European Law Monitor

Make your voice heard!

newsEU resilience: Council adopts a directive to strengthen the resilience of critical entities


The Council today adopted a directive and a recommendation which aim to reduce the vulnerabilities and strengthen the resilience of critical entities.

Critical entities are entities providing essential services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, and the environment. They need to be able to prevent, protect against, respond to, cope with and recover from hybrid attacks, natural disasters, terrorist threats and public health emergencies.

In recent months we have been subject to hybrid attacks and to the consequences of climate change, and the challenges we face are only likely to grow. Preparedness and resilience is a joint effort. We need to make sure that our societies and industry are ready to face any disruptions to our security and our economies, and that when disaster strikes we can respond swiftly. The directive adopted today is an important step towards achieving this.

                 Vít Rakušan, Czech Minister for the Interior

The directive adopted covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Certain central public administrations will also be covered by some of the provisions of the directive.

Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.

The directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or the Commission may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations arising from the directive.

To respond to the recent acts of sabotage against the Nord Stream pipeline and the new risks brought by Russia’s aggression against Ukraine, the recommendation adopted focuses on strengthening the resilience of critical infrastructure. This recommendation aims to accelerate the preparatory work for the implementation of the objectives set out in the critical entities and NIS 2 directives and step up the EU’s capacity to protect its critical infrastructure. It includes series of targeted actions covering key sectors such as energy, digital infrastructure, transport and space.

The recommendation covers three priority areas: preparedness, response and international cooperation. It invites member states to update their risk assessments to reflect current threats and encourages them to conduct stress tests of entities operating critical infrastructure, with the energy sector as a priority. It also calls on member states to develop, in cooperation with the Commission, a blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. The EU will support partner countries in enhancing their resilience and strengthen cooperation with NATO in this area.


The European Commission presented a proposal for a directive on the resilience of critical entities in December 2020. Once it enters into application, the proposed directive will replace the current directive on the identification and designation of European critical infrastructure, adopted in 2008.

A 2019 evaluation of that directive highlighted the need to update and further strengthen the existing rules in light of new challenges facing the EU, such as the rise of the digital economy, the growing impacts of climate change, and terrorist threats.

Together with the proposed directive on critical entities, the Commission also presented a proposal for a directive on measures for a high common level of cybersecurity across the EU (NIS 2), which aims to respond to the same concerns for the cyber dimension. In September 2020, the Commission presented a proposal for a Digital Operational Resilience Act (DORA), which will strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The Council adopted these two texts on 28 November 2022.

Member states will need to ensure a coordinated implementation of all three legislative texts and the recommendation.

Copyright European Union