Critical Entities’ Resilience Directive (CER)

From RI Wiki
This page is a translated version of the page Critical Entities' Resilience Directive (CER); the translation is 93% complete and up to date.

Directive (EU) 2022/2557

Title: Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC
Short title: Critical Entities' Resilience Directive / EU Resilience Directive
Designation (unofficial): CER-RL
Scope of application: EEA
Legal area: Internal market, cybersecurity
Legal basis: TFEU, in particular Art. 114
Full text: Consolidated version (unofficial); original version
Note on the version in force of legal acts of the European Union

Overview

| Scope | Key Contents | Synergies | Penalties/Consequences |
|---|---|---|---|
| critical entities (undertakings providing essential services) | Adoption of a strategy for the resilience of critical entities by MS (Art 4 CER-D) | Special rule for authorities' jurisdiction (DORA authority) regarding banking and financial market infrastructures (Art 9 para 1 CER-D) | Supervisory powers of authorities (on-site inspections, external supervisory measures, audits) (Art 21 CER-D) |
| critical infrastructure (required for providing an essential service) | Risk assessment of entities by MS (Art 5 CER-D) | The identity of critical entities identified under CER-D must also be communicated to the authority responsible for NIS2-D (Art 6 para 4 CER-D) | Information access rights (Art 21 CER-D) |
| Timeline: transposition deadline October 17, 2024 | Identification of critical entities by MS (Art 6 CER-D) | Special jurisdiction (NIS2 authority) regarding digital infrastructure (Art 9 para 1 CER-D) | Instruction to take specific measures to remedy infringements (Art 21 CER-D) |
| Exceptions: banking, financial market infrastructure, digital infrastructure | Risk assessment by the critical entity itself (Art 12 CER-D) | Cooperation/information exchange regarding cybersecurity risks, cyber threats and cybersecurity incidents with the NIS2 authority (Art 9 para 6 CER-D) | Fines of up to 50,000 Euros, in case of repetition up to 100,000 Euros, for failure to disclose a contact point/contact person or failure to submit the risk analysis or resilience plan (§ 22 para 1 RKEG-G) |
| | Implementation of resilience measures (Art 13 CER-D) | The Critical Entities Resilience Group shall meet at least once a year jointly with the Cooperation Group under the NIS2-D (Art 19 para 5 CER-D) | Fine of up to 7 million Euros for non-implementation of measures ordered by decision after a finding that the requirements for risk analysis or resilience measures are not met or not fully met, or for violations of reporting obligations (§ 22 para 2 RKEG-Draft) |
| | Reliability checks (Art 14 CER-D) | | |
| | Reporting obligations for security incidents (Art 15 CER-D) | | |

Introduction

Through the CER-D, the resilience[1], meaning the resistance, of critical entities against security incidents[2] is to be improved, covering not only "digital" but also "analogue" threats.[3] For instance, Recital 3 mentions a "dynamic threat landscape," i.e., "evolving hybrid and terrorist threats, as well as increasing interdependencies between infrastructures and sectors." Furthermore, there is "an increased physical risk related to natural disasters and climate change." In addition to the resilience of critical entities, their ability to provide services in the internal market that are essential for maintaining vital societal functions or economic activities should be improved (Art 1 para 1 lit a, b CER-D).

[2] Conversely, § 2 Z 3 of the draft for the RKEG speaks of an "event that significantly disrupts or could disrupt the provision of an essential service, including an impairment of constitutional fundamental principles."

Recital 20 states that threats to the security of network and information systems can have different causes, which is why the CER-D applies an "all-hazards" approach that covers the resilience of network and information systems as well as the physical components and physical environment of these systems.

Note:
A first draft for a national implementing law of the CER-D, significantly after the end of the transposition period, was submitted to parliament for review in December 2024 under the title "Critical Entities Resilience Act" (hereinafter RKEG-Draft).[4]

The review period ended on January 14, 2025. This legislative process is currently not yet concluded.

