Questions & Answers
What is CER?
The Directive on the Resilience of Critical Entities (CER), (EU) 2022/2557, is a European Union law designed to strengthen the physical resilience of entities providing essential services against non-cyber threats like natural disasters, terrorist attacks, and public health crises. It replaces the 2008 European Critical Infrastructure (ECI) Directive, expanding its scope and requirements. Within enterprise risk management, CER addresses operational and compliance risks. It complements the Network and Information Security Directive (NIS2), which focuses on cybersecurity, to create a comprehensive EU resilience framework. Unlike ISO 22301 for business continuity, which focuses on the organization itself, CER prioritizes the protection of services vital to society.
How is CER applied in enterprise risk management?
Applying CER involves a systematic approach. First, entities must conduct a 'risk assessment' per Article 13 to identify all relevant non-cyber risks that could disrupt essential services. Second, based on the assessment, they must implement 'resilience measures' under Article 14, including physical security, backup systems, supply chain risk management, and employee background checks. Finally, an 'incident notification' mechanism must be established to provide an initial report to competent authorities within 24 hours of an incident. Implementing CER helps avoid significant fines and systematically reduces operational disruption risks. Industry studies show that organizations with such resilience programs can decrease major physical security incidents by 15-20% and improve supply chain stability.
What challenges do Taiwanese enterprises face when implementing CER?
Taiwanese enterprises face three main challenges with CER. First, 'indirect compliance pressure': as suppliers to EU critical entities, they face supply chain audit requirements without being directly regulated, leading to uncertainty. Second, 'siloed responsibilities': physical security, business continuity, and supplier management are often handled by separate departments, lacking an integrated resilience strategy. Third, 'risk assessment gaps': firms are familiar with IT risk assessments like ISO 27001 but may lack the methodology for the 'all-hazards' physical risk assessment CER requires, which includes climate change and geopolitical factors. To overcome this, enterprises should form a cross-functional resilience team, conduct a gap analysis, and adopt integrated risk management frameworks, referencing controls from standards like NIST SP 800-53.
Why choose Winners Consulting for CER?
Winners Consulting specializes in CER for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact