Source: OJ L 333, 27.12.2022, pp. 164–198
- Resilience of critical entities
Basic legislative acts
- CER directive
Article 4 Strategy on the resilience of critical entities
Following a consultation that is, to the extent practically possible, open to relevant stakeholders, each Member State shall adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities (the ‘strategy’). The strategy shall set out strategic objectives and policy measures, building upon relevant existing national and sectoral strategies, plans or similar documents, with a view to achieving and maintaining a high level of resilience on the part of critical entities and covering at least the sectors set out in the Annex.
Each strategy shall contain at least the following elements:
- strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities, taking into account cross-border and cross-sectoral dependencies and interdependencies;
- a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, critical entities and other parties involved in the implementation of the strategy;
- a description of measures necessary to enhance the overall resilience of critical entities, including a description of the risk assessment referred to in Article 5;
- a description of the process by which critical entities are identified;
- a description of the process supporting critical entities in accordance with this Chapter, including measures to enhance cooperation between the public sector, on the one hand, and the private sector and public and private entities, on the other hand;
- a list of the main authorities and relevant stakeholders, other than critical entities, involved in the implementation of the strategy;
- a policy framework for coordination between the competent authorities under this Directive (‘competent authorities’) and the competent authorities under Directive (EU) 2022/2555 for the purposes of information sharing on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents and the exercise of supervisory tasks;
- a description of measures already in place which aim to facilitate the implementation of obligations under Chapter III of this Directive by small and medium-sized enterprises within the meaning of the Annex to Commission Recommendation 2003/361/EC (31) that the Member State in question has identified as critical entities.

(31) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Following a consultation that is, to the extent practically possible, open to relevant stakeholders, Member States shall update their strategies at least every four years.
Member States shall communicate their strategies, and substantial updates thereto, to the Commission within three months of their adoption.
Relevant recitals
Recital 13 Strategy for resilience of critical entities
With a view to ensuring a comprehensive approach to the resilience of critical entities, each Member State should have in place a strategy for enhancing the resilience of critical entities (the ‘strategy’). The strategy should set out the strategic objectives and policy measures to be implemented. In the interests of coherence and efficiency, the strategy should be designed to seamlessly integrate existing policies, building, wherever possible, upon relevant existing national and sectoral strategies, plans or similar documents. In order to achieve a comprehensive approach, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 in the context of information sharing on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents and in the context of the exercise of supervisory tasks. When putting in place their strategies, Member States should take due account of the hybrid nature of threats to critical entities.
Recital 14 Communication of strategies to the European Commission
Member States should communicate their strategies and substantial updates thereto to the Commission, in particular to enable the Commission to assess the correct application of this Directive as regards policy approaches to the resilience of critical entities at national level. Where necessary, the strategies could be communicated as classified information. The Commission should draw up a summary report of the strategies communicated by Member States to serve as a basis for exchanges to identify best practices and issues of common interest in the framework of a Critical Entities Resilience Group. Due to the sensitive nature of the aggregated information included in the summary report, whether classified or not, the Commission should manage the summary report with the appropriate level of awareness with respect for the security of critical entities, Member States and the Union. The summary report and the strategies should be safeguarded against unlawful or malicious action and should be accessible only to authorised persons in order to fulfil the objectives of this Directive. The communication of the strategies and substantial updates thereto should also help the Commission to understand developments in approaches to the resilience of critical entities and feed into the monitoring of the impact and added value of this Directive, which the Commission is to review periodically.
Recital 24 Relation to requirements and competent authorities under the NIS 2 directive
The competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 should cooperate and exchange information in relation to cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents affecting critical entities as well as in relation to relevant measures taken by competent authorities under this Directive and competent authorities under Directive (EU) 2022/2555. It is important that Member States ensure that the requirements provided for in this Directive and in Directive (EU) 2022/2555 are implemented in a complementary manner and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive and that Directive.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.