Scope

The "critical entity" central to the Directive is a public or private entity that a Member State (MS) has classified as belonging to one of the categories in the third column of the table in the Annex (Art 2 Z 1 CER-D). These are essentially undertakings that provide "essential services", i.e., services that are crucial for maintaining vital societal functions, important economic activities, public health and safety, or the preservation of the environment (Art 2 Z 5 CER-D).[5]

The term "critical infrastructure", on the other hand, is to be understood in relation to facilities.[5] This refers to "an asset, facility, equipment, network, or system, or a part of an asset, facility, equipment, network, or system, which is necessary for the provision of an essential service" (Art 2 Z 4 CER-D, cf. § 2 Z 5 RKEG-Draft).

The draft for the RKEG (Critical Entities Resilience Act) refers simply to critical entities according to the sectors listed in the annex of the CER-D (Critical Entities' Resilience Directive) for defining its scope (§ 2 para 1 RKEG-Draft).

Temporal Scope

The regulations necessary for the implementation of the CER-D must be enacted and published by October 17, 2024. These regulations are then to be applied from October 18, 2024 (Art 26 CER-D).

Exceptions

Article 11 CER-D and Chapters III (Art 12-16 CER-D), IV (Art 17-18 CER-D), and VI (Art 21-22 CER-D) do not apply to certain critical entities in the **banking**, **financial market infrastructures**, and **digital infrastructure** sectors, although Member States may enact or maintain national regulations (Art 8 CER-D).

Note:
The RKEG (Critical Entities Resilience Act) does **not** apply to the judiciary or legislative branches, nor to the Austrian National Bank (§ 1 para 3 RKEG-Draft).

To avoid overlaps, the provisions of the CER-D do not apply if critical entities are required to take measures to improve their resilience under the provisions of sector-specific Union legal acts, and these requirements are **recognized by the Member States as at least equivalent** to the corresponding obligations under this Directive (Art 1 para 3 CER-D).

In implementation of this provision, the Federal Minister of the Interior must provide information on the Ministry's homepage regarding equivalent provisions and the extent of their equivalence (§ 18 para 1 RKEG-Draft).

Key Contents

National Framework for the Resilience of Critical Entities

Strategies for the Resilience of Critical Entities (Art 4 CER-D)

Each Member State (after consultation) must adopt a strategy for improving the resilience of critical entities by January 17, 2026, at the latest.

This strategy defines the strategic objectives and policy measures to achieve and maintain a high level of resilience for critical entities.

The minimum elements of this strategy are:

  • strategic objectives and priorities for improving the overall resilience of critical entities, taking into account cross-border and cross-sector dependencies and interdependencies
  • a governance framework for achieving the strategic objectives and priorities, including a description of the roles and responsibilities of the respective authorities, critical entities, and other actors involved in implementing the strategy
  • a description of the measures necessary to improve the overall resilience of critical entities, including a description of the risk assessment (Article 5 CER-D)
  • a description of the procedure for identifying critical entities
  • a description of the process for supporting critical entities, including measures to improve cooperation between the public sector on the one hand, and the private sector and public and private entities on the other
  • a list of the main authorities and relevant stakeholders involved in implementing the strategy
  • a policy framework for coordination between the competent authorities and the authorities competent under the NIS2-D for the purposes of exchanging information on cybersecurity risks, cyber threats, and cybersecurity incidents, as well as on non-cyber-related risks, threats, and security incidents, and for carrying out supervisory tasks
  • a description of existing measures to facilitate the implementation of obligations under Chapter III CER-D (Art 12 et seq. CER-D) by small and medium-sized enterprises classified as critical entities by the relevant Member States.

The Member States must **update** this strategy (after consultation) at least every four years. The strategies and updates must be **communicated** to the Commission within three months of their adoption.

