How Critical Entities in the EU can prepare for the Directive on the Resilience of Critical Entities

Introduction

National resilience has become a watchword across advanced economies. Governments, from the local to the supranational, have been formulating regulations to bolster the ability of their jurisdiction to withstand and recover from crises and adversities while preserving core values and institutions.

At the center of these regulations has been a focus on critical infrastructure, typically defined as the network of systems, assets, and networks that are essential for the daily life of a people.

Attacks against critical entities on the rise

Given their import, these critical entities have come under severe attack.

A report by Vedere Research labs revealed a 30% year-on-year increase (2022 to 2023) in attacks on the world’s critical infrastructure, averaging out to 13 cyber attacks suffered every second in 2023.ⁱ The European Repository of Cyber Incidents (ERCI) echoed these findings, highlighting that critical infrastructure once again topped the list of primary targets for cybercriminals.ⁱⁱ

Nor is cybercrime the sole threat. Critical assets are also threatened by saboteurs, their own depreciation, as well as natural disasters, such as the recent devastating floods in Spain, which have wiped away or imperiled key assets.    

Beyond climate-related crises, critical infrastructure in the EU, in particular, must also contend with the fallout of roiling war in Ukraine, related inflationary pressures, acutely affecting energy prices, as well as the budgetary overhang from the pandemic.

It’s no surprise then that EU regulators have moved aggressively to shore up so-called critical entities. To date, the most far-reaching of their measures has been the Directive on the Resilience of Critical Entities.

Aimed at stakeholders in the critical infrastructure space, this guide seeks to help critical entities prepare for the upcoming implementation of these rules.

EU Critical Entities Resilience Directive

So, what is the Critical Entities Resilience Directive? Entering into force in January 2023, the Directive of the EU Parliament and the Council of the European Union aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

January 2023? We haven’t implemented the Directive at our entity.

That’s ok. The Directive gives Member States time to adhere (until July 2026). Indeed, the point of the Directive is for all Member States within the bloc to harmonize (by uplifting) their individual resilience strategies and plans.

The Directive itself sets requirements for Member States, who will then need to pass requirements set forth in the Directive into national law.

What sectors are affected by the Directive?

Who then needs to be reading this guide? If you work in any of this non-exhaustive list of essential services, you should be reading this guide to begin preparing for compliance:

• Energy, covering electricity, heating and cooling, oil and gas, and hydrogen
• Transport, covering air, rail, water, road, and public transport
• Banking and financial market infrastructure, covering credit, trading, and clearing
• Health, covering providers, labs, research and development, pharmaceutical and device manufacturing, and distribution
• Drinking and waste water, covering supply and distribution and collection and treatment
• Digital infrastructure, covering providers of internet Exchange Points, DNS services, cloud computing services, data center services, content delivery networks, trust services, electronic communications services, public electronic communications networks, and more
• Public administration
• Space
• Food, covering largescale industrial food production and processing, food supply chain services, and food wholesale distribution

Indeed, that’s quite the list of sectors and subsectors captured by the Directive. What’s more, individual Member States will have to identify their critical entities by means of regular risk assessments.

Nor is that the end of Member State responsibility; Member States, for their part, must also adopt national strategies concerning their own critical entities.

These strategies won’t be spun out of whole cloth. They are likely to build upon pre-existing strategies; as the Directive notes:

In the interests of coherence and efficiency, the strategy should be designed to seamlessly integrate existing policies, building, wherever possible, upon relevant existing national and sectoral strategies, plans or similar documents. In order to achieve a comprehensive approach, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 in the context of information sharing on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents and in the context of the exercise of supervisory tasks. When putting in place their strategies, Member States should take due account of the hybrid nature of threats to critical entities.

What must critical entities know?

You might not yet have been identified officially as a critical entity by your national government. But if you operate in the aforementioned sectors, it’s likely coming. What can you do now to begin to comply?

Starting at the top, critical entities will have to carry out risk assessments of their own, before taking technical, security, and organizational measures to enhance their resilience and ensure their ability to notify competent authorities (i.e., sectoral regulators) of incidents (more later).

