In addition to the NIS2 Directive, the CER Directive (Directive on the Resilience of Critical Entities) was adopted.
The CER Directive replaces the 2008 European Directive on Critical Infrastructure. The new rules strengthen the resilience of critical infrastructure against a range of threats, including natural hazards, terrorist attacks, insider threats and sabotage.
The NIS2 and CER Directives strengthen the foundations of physical (offline) and digital (online) security, ensuring a resilient economy and society in each Member State individually and in the EU as a whole.
Goal:
The CER Directive aims to eliminate vulnerabilities and strengthen the resilience of critical entities.
Critical entities are those that provide essential services, i.e. services that are essential for maintaining vital societal functions, economic activities, public health and safety, and the environment.
Member States are expected to establish criteria for identifying critical entities, to develop guidelines and methodologies for strengthening resilience, and to organise resilience testing exercises. They must adopt a national strategy for strengthening the resilience of critical entities, carry out a risk assessment at least every four years, and identify the critical entities that provide essential services. Critical entities, in turn, must identify the relevant risks that could significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience, and notify the competent authorities of incidents.
Incidents according to the CER Directive:
- Hybrid attacks
- Natural disasters
- Terrorist threats
- Public health emergencies
Critical entities must prevent these incidents, protect against them, respond to them and recover from them.
The CER Directive defines physical security as follows:
- Physical security includes all measures taken to prevent or restrict unauthorised physical access to information systems, to data, and to the premises in which they are located.
- Physical security involves the application of appropriate technical and organisational solutions, such as locks, alarms, cameras, security doors and windows, access control, insurance, surveillance and staff education.
- Physical security must be aligned with the level of risk and the value of the data being protected, and with the other aspects of information security, such as cryptography, authentication, authorisation and auditing.
- Physical security must be regularly reviewed and updated to ensure that it remains effective and keeps pace with changes in the environment, technology and legislation.
Which sectors are covered (the obligated entities):
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- Public administration
- Food
- Space
Certain central public administrations will also be covered by some provisions of the Directive.
Critical entity of particular European importance
A critical entity of particular European importance is an entity that provides an essential service to six or more EU Member States. A Member State may request the Commission to organise an advisory mission; alternatively, the Commission itself, in agreement with the Member State concerned, may propose an assessment of the measures the entity has put in place to fulfil its obligations under the Directive.
Examples of such entities are large banks, large energy companies, large telecommunications companies, large airports…
The Directive entered into force on 8 December 2022, and Member States have 21 months from its entry into force to transpose its provisions into national law, i.e. until 18 October 2024.