According to § 9 of the RKEG-Draft, this strategy is prepared by the Federal Minister of the Interior for the Federal Government and, once adopted, must be submitted to the National Council within three months.

Risk Assessment by MS (Art 5 CER-D)

The Commission is empowered to adopt delegated acts to supplement the CER-D with a non-exhaustive list of essential services within the sectors and sub-sectors listed in the Annex. This list is to be used by the competent authorities for the purposes of a risk assessment, which must be carried out by January 17, 2026, and thereafter as needed, but at least every four years (Art 5 para 1 CER-D).

This list was established by Delegated Regulation (EU) 2023/2450[6].

The competent authorities use these risk assessments to identify critical entities and support them in taking measures.

In risk assessments by Member States, the corresponding natural and human-induced risks must be taken into account.[7]

The Member States must consider at least the following aspects when carrying out the risk assessment (Art 5 para 2 CER-D):

  • general risk assessment (pursuant to Article 6(1) of Decision No 1313/2013/EU)
  • other relevant risk assessments carried out in accordance with the requirements of relevant sector-specific Union legal acts
  • the relevant risks arising from the degree of interdependence between the sectors listed in the Annex, as well as the impact that a significant disruption occurring in one sector may have on other sectors, including any essential risks to citizens and the internal market
  • any reported information on security incidents (pursuant to Art 15 CER-D)

Member States must make available the relevant elements of the risk assessments to critical entities, where appropriate via their single points of contact. Member States must also ensure that the information provided to critical entities assists them in carrying out their risk assessments (Article 12 CER-D) and in taking measures to ensure their resilience (Article 13 CER-D) (Art 5 para 3 CER-D).

Within three months of conducting such a risk assessment, a Member State must **transmit** relevant information to the Commission regarding the identified types of risks and the results of these risk assessments, broken down by the sectors and sub-sectors listed in the Annex (Art 5 para 4 CER-D).

Article 5 CER-D is primarily implemented by § 10 RKEG-Draft concerning the "risk analysis"[8] by the Federal Minister of the Interior.

Identification of Critical Entities (Art 6 CER-D)

Each Member State must **identify** critical entities by July 17, 2025 (Art 6 para 1 CER-D).

When identifying them, the Member State must consider the results of its risk assessment and its strategy. Art 6 para 2 CER-D lists three criteria for identification:

  • the entity provides one or more essential services
  • the entity operates within the territory of the Member State and its critical infrastructure is located there
  • a security incident would cause significant disruption to the provision of one or more essential services by the entity or by dependent entities

Each Member State must create a list of critical entities and **inform** these critical entities of this classification and their obligations within one month of identification (Art 6 para 3 CER-D). The identity of these entities must also be communicated to the authority responsible for NIS2-D (Art 6 para 4 CER-D).

The list must be reviewed and, if necessary, updated at least every four years (Art 6 para 5 CER-D).

In implementation, § 11 para 1 RKEG-Draft stipulates that the Federal Minister of the Interior must classify entities as critical by decision within the categories of entities listed in the annex of the CER-D for the listed sectors and sub-sectors, if

  • they operate domestically
  • their critical infrastructure is located domestically
  • they provide at least one essential service, and
  • a security incident could occur.

Note:
Regarding the "public administration" sector mentioned in Annex Z 9 CER-D (cf. Art 2 Z 10 CER-D), § 12 RKEG-Draft includes a special provision for the identification of critical entities in the public administration sector, which exclusively targets the federal administration.

