerabilities and potential impacts considered relevant in qualifying the outcome of the risk assessment. Next, when reporting on the outcome, Member States should also provide an overall assessment of the impact of disruption of the provision of essential services for the sector and subsector being reported on. Finally, Member States should consider elaborating on the reply concerning the outcome of the risk assessment with a written contribution.

In the third section, Member States should consider sharing additional insights relating to the types of risks identified following the risk assessment and the outcomes thereof, in a written contribution, as regards the methodological approach, best practices, or lessons learned from the risk assessment process. In this context, the risk assessment is understood to be the overall process for determining the nature and extent of a risk by identifying and analysing potentially relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident, as defined in Article 2(7) of the Directive.

In the fourth and final section, Member States should consider the need for complementary information connected to their reporting obligation under Article 5(4) of the Directive through an additional written contribution.

IDENTIFICATION PARAMETERS

Member State:

 

Competent authority:

 

Reporting period:

 

Sector: Energy. Subsector: Electricity; District heating and cooling; Oil; Gas; Hydrogen

Sector: Transport. Subsector: Air; Rail; Water; Road; Public transport

Sector: Banking

Sector: Financial market infrastructure

Sector: Health

Sector: Drinking water

Sector: Waste water

Sector: Digital infrastructure

Sector: Public administration

Sector: Space

Sector: Production, processing and distribution of food

_______________________

______________________________________________


1.

TYPES OF RISK IDENTIFIED

1.1.

Natural risks

Biological (e.g. health-related, epidemics, pandemics, etc.)

Geophysical (e.g. earthquakes, volcanic activity, landslides, etc.)

Hydrometeorological (e.g. extreme weather events, windstorms, precipitation, floods, water scarcity, droughts, wildfires, heatwaves, cold spells, etc.)

Extraterrestrial (e.g. solar flares, etc.)

Other acute or chronic natural risks linked to climate change or the natural environment (e.g. sea-level rise, pollution etc. Please elaborate):

Man-made risks

Chemical

Radiological or nuclear

Hybrid risks (1)

Sabotage

Terrorist risks (e.g. through use of explosives, hostage taking, etc.)

Other criminal acts (e.g. arson, corruption, breaking and entering, assault, vandalism, etc.)

Insider risks (e.g. malicious intent, human error, negligence, etc.)

Cyber risks

Military risks

Foreign direct investment negatively affecting security or public order

Espionage as preparation for other man-made risks (e.g. aerial drone surveillance, data theft, etc.)

Societal risks (e.g. riot, strike, etc.)

Other man-made risks (please elaborate):

Technical/technological risks

Accidental (e.g. error, failure, malfunction, collision, hazardous material spill, radiation, etc.)

Structural decay (i.e. the deterioration of physical infrastructure over time and under stress)

Use of emerging (digital) technologies (e.g. use of AI, etc.)

Compounded risks

Cross-sectoral risks

Cross-border risks

Intra-sectoral risks

Other cascading risks, following the disruption of an essential service (e.g. NaTech (2), space debris, etc.)

Risks unique to the sector and subsector (please elaborate):

Other (please elaborate):

Written contribution…


2.

OUTCOME OF THE RISK ASSESSMENT

2.1.

Vulnerabilities

Cross-sectoral dependencies (in line with the sectors set out in the Annex to the Directive) (please elaborate)

Sectoral or subsectoral dependencies (in line with the sectors and subsectors set out in the Annex to the Directive) (please elaborate)

Dependencies on categories of entities (in line with the categories of entities set out in the Annex to the Directive) (please elaborate)

Dependence on entities in other Member States (please elaborate)

Dependence on entities in third countries (please elaborate)

Supply chain dependencies

Employee security and awareness

Vulnerabilities unique to the sector and subsector (please elaborate)

Other (please elaborate):

Written contribution…

2.2.

Potential impact of a significant disruptive incident

Economic activities (e.g. financial damage/losses, unemployment, reputational damage, export restrictions, downturn in foreign investment, lowered tourism, etc.)

Societal activities (e.g. government disruptions, etc.)

Environment (e.g. damage to ecosystems, pollution, etc.)

Public safety (e.g. impact on emergency services, displacement, evacuation, etc.)

Security (e.g. territorial integrity, impact on law enforcement services, defence, etc.)

Health of the population (e.g. disease, shortage of staff, shortage of medicines, medical equipment or medical countermeasures, etc.)

International relations and partnerships or diplomatic (e.g. with non-EU countries, international organisations, trade, etc.)

In the sector concerned on other sectors set out in the Annex to the Directive

On the public (e.g. death, injury, etc.)

On the internal market

On essential services to or in six or more Member States

Impact unique to the sector and subsector (please elaborate)

Other (please elaborate):

Written contribution…

2.3.

Impact severity of a disruptive incident

Relatively insignificant

Mildly significant

Moderately significant

Highly significant

Severely significant

Written contribution…


3.

ADDITIONAL INSIGHTS RELATING TO THE TYPES OF RISKS IDENTIFIED AND THE OUTCOMES OF THE RISK ASSESSMENT

3.1.

Methodological approach

Written contribution…

3.2.

Best practices

Written contribution…

3.3.

Lessons learned

Written contribution…


4.

COMPLEMENTARY INFORMATION

4.1.

Written contribution…


(1)  The term ‘hybrid threats’ refers to when threat actors, state or non-state, seek to exploit the vulnerabilities of the EU to their own advantage by using a mixture of measures (i.e. diplomatic, military, economic, technological) in a coordinated way, while remaining below the threshold of formal warfare. This category, by definition, usually refers to more than one risk and should therefore be selected together with the other risks, as appropriate.

(2)  Technological second order effects caused by natural hazards.


ELI: http://data.europa.eu/eli/C/2025/4990/oj

ISSN 1977-091X (electronic edition)

