Explaining the Critical Entities Resilience (CER) Directive

Resilience isn’t just a priority for enterprises, agencies, and other organizations. It has become a governmental priority, too, especially in the European Union, where the Critical Entities Resilience (CER) Directive is in force.

What’s the CER Directive, and what does it say? We cover it all in the following article.

Who are the critical entities identified in the Critical Entities Resilience Directive?

Entering into force in January 2023, the Critical Entities Resilience (CER) Directive aims to strengthen the resilience of critical entities in the EU against a range of threats. Those cited in the Directive include:

  • Natural hazards
  • Terrorist attacks
  • Insider threats
  • Acts of sabotage
  • Public-health emergencies

But what are the critical entities around which the Directive is organized? Critical entities, here, refer to public or private organizations identified by their respective Member State on the basis of the following criteria:

  • They provide one or more essential services
  • They operate, and their critical infrastructure is located, on the territory of that Member State
  • An incident would have significant disruptive effects on the provision of one or more essential services or on the provision of other essential services in the sectors set out

What’s the rationale behind the Critical Entities Resilience Directive?

So, why are we seeing these types of Directives crop up now, such as the NIS2 compliance regime we discussed last month?

The fact of the matter is that critical infrastructure assets remain under threat. A report by Vedere Research Labs revealed a 30% year-on-year increase (2022 to 2023) in attacks on critical infrastructure around the world.

Critical entities are particularly vulnerable in the EU, though, where critical infrastructure assets once again topped the list of primary targets for cybercriminals, according to the European Repository of Cyber Incidents.

In addition, following the experience of Covid, the EU Commission wanted to address some of the risks to the provision of essential services identified at the time. National strategy wasn’t going to be the solution, however, as individual Member States had their own (often conflicting) definitions of what a critical entity and an essential service meant.

What’s more, the EU, up to that point, had only addressed the issue of critical-entity resilience through sectoral or issue-specific guidance. The CER Directive, as a result, represents the EU’s attempt to treat the risk to critical entities holistically.

Principal requirements of the Critical Entities Resilience Directive

So, what are the major CER Directive requirements? Most significantly, critical entities will have to carry out risk assessments before taking technical, security, and organizational measures to enhance their resilience and ensure their ability to notify competent authorities (i.e., sectoral regulators) of incidents.

What measures, in particular? The Commission will soon be handing down non-binding guidelines to further specify appropriate technical, security, and organizational measures.

Whatever they come up with, though, entities will have to document the steps they’ve taken to comply with the CER Directive. More specifically, they’ll have to develop a detailed resilience plan describing the measures they’ve taken, and then apply that plan in practice. That resilience plan will have to focus on the following elements:

  • Preventing incidents from occurring
  • Ensuring adequate protection of critical infrastructure
  • Addressing the impact of and recovery from incidents
  • Guaranteeing adequate employee security management

Beyond developing resilience plans, entities will also have to formulate initiatives to ensure compliance. These initiatives might include developing or adapting risk management and resilience frameworks in harmony with later guidance.

Entities, for their part, can turn to digital security management software to ease the burden of CER Directive compliance.

Why? Well, these solutions can enable entities to consolidate information, including descriptions, locations, and key functions, as well as generate automated notifications when information changes, to ensure updates are shared with the regulator.

What other capabilities should you look for in security management software, though? Check out our Buyer's Guide for Security Management Software to find out.