Author: Triantafyllos Kouloufakos, Doctoral Researcher

At the end of 2022 the EU introduced Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (CER Directive). This Directive was introduced alongside Directive 2020/0359 on measures for a high common level of cybersecurity across the Union, repealing Directive 2016/1148 (NIS2 Directive), in order to enhance the security of critical infrastructures in the Union. In this blog post we examine some of the basic points of the CER Directive and then briefly analyse its application in different sectors.

CER Directive - General Overview

Article 6(1) of the CER Directive indicates that Member States have until 17 July 2026 to identify the critical entities for all the sectors and subsectors set out in the Annex, taking into account the identification criteria laid down in the Directive. Furthermore, according to Article 6(3), each Member State must notify each critical entity of its inclusion in the list within one month of such inclusion. In parallel, according to Article 12(1) of the Directive, Member States must ensure that said critical entities perform a risk assessment within nine months of receiving the notification under Article 6(3) and at least every four years thereafter. Those risk assessments “shall account for all the relevant natural and man-made risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid threats and other antagonistic threats, including terrorist offences”.

Moreover, the Directive provides that Member States must also ensure that critical entities take the appropriate technical, security and organisational measures to ensure their resilience. Said measures include measures necessary to “(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures; (b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls; (c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines; (d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service; (e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications; (f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises”. Finally, in order to further protect the resilience of critical entities, the Directive allows Member States to submit requests for background checks on persons who hold sensitive roles in a critical entity, have access to such an entity, or are under consideration for recruitment to a position in such an entity.

Furthermore, the Directive sets out obligations regarding incident notification, similar to those of the NIS2 Directive. Specifically, “Member States shall ensure that critical entities notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services.” When Member States proceed to said notification they must take into account “(a) the number and proportion of users affected by the disruption; (b) the duration of the disruption; (c) the geographical area affected by the disruption, taking into account whether the area is geographically isolated”. Finally, the CER Directive establishes a Critical Entities Resilience Group whose role is to support the Commission and to facilitate cooperation among Member States, as well as the exchange of information on issues relevant to the CER Directive. This Group is composed of representatives of the Member States and the Commission and may also invite relevant stakeholders to participate in its work.

Sectoral Application

One of the sectors treated as a priority by the CER Directive is the digital infrastructure sector. According to the Directive, Member States must designate data centres, cloud providers and Internet access points as critical entities, which must then conduct risk assessments, draw up resilience plans and follow incident reporting protocols in line with the Directive. Those risk assessments must be conducted within 9 months of identification, with updates at least every 4 years, and must also cover cross-sector dependencies. Resilience plans in this sector typically incorporate physical measures, crisis response, cyber hygiene, backups and situational-awareness tools across the different infrastructure layers.

Another very important sector covered by the CER Directive is the energy sector. The CER Directive applies to all participants in the sector, from transmission and distribution system operators to producers, storage operators, energy service providers and market operators, and covers different types of energy (e.g. gas, hydrogen, oil, etc.). Entities must conduct Risk Vulnerability Assessments covering natural hazards, cyber threats, physical sabotage and the various system interdependencies. When assessing physical resilience, entities should review perimeter controls, check sensor systems, draft crisis protocols and carry out staff vetting. A good example is Denmark, whose act implementing the CER Directive designated utility operators, appointed liaison officers, introduced 24-hour incident notifications and regulated enforcement powers such as fines.

The CER Directive also covers the very important healthcare sector, including medical device manufacturers, reference laboratories, healthcare providers and production entities, as well as pharmaceutical R&D. Risk assessments in this sector must integrate dependencies on energy, water and logistics, together with checks on IT system uptime and on the security of the medication and medical device supply chains. Resilience plans in this sector focus mainly on continuity strategy, backup facilities, crisis management and incident communication protocols.

Regarding the transport sector, the CER Directive covers air transport, port authorities, road traffic control systems and rail infrastructure operators. In this sector the risk assessment includes interfaces with other sectors, since energy and digital systems are pivotal to the operation of transport. In addition, when conducting the assessments, entities must establish liaison points with the regulators of each transport subsector (e.g. aviation or port authorities).

Finally, regarding food production, it must be mentioned that only large-scale producers, processors and logistics or wholesale distributors with a significant share of the market fall within the scope of the CER Directive. Risk assessments in this sector might include transportation dependencies, warehouse vulnerabilities, supply chain interdependencies and energy/water availability, which underlines the importance of cross-sectoral cooperation. Based on those assessments, resilience strategies might include crisis communication with authorities, backup transport strategies, alternative sourcing plans and the maintenance of critical stock thresholds.

Beyond the sectoral developments, there are some interesting takeaways from cases of cross-sectoral cooperation. Cloud-based services are omnipresent, so any risk assessment emphasises the interdependencies between energy and cloud systems, as well as the importance of cloud services for transport logistics, which rely on internet communications. Furthermore, sectors like public administration are the cornerstone of the efficient operation of other sectors such as food and healthcare, since public administration authorities help facilitate, for example, medical supply chains and emergency services.

Final Thoughts

The CER Directive is a very positive step by the EU towards more effective and comprehensive protection of critical infrastructures. Furthermore, it offers projects like EU-CIP the guidance and tools they need to fulfil their mission of building more resilient European critical infrastructures.
