The EU Critical Entities Resilience Directive: what organisations need to know

The EU Critical Entities Resilience (CER) Directive is one of the most significant developments in Europe’s evolving regulatory landscape.

Recent EU legislation such as the Corporate Sustainability Reporting Directive (CSRD) have focused on transparency and disclosure, CER focuses on a different question: can essential services continue to operate when disruption occurs? This is a hot topic at the start of Ireland’s EU Presidency as Europe struggles through the climate emergency, energy crisis and ongoing war on its borders.

As Member States identify critical entities and implement national resilience strategies, organisations across sectors, including energy, transport, financial services, health, water, food and digital infrastructure, will face new obligations to assess risks, strengthen resilience and demonstrate business continuity capabilities.

For many organisations, however, the impact of CER will extend beyond those formally designated. As with previous regulations, resilience expectations are likely to cascade through supply chains and commercial relationships, meaning businesses may encounter CER-related requirements long before they receive any direct regulatory notification.

What is the CER Directive?

The CER Directive was introduced to strengthen the resilience of organisations that provide services essential to society and the economy. It replaces the previous European Critical Infrastructure Directive and broadens the focus from infrastructure protection to organisational resilience.

The Directive requires Member States to identify critical entities operating in designated sectors and ensure they can withstand, respond to and recover from disruption.

Organisations designated as critical entities must:

  • Undertake risk assessments.
  • Implement resilience measures.
  • Address identified vulnerabilities.
  • Notify significant incidents.
  • Engage with competent authorities and regulators.

Importantly, CER adopts an all-hazards approach. Organisations are expected to consider a wide range of threats, including climate-related events, natural disasters, technological failures, cyber incidents, supply chain disruption, public health emergencies and malicious acts.

This breadth reflects a growing recognition that resilience is not simply about protecting assets but about maintaining continuity of essential services under increasingly complex and interconnected conditions.

CER implementation in Ireland

Ireland transposed the Directive through the European Union (Resilience of Critical Entities) Regulations 2024.

Responsibility for coordinating implementation sits with the Department of Defence through the Office of Emergency Planning. While this may appear to be an administrative detail, it highlights an important aspect of the Directive. CER is not being framed primarily as an environmental or sustainability initiative, but as a resilience and security priority focused on continuity, preparedness and national capability.

The National Strategy on the Resilience of Critical Entities 2026–2029, published on 19 March 2026, supports this process, and the identification of critical entities is underway. Competent authorities must identify critical entities by 17 July 2026, after which notified entities face defined statutory clocks: risk assessment within nine months of notification, with the full obligations applying at ten months.

Who is affected?

The Directive applies across eleven critical sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Public administration
  • Space
  • Food production, processing and distribution

While direct obligations apply to designated critical entities, organisations should avoid viewing CER solely through the lens of formal scope.

Recent years have demonstrated that regulatory obligations rarely remain contained within the organisations directly subject to them. Instead, they frequently extend through customer, supplier and service-provider relationships.

For many organisations, the more important question may no longer be whether they are directly in scope, but the value chains of which they are part.

The next regulatory cascade

Over the past several years, organisations have experienced a series of regulatory cascades flowing through supply chains.

The first was CSRD. Reporting entities sought sustainability information from suppliers and business partners to support disclosures, creating data requests far beyond the population of companies formally required to report; a dynamic that has outlived the rules that created it, even after the Omnibus Directive (Directive (EU) 2026/470, in force since March 2026) removed roughly nine in ten companies from mandatory scope.

The second is NIS2. Essential and important entities are now required to address cyber risks across their supply chains, extending security expectations to vendors and service providers.

The third is likely to be CER.

RegulationPrimary focusWhat cascades through the supply chain
CSRDSustainability reportingData and disclosure requests
NIS2Cyber resilienceSecurity requirements and controls
CEROperational resilienceContinuity, dependency and resilience expectations

As designated entities implement CER obligations, suppliers may increasingly be asked to provide information relating to business continuity, critical dependencies, resilience measures and continuity of supply; requests that, unlike CSRD data requests, are subject to no statutory cap.

Many organisations may therefore encounter CER not through a regulator but through a customer.

Turning compliance into capability

One of the most practical lessons from CER is that many organisations have already completed some of the work required.

Over recent years, businesses have invested significant time and resources in climate risk assessments, supply chain mapping, dependency analysis, scenario planning and governance structures through sustainability, risk and compliance programmes. Much of this work may prove highly relevant in a resilience context.

The opportunity is not simply to view CER as another compliance exercise but to leverage existing investments to build a more integrated resilience capability.

The question is increasingly shifting from “What should we report?” to “Can we demonstrate that critical operations, sites and supply chains can continue to function when disruption occurs?”

Three questions organisations should ask now

As CER implementation progresses, organisations should consider:

  1. Are we likely to be designated as a critical entity, or do we operate within a designated entity’s value chain?
  2. Who owns resilience within our organisation?
  3. How can existing work on sustainability, risk management and business continuity support resilience requirements?

Looking ahead

The CER Directive reflects a broader shift in European policy and business expectations. Organisations are increasingly expected not only to understand risk but also to demonstrate their ability to withstand disruption and maintain continuity.

For boards and management teams, resilience is becoming a strategic capability rather than a compliance obligation. The organisations that respond most effectively will be those that recognise resilience as a business-wide issue, connecting sustainability, risk management, security and operational continuity into a coherent framework.

Read our related insights on why resilience is becoming the new language of sustainability

Contact