In an era marked by escalating cyberthreats and the increasing interdependence of critical infrastructure, the European Union (EU) introduced the Critical Entities Resilience (CER) Directive to fortify the resilience of essential entities and infrastructure across the continent. Even though the UK has already exited the EU, the CER Directive remains relevant for UK-based businesses operating in the EU.
In this blog, we explore the CER Directive from a UK-centric perspective. In addition, we discuss its implications for UK businesses and provide insight into how you can prepare your organization for compliance.
What is the Critical Entities Resilience Directive?
The CER Directive is EU legislation adopted by the European Parliament that went into effect on January 16, 2023. It is designed to strengthen the operational resilience of critical entities and infrastructure. It replaces the previous European Critical Infrastructure Directive of 2008. In addition, it is aligned with the Network and Information Systems (NIS) 2 Directive, which focuses on improving the cybersecurity of essential services and digital service providers. The CER Directive aims to provide a more robust framework for securing vital services and infrastructure.
The evolving cyber landscape and the increasing interdependence of critical infrastructure sectors were the impetus for the CER Directive. As digital infrastructure is an integral part of modern society, the EU recognized the importance of a comprehensive approach to protecting both physical and digital assets.
By October 17, 2024, all EU Member States must adopt and publish measures necessary to comply with the CER Directive with the deadline for implementation set for October 18, 2024. By January 17, 2026, each Member State must adopt a strategy to enhance the resilience of critical entities. And, by July 17, 2027, the Commission will submit a report to the European Parliament and Council assessing the extent to which each Member State has taken necessary measures to comply with the NIS Directive.
The CER Directive applies to a diverse array of sectors, covering both physical and digital infrastructure providers. It extends beyond the NIS Directive’s coverage, bringing additional entities and essential services under its purview. These newly included entities are vital to the EU’s overall cybersecurity measures and resilience efforts.
Examples of sectors affected by the CER Directive include energy, transport, banking, health care, water supply and digital infrastructure. Organizations operating within these sectors must comply with the CER Directive’s requirements, irrespective of their size or geographical location. Those that fail to comply may face fines and/or penalties.
The CER Directive aims to create a more secure and resilient environment across the EU, ensuring continuity of essential services.
The Importance of Critical Infrastructure Cyber Security in Europe
The EU identified 16 critical infrastructure sectors, including energy, transport, banking, and health care. These sectors are essential for the functioning of society and the economy, and their disruption could have severe consequences.
A notable statistic highlights the urgency of bolstering critical infrastructure security. A survey by the European Union Agency for Cybersecurity (ENISA) reported that phishing continues to be the most prevalent threat. A whopping 90% of businesses believe any of these incidents would have a substantial impact on operations.
Digital infrastructure, including data centers and communication networks, is considered a critical component of modern infrastructure. Recognizing its significance, the EU incorporated digital infrastructure into the CER Directive, ensuring that important entities operating in this sector are also subject to regulation.
Achieving Compliance with the CER Directive
Entities that fall under the scope of the CER Directive must take a structured approach to achieving compliance. The directive outlines several required measures for ensuring the security and resilience of critical infrastructure and services. These include:
- Strategic national planning: Member States must establish a comprehensive strategy to bolster the resilience of critical entities.
- Regular risk assessments: The EU requires Member States to carry out regular risk assessments to identify entities that are crucial for the economy and society.
- Identification of risks: Critical entities must be proactive in identifying potential threats that could disrupt the provision of essential services.
- Proactive measures: To mitigate risk, critical entities must implement technical, security, and organizational measures that are appropriate and proportional to the risks they face.
- Communication is key: Critical entities must appoint a liaison officer or equivalent to be their point of contact with the competent authorities.
- Incident reporting: In the event of a disruptive incident, critical entities must promptly notify the competent authorities.
- Critical entities of European significance: The EU recognizes some critical entities may have a cross-border impact. Therefore, these must be designated as critical entities of particular European significance.
- Coordinated response: In the event of a cross-border disruption, Member States must collaborate with the Commission to coordinate an effective response.
- Stress testing: Member States are encouraged to conduct stress tests of entities operating critical infrastructure, with a priority on the energy sector.
- Up-to-date threat assessments: To stay ahead of evolving risks, Member States must continually update their threat assessments.
- Harmonized identification: To ensure consistent protection, the EU requires harmonization of the identification of critical entities across the Member States.
- Commission guidelines: To promote a unified EU approach, the Commission will adopt non-binding guidelines after consulting the Critical Entities Resilience Group.
Is the UK affected by the CER Directive?
Although the UK is no longer a Member State of the EU, the CER Directive remains relevant to the country. As you may be aware, the UK has its own framework for managing critical infrastructure risks, known as the National Risk Assessment. Importantly, this assessment focuses on identifying and mitigating risks to critical entities and infrastructure within a five-year horizon.
The UK’s definition of “critical entities” is similar to the EU’s. It includes organizations and infrastructure that provide essential services in sectors such as energy, transport, and communications. As such, UK organizations operating in the EU may need to comply with the CER Directive.
The Critical Entities Resilience Directive is a significant step in the EU’s efforts to protect critical infrastructure and digital networks. The CER Directive aims to create a more resilient and secure environment for essential services and infrastructure across the EU. Entities operating in affected sectors must take the necessary steps to ensure compliance. In addition, they must stay up to date with any new developments as the CER Directive evolves in the coming years.
How Alert Logic Can Help Organizations Achieve and Maintain Compliance
As a leading provider of managed detection and response (MDR) solutions, Fortra’s Alert Logic offers comprehensive security solutions. By partnering with Alert Logic, organizations gain access to innovative security technologies and an expert team to manage their compliance needs.
Fortra’s Alert Logic MDR for Compliance provides compliance mapping, automated security controls, continuous monitoring, threat detection, and incident response capabilities. This helps ensure organizations stay one step ahead of requirements and mandates while safeguarding their critical information assets.