CER directive protects critical infrastructure against physical risks

What changes?

More and more often the safety of our society and economy is under pressure. That is why the European Union has worked out 2 directives:

• the Critical Entities Resilience directive (CER directive)
• the Network and Information Security directive (NIS2 directive)

These directives aim to strengthen the physical, digital, and economic resilience of the countries of the EU.

The CER directive is meant to protect public and private organisations against physical risks, such as the consequence of (terrorist) crimes, sabotage, and natural disasters.

Which sectors and organisations are covered by the CER directive?

The CER directive focuses on strengthening the physical resilience of organisations that supply vital services, so called ‘critical entities’, within the following sectors:

• energy
• drinking water
• transport
• digital infrastructure
• food industry
• healthcare
• financial market infrastructure
• waste water
• government services
• banking sector
• space activities

The ministries responsible for these sectors decide which organisations are designated as critical entities. This is done with a risk assessment. This includes looking at the extent to which an organisation provides a service that is indispensable for the functioning of societal functions and/or economic activities. Did the government already designate your company as ‘vital provider’? Then your company will be designated as a critical entity in any case, if you operate within 1 of the sectors mentioned above.

Has your company been designated as critical entity? Then you will be notified by the responsible ministry. This will happen as soon as possible after the act comes into force. It is expected this will be at the end of 2024. After designation, organisations still have 10 months to comply with the law.

Which obligations does the CER directive impose?

The CER directive dictates a number of important duties, such as:

• Duty of care – Companies must carry out a risk assessment themselves. Based on this risk assessment they should take measures to guarantee their provision of services as much as possible and protect their information. These measures are aimed at physical threats.
• Duty to report – Companies have to report incidents to the supervising authority within 24 hours. It concerns incidents that (can) significantly disrupt the provision of the essential service. In case of a cyber incident this should also be reported to the Cyber Security Incident Response Team (CSIRT). Then the CSIRT can offer help and support. Whether an incident is subject to the duty to report depend on several factors. For example the number of people affected by the disruption, the duration of the disruption, and the potential financial losses.
• Supervision – Organisations covered by the CER directive will be under supervision. The supervisory body will look at compliance with the obligations of the directive, such as the duty of care and the duty to report. It is still being worked out which sectors will fall under which supervisory body.

What does the government do?

The CER directive requires EU countries to help critical, vital, and important organisations strengthen their resilience against physical risks. The government has to perform a risk assessment for each sector every 4 years and share the results with critical entities in that sector. The government can also offer support by sharing information, drawing up guidelines, and offering instruments, for example to perform risk assessment, to increase organisations’ resilience.

How can organisations prepare?

Before the national legislation is ready, organisations can prepare for their duty of care. They can do so by taking measures to improve safety and resilience of their processes and services. For example:

• Identify and analyse risks.
• Write business continuity plans and protocols for crisis management and organise incident response.
• Identify alternative supply chains.
• Create awareness among staff of risks and measures to take.
• Reserve budget and capacity needed to comply with the directive.

For whom?

• organisations – the so called critical entities – that supply vital services

When?

The internet consultation will start in the first quarter of 2024. It is expected the new law will enter into force at the end of 2024. From the end of 2024 the ministries will designate companies covered by the CER directive.

Questions?

It is not yet possible to answer all questions properly. Even so, the government would like to hear what questions your organisation has. Ask your question to the ministry responsible for the sector in which your company is active (in Dutch). This way, the government knows which questions companies have and need to be answered.

Please note: The effective date of this measure is not yet final. Entry into force is subject to its passing through the upper and lower houses of parliament or proclamation of the Order in Council (Algemene Maatregel van Bestuur, AMvB) or ministerial decree and publication in the Staatsblad or Staatscourant (Government Gazette, in Dutch).