EUR-Lex Access to European Union law

This document is an excerpt from the EUR-Lex website

Making critical entities more resilient

SUMMARY OF:

Directive 2022/2557 on the resilience of critical entities

WHAT IS THE AIM OF THE DIRECTIVE?

The directive aims to:

  • reduce vulnerabilities and strengthen the physical resilience* of critical entities in the European Union (EU) in order to ensure the uninterrupted provision of services that are essential for the economy and society as a whole;
  • increase the resilience of the critical entities that provide these services.

KEY POINTS

EU Member States must, following a risk assessment, identify critical entities that provide services that are essential for the maintenance of functions vital to society, economic activities, public health and safety or the environment, and identify cases in which an incident would have significant disruptive effects on these essential services, including when it would affect the national systems that safeguard the rule of law. This covers entities in the following sectors:

  • energy, including electricity, district heating, oil, gas and hydrogen operators;
  • transport by air, rail, water and road, including public transport;
  • banking, which is also subject to Regulation (EU) 2022/2554 (the Digital Operational Resilience Act – see summary);
  • financial market infrastructure, including trading venues, also subject to the Digital Operational Resilience Act;
  • health, including healthcare providers, basic pharmaceutical product and critical device manufacturers, and research and development of medicinal products;
  • drinking water suppliers and distributors;
  • waste water disposal and treatment;
  • digital infrastructure, including electronic communications services and data centres, which is also subject to Directive (EU) 2022/2555 (see summary);
  • public administration entities at the central government level, excluding national security, public security, defence and law enforcement;
  • space operators of ground-based infrastructure; and
  • food businesses engaged exclusively in logistics and wholesale distribution and in large-scale industrial production and processing.

It should be noted that certain parts of the directive do not apply to entities in the banking, financial market infrastructure and digital infrastructure sectors.

Each Member State must:

  • adopt a national strategy and carry out regular risk assessments;
  • taking into account the outcome of the risk assessments, identify entities that provide essential services to society, the economy, public health and safety or the environment;
  • support the identified critical entities in enhancing their resilience with, for instance, guidance material, exercises, advice and training;
  • ensure that national authorities have the powers, resources and means to carry out their supervisory tasks, including conducting on-site inspections of critical entities and introducing penalties for non-compliance as part of an enforcement mechanism;
  • specify the conditions under which a critical entity can submit requests for background checks on personnel holding sensitive roles.

Critical entities must:

  • carry out risk assessments of their own to identify risks that could disrupt their ability to provide essential services;
  • take technical, security and organisational measures to enhance their resilience;
  • notify significant disruptive incidents to the national authorities.

If critical entities provide essential services in six or more Member States, they could benefit from extra advice in the form of advisory missions that evaluate the risk assessment and the resilience-enhancing measures the entity has put in place.

A Critical Entities Resilience Group facilitates cooperation among Member States, including sharing information and good practices.

The European Commission provides support, including on cross-sectoral risks, best practices, methodologies, cross-border training and exercises to test the resilience of critical entities.

FROM WHEN DO THE RULES APPLY?

The directive has to be transposed into national law by 17 October 2024. These rules should apply from 18 October 2024.

BACKGROUND

The Commission’s EU security union strategy and the counter-terrorism agenda for the EU stress the importance of ensuring the resilience of critical entities in the face of physical and digital risks.

This directive is part of a package of legislative measures to improve the resilience and incident-response capacities of public and private entities in the EU in the field of cybersecurity and critical infrastructure protection.

The Council also issued a recommendation on an EU-wide coordinated approach to strengthen the resilience of critical infrastructure in January 2023.

KEY TERMS

Resilience. The capacity to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents, which may be caused, among other things, by natural disasters, such as public health emergencies, or man-made threats such as terrorism, sabotage or hybrid threats*.
Hybrid threats. Hybrid threats arise when state or non-state actors seek to exploit the vulnerabilities of critical infrastructures by using, in a coordinated way, a mixture of measures (i.e. diplomatic, military, economic, technological) while remaining below the threshold of formal warfare, for example mass disinformation campaigns that hinder the democratic process in elections.

MAIN DOCUMENT

Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, pp. 164–198).

RELATED DOCUMENTS

Council Recommendation of 8 December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (OJ C 20, 20.1.2023, pp. 1–11).

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).

Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond (COM(2020) 795 final, 9.12.2020).

Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy (COM(2020) 605 final, 24.7.2020).

Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (recast) (OJ L 158, 14.6.2019, pp. 125–199).

Successive amendments to Directive (EU) 2019/944 have been incorporated into the original text. This consolidated version is of documentary value only.

Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity (recast) (OJ L 158, 14.6.2019, pp. 54–124).

See consolidated version.

Regulation (EU) 2019/941 of the European Parliament and of the Council of 5 June 2019 on risk-preparedness in the electricity sector and repealing Directive 2005/89/EC (OJ L 158, 14.6.2019, pp. 1–21).

Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018 on the promotion of the use of energy from renewable sources (recast) (OJ L 328, 21.12.2018, pp. 82–209).

See consolidated version.

Regulation (EU) 2017/1938 of the European Parliament and of the Council of 25 October 2017 concerning measures to safeguard the security of gas supply and repealing Regulation (EU) No 994/2010 (OJ L 280, 28.10.2017, pp. 1–56).

See consolidated version.

Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, pp. 6–21).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).

See consolidated version.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).

See consolidated version.

Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, pp. 12–33).

See consolidated version.

Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82/EC (OJ L 197, 24.7.2012, pp. 1–37).

Directive 2009/73/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC (OJ L 211, 14.8.2009, pp. 94–136).

See consolidated version.

Directive 2007/60/EC of the European Parliament and of the Council of 23 October 2007 on the assessment and management of flood risks (OJ L 288, 6.11.2007, pp. 27–34).

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).

See consolidated version.

last update 16.01.2023