The EU Critical Entities Resilience Directive
The EU Critical Entities Resilience (CER) Directive is one of the most significant developments in Europe’s evolving regulatory landscape.
Recent EU legislation such as the Corporate Sustainability Reporting Directive (CSRD) have focused on transparency and disclosure, CER focuses on a different question: can essential services continue to operate when disruption occurs? This is a hot topic at the start of Ireland’s EU Presidency as Europe struggles through the climate emergency, energy crisis and ongoing war on its borders.
As Member States identify critical entities and implement national resilience strategies, organisations across sectors, including energy, transport, financial services, health, water, food and digital infrastructure, will face new obligations to assess risks, strengthen resilience and demonstrate business continuity capabilities.
For many organisations, however, the impact of CER will extend beyond those formally designated. As with previous regulations, resilience expectations are likely to cascade through supply chains and commercial relationships, meaning businesses may encounter CER-related requirements long before they receive any direct regulatory notification.
The CER Directive was introduced to strengthen the resilience of organisations that provide services essential to society and the economy. It replaces the previous European Critical Infrastructure Directive and broadens the focus from infrastructure protection to organisational resilience.
The Directive requires Member States to identify critical entities operating in designated sectors and ensure they can withstand, respond to and recover from disruption.
Organisations designated as critical entities must:
Importantly, CER adopts an all-hazards approach. Organisations are expected to consider a wide range of threats, including climate-related events, natural disasters, technological failures, cyber incidents, supply chain disruption, public health emergencies and malicious acts.
This breadth reflects a growing recognition that resilience is not simply about protecting assets but about maintaining continuity of essential services under increasingly complex and interconnected conditions.
Ireland transposed the Directive through the European Union (Resilience of Critical Entities) Regulations 2024.
Responsibility for coordinating implementation sits with the Department of Defence through the Office of Emergency Planning. While this may appear to be an administrative detail, it highlights an important aspect of the Directive. CER is not being framed primarily as an environmental or sustainability initiative, but as a resilience and security priority focused on continuity, preparedness and national capability.
The National Strategy on the Resilience of Critical Entities 2026–2029, published on 19 March 2026, supports this process, and the identification of critical entities is underway. Competent authorities must identify critical entities by 17 July 2026, after which notified entities face defined statutory clocks: risk assessment within nine months of notification, with the full obligations applying at ten months.
The Directive applies across eleven critical sectors:
While direct obligations apply to designated critical entities, organisations should avoid viewing CER solely through the lens of formal scope.
Recent years have demonstrated that regulatory obligations rarely remain contained within the organisations directly subject to them. Instead, they frequently extend through customer, supplier and service-provider relationships.
For many organisations, the more important question may no longer be whether they are directly in scope, but the value chains of which they are part.
Over the past several years, organisations have experienced a series of regulatory cascades flowing through supply chains.
The first was CSRD. Reporting entities sought sustainability information from suppliers and business partners to support disclosures, creating data requests far beyond the population of companies formally required to report; a dynamic that has outlived the rules that created it, even after the Omnibus Directive (Directive (EU) 2026/470, in force since March 2026) removed roughly nine in ten companies from mandatory scope.
The second is NIS2. Essential and important entities are now required to address cyber risks across their supply chains, extending security expectations to vendors and service providers.
The third is likely to be CER.
| Regulation | Primary focus | What cascades through the supply chain |
|---|---|---|
| CSRD | Sustainability reporting | Data and disclosure requests |
| NIS2 | Cyber resilience | Security requirements and controls |
| CER | Operational resilience | Continuity, dependency and resilience expectations |
As designated entities implement CER obligations, suppliers may increasingly be asked to provide information relating to business continuity, critical dependencies, resilience measures and continuity of supply; requests that, unlike CSRD data requests, are subject to no statutory cap.
Many organisations may therefore encounter CER not through a regulator but through a customer.
One of the most practical lessons from CER is that many organisations have already completed some of the work required.
Over recent years, businesses have invested significant time and resources in climate risk assessments, supply chain mapping, dependency analysis, scenario planning and governance structures through sustainability, risk and compliance programmes. Much of this work may prove highly relevant in a resilience context.
The opportunity is not simply to view CER as another compliance exercise but to leverage existing investments to build a more integrated resilience capability.
The question is increasingly shifting from “What should we report?” to “Can we demonstrate that critical operations, sites and supply chains can continue to function when disruption occurs?”
As CER implementation progresses, organisations should consider:
The CER Directive reflects a broader shift in European policy and business expectations. Organisations are increasingly expected not only to understand risk but also to demonstrate their ability to withstand disruption and maintain continuity.
For boards and management teams, resilience is becoming a strategic capability rather than a compliance obligation. The organisations that respond most effectively will be those that recognise resilience as a business-wide issue, connecting sustainability, risk management, security and operational continuity into a coherent framework.
Read our related insights on why resilience is becoming the new language of sustainability
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.