Significant Disruption (Art 7 CER-D)

In determining the extent of a disruption, Member States must consider the following criteria:

  • the **number of users** relying on the essential service provided by the entity concerned
  • the **extent of dependence** of other sectors and sub-sectors specified in the Annex on the essential service concerned
  • the **potential impact** of security incidents — in terms of scale and duration — on economic and societal activities, the environment, public order and safety, or public health
  • the **market share** of the entity in the market for essential services or for the essential services concerned
  • the **geographical area** that could be affected by a security incident, including any cross-border effects, taking into account the vulnerabilities associated with the degree of isolation of certain types of geographical areas[9]
  • the **importance of the entity** for maintaining the essential service to a sufficient extent, taking into account the availability of alternative means for providing the essential service concerned

Each Member State must **immediately transmit** the following information to the Commission after identifying the critical entities (Art 6 para 1 CER-D):

  • the list of essential services in that Member State, if there are additional essential services there compared to the list of essential services referred to in Article 5(1)
  • the number of critical entities identified for each sector and sub-sector specified in the Annex and for each essential service
  • any thresholds applied to specify one or more of the above criteria

Finally, Member States must transmit the above information as needed, but at least every four years.

In the implementing act, the Federal Minister of the Interior is obliged to establish by regulation more detailed rules for assessing when a security incident would cause a significant disruption in the provision of essential services (§ 11 para 2 RKEG-Draft).

Resilience of Critical Entities

Risk Assessments by Critical Entities (Art 12 CER-D)

MS have to ensure that critical entities

  • within nine months of receiving a notification under Art 6 para 3 CER-D, and
  • subsequently as needed, but at least every four years,

conduct a risk assessment based on the risk assessments by MS and other relevant sources of information, in order to evaluate all relevant risks that could disrupt the provision of their essential services.

The assessment must take into account all relevant natural and human-induced risks that could lead to a security incident[10].

It must take into account the extent of **dependence** of other sectors specified in the Annex on the essential service provided by the critical entity, and the extent of the critical entity's dependence on the essential services provided by other entities in other sectors.

This article is transposed into national law by § 14 RKEG-Draft, whereby the risk analysis must be submitted to the Federal Minister of the Interior.

Resilience Measures of Critical Entities (Art 13 CER-D)

Critical entities must take appropriate and proportionate technical, security-related, and organizational measures to ensure their resilience, based on both risk assessments (Art 13 para 1 CER-D).

These include measures necessary to

  • prevent the occurrence of **security incidents**
  • ensure adequate physical protection of their premises and critical infrastructures (e.g., fences, barriers, environmental monitoring, detection devices, access control)
  • respond to, repel, and limit the consequences of **security incidents** (e.g., implementation of risk and crisis management procedures and protocols)
  • ensure restoration after security incidents (e.g., measures to maintain operations; identification of alternative supply chains)
  • ensure appropriate security management regarding employees (e.g., defining categories of personnel performing critical functions; access rights; reliability checks)
  • raise awareness among relevant personnel for these measures, with due consideration for training, informational material, and exercises

The Commission will issue guidelines that further specify these measures (Art 13 para 5 CER-D). The Commission will also adopt implementing acts to establish the technical and methodological specifications for the application of the measures (Art 13 para 6 CER-D).

Critical entities must have and apply a resilience plan or an equivalent document describing these measures (Art 13 para 2 CER-D).

As a point of contact for the authorities, critical entities must also designate a liaison officer or a person with comparable responsibilities (Art 13 para 3 CER-D).

Upon request from the Member State and with the consent of the critical entity, the Commission may also organize advisory missions (Art 18 CER-D) to advise the critical entity on fulfilling its obligations (Art 13 para 4 CER-D).

This article is implemented by § 15 RKEG-Draft. Resilience measures must be taken for the first time within ten months of official classification and outlined in a resilience plan.

Reliability Checks (Art 14 CER-D)

Critical entities may, in sufficiently justified cases and taking into account the risk assessment by Member States, submit applications for reliability checks (Art 14 para 1 CER-D) of individuals who

  • hold **sensitive functions** for/on behalf of the critical entity
  • are authorized to have direct **access/remote access** to premises, information, or control systems
  • are being considered for **positions** that fall under the two criteria mentioned above

These applications must be reviewed and processed within a reasonable timeframe. Reliability checks must be proportionate and limited to what is necessary, meaning they are carried out solely to assess a potential security risk (Art 14 para 2 CER-D).

Reliability checks must at minimum verify the identity of the person undergoing a check and include a criminal record check of the person for offenses relevant to a specific position (Art 14 para 3 CER-D).

This provision is implemented by § 16 RKEG-Draft, which specifically details the necessary data processing (§ 16 para 2, 3 RKEG-Draft). It also specifies further aspects to be considered during the check, such as whether there is a final conviction for an intentional criminal offense, whether criminal proceedings are pending, whether the person is subject to a weapons ban, or whether the person has a close relationship with an extremist or terrorist group (§ 16 para 5 RKEG-Draft).

Reporting of Security Incidents (Art 15 CER-D)

Critical entities must **report** security incidents that significantly disrupt or could significantly disrupt the provision of essential services to the competent authority without undue delay (Art 15 para 1 CER-D).

A first notification is generally to be submitted no later than 24 hours after the entity becomes aware of a security incident. A detailed report is to follow (if applicable) no later than one month thereafter.

The significance of a disruption is determined, among other things, by the following parameters:

  • the number and proportion of **users** affected by the disruption
  • the **duration** of the disruption
  • the affected geographical **area**

If a security incident has or could have a significant impact on the continuity of essential service provision for or in six or more Member States, the competent authorities must report this security incident to the Commission.

Notifications must contain all available information necessary for the competent authority to understand and determine the nature, cause, and potential consequences of the security incident (Art 15 para 2 CER-D).

Based on this information, the relevant competent authority, via the single point of contact, informs the **single points of contact** of other affected Member States if the security incident has or could have a significant impact on critical entities and the maintenance of essential service provision to one or more other Member States or within one or more other Member States (Art 15 para 3 CER-D).

As soon as possible after a notification, the relevant competent authority provides the critical entity concerned with relevant follow-up information, including information that could support the effective response of that critical entity to the security incident in question (Art 15 para 4 CER-D).

These reporting obligations are transposed into national law by § 17 RKEG-Draft.

The Member States **inform the public** if they deem it to be in the public interest (Art 15 para 4 CER-D).

§ 8 para 1 RKEG-Draft specifies this publication of security incidents: after hearing the critical entity affected by a security incident, the public may be informed about security incidents, provided that public awareness is necessary for the prevention or management of security incidents or the disclosure of the security incident is otherwise in the public interest.

Critical Entities of Particular European Significance

Identification of Critical Entities of Particular European Significance (Art 17 CER-D)

An entity is considered a critical entity of particular European significance if the following criteria are met (Art 17 para 1 CER-D):

  • it has been classified as a critical entity under Art 6 para 1 CER-D
  • it provides the same/similar essential services for/in six or more Member States
  • it has been notified (see below concerning Art 17 para 3 CER-D).

After notification of classification as a critical entity (Art 6 para 3 CER-D), the entity must inform the authority if it provides essential services for/in six or more Member States (which essential services in/for which Member State[s]). The identity of such entities must also be communicated to the Commission. The Commission consults the competent authority that identified the critical entity, the competent authority of other affected Member States, and the critical entity concerned regarding the assessment of whether the services are essential services (Art 17 para 2 CER-D).

If, based on the consultation, it is determined that the critical entity provides essential services for/in six or more Member States, the critical entity will be **notified** that it is considered a critical entity of particular European significance. The entity will also be informed of its obligations (Art 17 para 3 CER-D).

This provision is transposed into national law by § 19 RKEG-Draft.

Advisory Missions (Art 18 CER-D)

Upon the **request of a Member State** that has identified a critical entity as a critical entity of particular European significance, the Commission organizes an advisory mission. This mission serves to assess the measures taken to comply with the obligations under Art 12-16 CER-D (Art 18 para 1 CER-D).

With the consent of the Member State that has identified a critical entity as a critical entity of particular European significance, such an advisory mission can also be organized on the Commission's own initiative or at the request of one or more Member States for whom the essential service is provided (Art 18 para 2 CER-D).

