Directive on critical entities and North Sea infrastructure

European resilience framework for critical entities

At the same time as the NIS2 directive and the DORA, the new 'critical entity resilience' directive was also published at the end of December 2022 (abbreviated as CER 'Critical Entities Resilience' in English) (Directive (EU) 2022/2557 ). And that means that the implementation deadline for this directive too has now passed. This directive is part of the development of European laws and regulations on the security of the critical infrastructure of European member states.

In practice, the CER Directive and the NIS2 will often align, or even overlap. Here, the idea is that the CER Directive should enhance physical and non-cyber-related resilience, and the NIS2 Directive should enhance digital cyber-related resilience of the European Union's critical infrastructure.

In short; physical resilience in the CER and cyber resilience in the NIS2. But as the European legislator also noted; physical and cybersecurity have increasingly common ground.

Obligations and sanctions for critical entities

The new CER directive prescribes obligations with which critical entities must comply, and on which member states must also organise supervision and enforcement including sanctions.

Prevent, detect & response 

For example, critical entities must take measures to prevent incidents, mitigate the consequences of incidents or that help to recover adequately if an incident did occur.

Reporting obligation

In addition, the CER directive requires incidents to be reported within 24 hours, followed by a detailed report no later than one month later.

From European to national developments

For now, this overview will suffice. Also because the CER Directive has numerous exceptions that affect the aforementioned European cyber laws. For now, with this contribution, we would like to point out the landscape of developments.

This often involves 'European look' at laws and regulations. But increasingly, there are also regulations at the national level that deal with the protection of critical infrastructure. And in that context, we now briefly consider the protection of North Sea infrastructure.

North Sea infrastructure

Especially after the Nordstream 2 gas pipeline incident, more attention was paid to the protection of vital infrastructure in the North Sea. But earlier attention had also been drawn to this issue, for instance by the HCSS and by a motion in the House of Representatives. 

On 8 February 2023, the cabinet sent a letter to the House of Representatives on this subject. In that letter, the cabinet discusses the 'joint strategy for the protection of North Sea infrastructure'.

The cabinet letter considers the various domains covered by the 'joint strategy'. For example, the national (Dutch) framework considers the various public and private parties involved in protecting the North Sea infrastructure:

• National Coordinator for Security and Counterterrorism in cooperation with the Ministries of Economic Affairs and Infrastructure and Water Management, Defence, AIVD, Police the security regions and the vital providers.

European context

Remarkably, the 'joint strategy' - in the context of protecting North Sea infrastructure - points to the importance of the NIS2 and CER Directives. And that makes it even more important for many parties to be well aware of those regulations.

Want to know more?

Would you therefore like to know more about the CER and NIS2 Directives? We would be happy to discuss the (possible) legal implications for your business with you.