Risk assessment requirements

What’s the point of the risk assessment? Per the Directive, the risk assessment should give the critical entity “a comprehensive understanding of the relevant risks to which they are exposed.” From there, the entity will have a duty to analyze those risks.

Further risk assessment provisions include:

• How often? Critical entities should carry out risk assessments “whenever necessary” in view of their particular circumstances and the evolution of those risks, but no fewer than every four years to assess all relevant risks that could disrupt the provision of their essential services.
• What about pre-existing risk assessments? If you’ve carried out other, relevant risk assessments, you may be able to use those assessments and documents to meet the requirement.
• Who decides? A competent national authority should be able to declare that an existing risk assessment addresses the relevant risks and the relevant extent of dependence.

Measures to mitigate risk

As noted, the point of the risk assessment is to provide a broader understanding of risks to the entity. From there, the entity must act on that analysis to mitigate the risks identified.

The Directive, here, states that critical entities “should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident.”

What are the measures envisaged? The Directive is purposefully vague on this point: “…the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of such entity in an appropriate and proportionate way.”

However, the Commission will soon be handing down non-binding guidelines, to further specify appropriate technical, security, and organizational measures.

Whatever they come up with, though, entities will have to document the steps they take to comply with the Directive. More specifically, they will have to develop a detailed resilience plan to describe the measures they’ve taken, before applying that plan in practice. The resilience plan should focus on the following:

• Preventing incidents from occurring
• Ensuring adequate protection of critical infrastructure
• Addressing the impact of and recovery from incidents
• Guaranteeing adequate employee security management

Beyond developing resilience plans, entities will likely also have to formulate initiatives to ensure compliance. Such initiatives might include developing or adapting risk management and resilience frameworks in harmony with later guidance.

Entities might also have to adjust related roles, responsibilities, and reporting processes to fulfil their Member State’s regulatory mandates. To this end, it’s highly advisable to dedicate key personnel, such as a Chief Resilience Officer (CRO), to address these requirements and oversee the organization’s overall approach to compliance.

Incident notification provisions

Certain to fall on the CRO’s plate is responsibility for adhering to the Directive’s strict incident notification requirement.

What’s that? Entities, unless rendered completely inoperative, will have to submit an initial notification, no later than 24 hours after becoming aware of an incident. 

Incident, here, covers events that significantly disrupt or have the potential to significantly disrupt the provision of essential services.

The notification itself needs to include information strictly necessary to make the competent authority aware of the incident and allow the critical entity to seek assistance.

To prepare to comply with this particular requirement, entities should develop a mechanism for notification that will allow competent authorities to respond to incidents rapidly and adequately and to have a comprehensive overview of the (1) impact, (2) nature, (3) cause, and (4) possible consequences of the incident.

Critical entities that provide essential services in six or more Member States

It will ultimately be the responsibility of the Member States to ensure that critical entities implement the appropriate measures contained in their resilience plans. But the Directive envisages some level of Member State assistance to critical entities.

Of course, not all critical entities will get such assistance. They should instead consider conducting self-assessments into their own level of maturity and coverage, performing a gap analysis of their current resilience posture measured up against the Directive, existing national law, and relevant standards.

Certain critical entities will get special attention, though. These are critical entities that provide essential services to or in six or more Member States. They will be considered critical entities of particular European significance.

What happens to them? Well, first of all, the Commission will notify the critical entity of its status, likely through a competent authority. The Commission will then inform the critical entity of its special obligations and the date from which those obligations apply to it. In other words, hold tight.

Digital technology for critical entities

Following the obligations above is a great place to start when upleveling the resilience of critical entities. If doing so seems daunting, critical entities don’t need to act alone.

Technology providers, for their part, are also available help.

Specifically, certain vendors provide integrated resilience workspaces where teams can work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.

Here are some software capabilities to consider:

• Critical entities management. Consolidate information about critical entities and operators including descriptions, locations, and key functions. Generate automated notifications when information changes to ensure updates are shared with the regulator in a timely manner to meet reporting obligations.
• Risk management. Take a proactive approach to risk management in a standardized manner that makes it simple to identify risks, assess their inherent risk level, implement controls, confirm their effectiveness, and monitor residual risk levels on an ongoing basis in a single workspace.
• Vulnerability assessments. Perform vulnerability assessments to pinpoint potential gaps that may expose the organization to specific types of cyber incidents. Use the findings to determine areas where additional resources and capabilities are needed to enhance the organization's readiness and resilience to cyber threats.
• Third-party risk management. Streamline the capture of critical entity operator information including key entity details, descriptions of the arrangements in place and details about how relevant data types are managed using automated questionnaires and document requests.
• Preparedness. Build incident response plans using automated plans and checklist functionality then leverage these to conduct exercises on an ongoing basis to ensure that plans are effective, key personnel understand their roles and responsibilities, and shortcomings are addressed.
• Threat intelligence. Stay ahead of potential threats to critical infrastructure and your operators using real-time threat intelligence alerts. Leverage situational awareness dashboards to consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.
• Incident management. Improve incident response times and team activation with automated emails, SMS, and voice notifications. Identify personnel required to update the regulator, then assign tasks, record decisions, and share updates as the incident evolves before using investigations to identify controls to prevent reoccurrence.
• Analytics and reporting. Centralize critical entity information to enable data visualization through interactive dashboards, charts, and maps in real-time on any device. Easily share insights with internal stakeholders to improve decision making and keep the regulator updated on relevant changes to critical entities where required.

Finally, the risk environment surrounding critical assets has never been more perilous. And as a result, national and supranational regulators and policymakers have had to step in.

The Directive on the Resilience of Critical Entities, following similar policies in Australia, the U.S., the U.K., and even EU member states, is just the latest example of a set of measures designed to strengthen the resilience of critical entities against an ever-expanding range of threats.

Just like in those jurisdictions, the onus now falls to critical entities in the EU to beef up their risk and security postures. How to do it in compliance with the statutes? This article has sought to explain in clear language what the requirements for critical entities are so that entities can proactively begin to comply.

And the gist is if you want to beat compliance deadlines, your critical entity needs to immediately determine what its specific impact will be, what resources will be needed, and how best to proceed. We lay out some immediate actions in the fact sheet below.

The EU Critical Entities Directive Fact Sheet

What is it?

Entered into force on 16 January 2023, the Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

Important dates

July 2026. The Directive asks Member States to identify critical entities (i.e. those which provide essential services) by 17 July 2026 and to define national resilience strategies, risk assessment frameworks, and other elements of resilience within an ambitious 10-month timetable from that declaration. 

Which sectors are impacted?

• Energy
• Transport
• Banking
• Financial market infrastructure
• Health
• Drinking water
• Waste water
• Digital infrastructure
• Public administration
• Space
• Food

Steps to comply

• Don’t wait for your regulator. Use existing frameworks, whether sectoral regulations, existing national law and strategy, or international standards, as your starting point for identifying areas of focus to start enhancing resilience capabilities.
• Self-assess. Help might not be coming from national governments. Using existing methodologies as your guide, conducting self-assessments on your level of maturity and coverage.
• Tap the right people. The comprehensive nature of these regulations means that resilience needs to be an organizational initiative. To that end, put a Chief Resilience Officer (CRO) in charge of ensuring compliance but also building a culture of resilience.
• Look into reporting. Immediate action for the CRO includes reviewing your incident detection, impact measurement, and reporting capabilities.
• Invest in the right tools. Those capabilities not up to snuff? Then, it’s time to invest in the right technology. Workspaces like Noggin help consolidate information about critical entities and operators, generate automated notifications when information changes to meet reporting obligations, as well as make it simple to identify risks, assess their inherent risk level, implement controls, confirm their effectiveness, and monitor residual risk levels on an ongoing basis in a single workspace.

Sources

ⁱ Security Today: World's Critical Infrastructure Suffered 13 Cyber Attacks Every Second in 2023. Available at https://securitytoday.com/Articles/2024/01/29/World-Critical-Infrastructure-Suffered-13-Cyber-Attacks-Every-Second-in-2023.aspx?Page=1.

ⁱⁱ Akshay Joshi, World Economic Forum: These sectors are top targets for cybercrime, and other cybersecurity news to know this month. Available at https://www.weforum.org/agenda/2024/04/cybercrime-target-sectors-cybersecurity-news/.