The Member State that has identified a critical entity of particular European significance as a critical entity will provide the Commission, upon its request or the request of one or more Member States, with the following information (Art 18 para 3 CER-D):

  • the relevant parts of the risk assessment by critical entities
  • a list of the resilience measures taken under Art 13 CER-D
  • supervisory or enforcement measures taken by the competent authority under Art 21, 22 CER-D (including assessment of compliance with regulations, orders issued)

The advisory mission will report on its findings within three months of completion to the Commission, the Member State that identified a critical entity of particular European significance as a critical entity, and the Member States for/in which the essential service is provided (Art 18 para 4 CER-D).

This report is analyzed by the Member States for whom the essential service is provided. The Member States consult (if necessary) the Commission regarding whether the critical entity of particular European significance concerned is fulfilling its obligations and what measures could be taken to improve resilience.

The Commission, based on this advice, communicates its opinion to the Member State that identified a critical entity of particular European significance as a critical entity, to the Member States for/in which the essential service is provided, and to the critical entity concerned, regarding whether the critical entity is fulfilling its obligations and what measures could be taken to improve resilience.

The Member State that has identified a critical entity of particular European significance as a critical entity ensures that the opinion is **duly taken into account** by the competent authority and the critical entity, and **informs** the Commission and other Member States for/in which the essential service is provided about the measures taken.

An advisory mission is composed of

  • experts from the Member State where the critical entity of particular European significance is located
  • experts from the Member States for/in which the essential service is provided
  • representatives of the Commission

These Member States may propose candidates to take part in an advisory mission. The Commission, in consultation with the Member State that has identified a critical entity of particular European significance as a critical entity, selects and appoints the members of each advisory mission according to their professional qualifications and, as far as possible, ensuring a geographically balanced representation from all of these Member States (Art 18 para 5 CER-D).

The advisory mission will be further specified in the future by an **implementing act** of the Commission (Art 18 para 6 CER-D).

In doing so, Member States must ensure that critical entities of particular European significance **provide advisory missions with access to**

  • information
  • systems, and
  • facilities

related to the provision of their essential services, which are necessary for carrying out the respective advisory mission (Art 18 para 7 CER-D).

When organizing advisory missions, reports on any inspections carried out under

  • Regulation (EC) 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security
  • Regulation (EC) 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002
  • as well as on oversight pursuant to Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security

which the Commission has carried out, must be **taken into account** (Art 18 para 9 CER-D).

The Commission **informs** the Critical Entities Resilience Group about the organization of an advisory mission (Art 18 para 10 CER-D).

This provision is transposed into national law by § 19 paras 3, 4 RKEG-Draft.

Authority Structure

Competent Authorities (Art 9 CER-D)

Member States must designate or establish one or more national competent authorities. As a special rule, the authority designated under DORA is (in principle) responsible for banking and financial market infrastructures, and the authority competent under NIS2 is responsible for Digital Infrastructure (Art 9 para 1 CER-D). The authorities must consult and cooperate with other national authorities (e.g., disaster protection, law enforcement, data protection authority), critical entities, and interested parties (Art 9 para 5 CER-D). Cooperation and information exchange with the NIS2 authority are foreseen regarding cybersecurity risks, cyber threats, and cybersecurity incidents, etc. (Art 9 para 6 CER-D).

Note:
According to the RKEG-Draft, the competent authority and single point of contact is the Federal Minister of the Interior, with the possibility of delegating individual tasks to the State Police Directorate (§ 4 para 1, 3, 4 RKEG-Draft).


Single Point of Contact (Art 9 CER-D)

In addition, Member States must designate or establish a single point of contact to act as a liaison to ensure cross-border cooperation (Art 9 para 2 CER-D). These single points of contact must submit a summary report on the received notifications to the Commission and the Critical Entities Resilience Group every two years (Art 9 para 3 CER-D).

