Resilience of Critical Entities: How EU nations are preparing

May 17, 2026
Key Insights

  • In 2020 the European Commission proposed a significant upgrade to the EU's rules on the resilience of critical entities
  • Two separate regulations emerged in 2023 - The Directive on the Resilience of Critical Entities (CER) and NIS 2
  • The Irish Health Service Executive (HSE) fell victim to a Conti ransomware attack in May 2021 causing significant nationwide disruption
  • The country is now taking security seriously and is one of the first EU member states to publish a national CER strategy

In 2020 the European Commission proposed a significant upgrade to the EU's rules on the resilience of critical entities and the security of network and information systems.

After a series of serious cyberattacks and increasing evidence that nations were vulnerable to both man-made and natural disasters, the region pushed to require stronger assurance that critical infrastructure across Europe was capable of withstanding future events.

Three years later, two key directives on critical and digital infrastructure entered into force, with the aim of strengthening the EU's resilience against both online AND offline threats, including cyberattacks, public health events or natural disasters. The result:

  • The Directive on the Resilience of Critical Entities (CER Directive); and
  • The Directive on measures for a high common level of cybersecurity across the Union - better known as the 'NIS 2' Directive.

CNI sectors under attack

We've written previously about the region-wide push for cyber security improvements under NIS 2 and the ever-increasing number of attacks against health, energy and transport sectors.

Increasing legislation and active regulation have become part and parcel of the European experience as countries work to stay compliant with demands for readiness and resilience.

For CER, the Commission proposed a 'non-exhaustive list' of services that are "crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment." Those eleven sectors are:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • Public administration
  • Space
  • Production, processing and distribution of food

The clear similarities with NIS 2 stand out and have led to some talk of duplication of effort and a lack of converged focus across cyber and non-cyber domains, where the objective ultimately remains the same: laying down harmonised minimum rules for providers of essential services.

How Ireland has tackled the CER requirements

“A resilient society is essential for our national security, as well as our economic and social well-being”
Helen McEntee, Ireland’s Minister for Defence

Ireland holds the Presidency of the Council of the EU in 2026 and has set out to champion the EU goals of Values, Security, and Competitiveness.

It is one of the first member states to publish a national CER strategy, not only as a compliance exercise, but to build credibility for the ongoing uplift of regional security.

The goals of the strategy are:

  1. Enhance the National Risk Assessment
    Build on the established National Risk Assessment (NRA) methodology to meet the requirements of the EU regulations by identifying essential services of the state
  2. Establish Governance and Coordination
    Embed a governance and co-ordination framework for Critical Entity resilience
  3. Improve Resilience
    Drive proportionate improvements in the resilience of essential services provided by the identified Critical Entities
  4. Strengthen Strategic Oversight
    Enhance the Department of Defence’s strategic oversight of critical infrastructure dependencies across all in-scope sectors
  5. Ensure Consistency with Cyber Security
    Maintain a consistent approach by the Department of Defence to Critical Entity resilience and ensure consistency with the Irish national approach to cyber security and NIS 2

The scale of potential harm and system wide dependencies

The Irish strategy places critical importance on assessing the potential impact of service disruption across the eleven sectors. It sets out scales of impact to determine what may happen when key entities suffer a prolonged failure to provide the essential service:

Scales of harm consider the impact of service disruption across six dimensions

Importantly, the national strategy also considers how complex interdependencies between sectors and sub-sectors can increase or amplify systemic risk issues in the event of a disruption.

For the EU nation states there is also the prospect that cross-border interdependencies may exist within sectors where parent companies or supply chains cross national boundaries.

Example infrastructure and supply chain dependencies are shown for transport, energy, water and telecoms sectors

Uplifting national security and the resilience of Critical Entities

The Irish strategy sets out a governance framework, the criteria for identifying critical entities, their specific obligations, and the measures needed to strengthen resilience, particularly through improved information sharing and stronger public‑private collaboration.

The simple visual shows how the separate organisations interact to implement the overall governance model across both NIS 2 and CER activities:

Ireland's National Strategy on the Resilience of Critical Entities

Given the events of May 2021, when the Irish Health Service Executive (HSE) fell victim to a Conti ransomware attack causing significant nationwide disruption and a massive restoration and recovery cost, it's clear that the country wants to work towards better risk identification and coordinated treatment actions that help prevent such incidents in future.

The CER Directive is thus the sister regulation to NIS 2, taking a broader, all-hazards approach to national resilience, extending beyond just cyber threats to also address physical risks and the prospect of complex supply chains supporting critical industries.

Security Ireland has analysed the efforts underway in two workstreams and provides this simple comparison of the scope of each directive and crossover:

Security Ireland sets out the dual obligations

EU Member States have to identify the critical entities for the eleven sectors set out in the CER Directive by 17 July 2026.

Thus, delivering on CER and NIS 2 and simplifying how two frameworks apply to one set of entities will require practical guidance on alignment. Given the potential disruptions that could play out for critical national infrastructure, achieving these objectives will be well worth the effort required to comply.