Resilience

EU Critical Infrastructure Resilience and Implications for Companies

September 5, 2024 · Anna Loverus

The EU has adopted significant measures to protect critical infrastructure and strengthen resilience against natural and man-made disruptions. These policies are fundamental given the interconnectivity of energy, transport, health, and digital infrastructure sectors.

The Critical Entities Resilience (CER) Directive, which entered into force in January 2023, and the recently adopted Critical Infrastructure Blueprint, set the framework for risk management and response coordination across the EU.

Key Policies and Directives

  1. CER Directive: The CER Directive mandates that member states identify critical entities, conduct risk assessments, and create national strategies to safeguard them from a broad spectrum of risks, such as natural hazards, terrorist attacks, cyber threats, and sabotage. Businesses operating in key sectors like energy, transport, banking, digital infrastructure, and food production must implement technical, organizational, and security measures to boost resilience. As of October 2024, all EU countries must comply with the CER Directive, adopting risk management plans and stress tests based on common EU standards. These measures are designed to ensure that critical services, vital for economic and societal stability, remain operational during crises.

  2. Critical Infrastructure Blueprint: The Critical Infrastructure Blueprint, adopted in June 2024, provides a roadmap for coordinated EU responses to significant cross-border disruptions. This blueprint emphasizes information sharing, communication, and collaboration among member states during incidents impacting critical infrastructure. The blueprint builds on the Council Recommendation on Resilience and stresses the need for preparedness through regular stress tests and risk assessments.

  3. Council Recommendation on Resilience: The Council Recommendation of December 2022, introduced after the sabotage of critical infrastructure, outlines actions for enhancing preparedness and response across the EU. These actions include cooperation with NATO, stress tests starting in the energy sector, and support from the EU's Protective Security Advisory Missions for critical infrastructure.

Impact on Businesses

Businesses that operate in sectors deemed critical by the CER Directive will be significantly affected. Companies must ensure they comply with the directive by:

  • Conducting Risk Assessments: Regular risk assessments to identify potential disruptions and establish mitigation strategies are now mandatory. These assessments must account for natural disasters, cyberattacks, and terrorist threats.

  • Enhancing Resilience: Companies must proactively safeguard their infrastructure, for example by improving physical security, cybersecurity, and organizational protocols. Collaboration with other businesses and government entities is encouraged to foster a robust response framework.

  • Incident Reporting: Any service continuity incidents must be promptly reported to authorities. These reports will enhance cross-border coordination during crises.

  • Compliance by October 2024: As the CER Directive becomes fully enforceable, businesses should meet all regulatory requirements by the deadline.

Sectors Affected

The CER Directive impacts companies across 11 critical sectors:

  • Energy

  • Transport

  • Banking

  • Financial market infrastructure

  • Health

  • Drinking water

  • Wastewater

  • Digital infrastructure

  • Public administration

  • Space

  • Food production and distribution

Recommendations for Business Leaders

  1. Prepare for Compliance: Implement the required risk management and resilience strategies to ensure your company meets the October 2024 deadline.

  2. Participate in Stress Tests: Engage in the EU’s stress tests and training exercises to ensure your systems are resilient and can withstand cross-border disruptions.

  3. Improve Communication Protocols: Establish clear communication channels with authorities and other critical entities to facilitate faster incident responses.

  4. Monitor Regulatory Developments: Stay updated on new EU-level initiatives, including cross-border cooperation agreements, stress tests, and any changes in the regulatory framework.

Conclusion

The new EU framework on critical infrastructure resilience presents businesses with challenges and opportunities.

Companies can ensure compliance with the CER Directive and strengthen their operational resilience by participating in the blueprint's coordinated response mechanisms. To stay ahead of potential disruptions, business leaders should focus on risk management, communication strategies, and engagement in EU-wide exercises.