EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Directive 2022/2557 on the resilience of critical entities
The directive aims to:
EU Member States must, following a risk assessment, identify critical entities that provide services that are essential for the maintenance of functions vital to society, economic activities, public health and safety or the environment, and identify cases in which an incident would have significant disruptive effects on these essential services, including when it would affect the national systems that safeguard the rule of law. This covers entities in the following sectors:
It should be noted that certain parts of the directive do not apply to entities in the banking, financial market infrastructure and digital infrastructure sectors.
Each Member State must:
Critical entities must:
If critical entities provide essential services in six or more Member States, they could benefit from extra advice in the form of advisory missions that evaluate the risk assessment and the resilience-enhancing measures the entity has put in place.
A Critical Entities Resilience Group facilitates cooperation among Member States, including sharing information and good practices.
The European Commission provides support, including on cross-sectoral risks, best practices, methodologies, cross-border training and exercises to test the resilience of critical entities.
The directive has to be transposed into national law by 17 October 2024. These rules should apply from 18 October 2024.
The Commission’s EU security union strategy and the counter-terrorism agenda for the EU stress the importance of ensuring the resilience of critical entities in the face of physical and digital risks.
This directive is part of a package of legislative measures to improve the resilience and incident-response capacities of public and private entities in the EU in the field of cybersecurity and critical infrastructure protection.
The Council also issued a recommendation on an EU-wide coordinated approach to strengthen the resilience of critical infrastructure in January 2023.
For further information, see:
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, pp. 164–198).
Council Recommendation of 8 December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (OJ C 20, 20.1.2023, p. 1–11).
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).
Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond (COM(2020) 795 final, 9.12.2020).
Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy (COM(2020) 605 final, 24.7.2020).
Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (recast) (OJ L 158, 14.6.2019, pp. 125–199).
Successive amendments to Directive (EU) 2019/944 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity (recast) (OJ L 158, 14.6.2019, pp. 54–124).
See consolidated version.
Regulation (EU) 2019/941 of the European Parliament and of the Council of 5 June 2019 on risk-preparedness in the electricity sector and repealing Directive 2005/89/EC (OJ L 158, 14.6.2019, pp. 1–21).
Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018 on the promotion of the use of energy from renewable sources (recast) (OJ L 328, 21.12.2018, pp. 82–209).
See consolidated version.
Regulation (EU) 2017/1938 of the European Parliament and of the Council of 25 October 2017 concerning measures to safeguard the security of gas supply and repealing Regulation (EU) No 994/2010 (OJ L 280, 28.10.2017, pp. 1–56).
See consolidated version.
Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, pp. 6–21).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
See consolidated version.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).
See consolidated version.
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, pp. 12–33).
See consolidated version.
Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82/EC (OJ L 197, 24.7.2012, pp. 1–37).
Directive 2009/73/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC (OJ L 211, 14.8.2009, pp. 94–136).
See consolidated version.
Directive 2007/60/EC of the European Parliament and of the Council of 23 October 2007 on the assessment and management of flood risks (OJ L 288, 6.11.2007, pp. 27–34).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).
See consolidated version.
last update 16.01.2023