Note:
According to § 4 para 4 RKEG-Draft, the Federal Minister of the Interior is the single point of contact.

Support (Art 10 CER-RL)

Beyond cooperation between authorities and critical entities, and voluntary information exchange among critical entities, Member States must also **support** critical entities in improving their resilience (e.g., guidelines, methods, exercises, advice, training, etc.) (Art 10 CER-D).

This provision is implemented by § 13 RKEG-Draft.

Group for the Resilience of Critical Entities (Art 19 CER-RL)

To support the Commission and facilitate cooperation between Member States and the exchange of information, a Group for the Resilience of Critical Entities is established (Art 19(1) CER-RL).

The Group is composed of representatives of the Member States and the Commission, whose representative chairs it. If relevant for the fulfillment of its tasks, the Group may invite appropriate stakeholders to participate. Upon request of the European Parliament, experts from the Parliament may be invited to participate in the meetings (Art 19(2) CER-RL).

The Group has a number of tasks (Art 19(3) CER-RL):

  • Supporting the Commission in assisting Member States in building their capacities regarding the resilience of critical entities
  • Analyzing strategies to identify best practices
  • Facilitating the exchange of best practices (identification of critical entities, cross-border/cross-sector dependencies, risks, security incidents)
  • Contributing to Union-level documents on resilience
  • Participating in the elaboration of guidelines on significant disruptions (Art 7(3) CER-RL) and resilience measures (Art 13(5) CER-RL) and delegated acts/implementing acts
  • Analyzing summary reports from single points of contact (Art 9(3) CER-RL)
  • Exchanging best practices concerning the reporting of security incidents (Art 15 CER-RL)
  • Discussing the summary reports of the advisory mission (Art 18(10) CER-RL)
  • Exchanging information and best practices (innovation, research, and development related to the resilience of critical entities)
  • Exchanging information on issues concerning the resilience of critical entities with the relevant Union institutions, bodies, offices, and agencies

The Group shall draw up a work program every two years, outlining the measures for achieving its objectives and tasks (Art 19(4) CER-RL).

The Group shall meet regularly. At least once a year, a meeting shall take place jointly with the Cooperation Group established under the NIS 2-RL (Art 19(5) CER-RL).

The Commission shall submit a summary report to the Group, as necessary and at least every four years, on the information transmitted by the Member States (Art 4(3), Art 5(4) CER-RL) (Art 19(7) CER-RL).

Importance of Norms and Standards (Art 16 CER-RL)

Member States shall, in order to promote the coordinated implementation of this Directive, encourage the use of European and international norms and technical specifications relevant for measures concerning the security and resilience of critical entities, where appropriate and without prescribing or favoring a particular type of technology (Art 16 CER-RL).

Synergies

NIS 2

  • The identity of critical entities identified under the CER must also be communicated to the authority responsible for NIS 2 (Art 6(4) CER).
  • In regard to Digital Infrastructure, the authorities responsible under NIS 2 are the competent authorities (Art 9(1) CER).
  • Concerning cybersecurity risks, cyber threats, and cybersecurity incidents, etc., cooperation and information exchange between the authority responsible under the CER and the NIS 2 authority is foreseen (Art 9(6) CER).
  • The Group for the Resilience of Critical Entities must meet at least once a year jointly with the Cooperation Group established under the NIS 2 (Art 19(5) CER).

DORA

  • As a special regulation, regarding banking and financial market infrastructures, the authority designated under DORA is (in principle) also the competent authority under CER (Art 9(1) CER).

Ships, Port Facilities, Civil Aviation

  • When organizing advisory missions, reports on any inspections and monitoring carried out under other legal acts (Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security; Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002; Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security) must be taken into account (Art 18(9) CER Directive).

Sanctions/Other Consequences (Art 21, 22 CER Directive)

General Provisions (Art 21 CER Directive)

Competent authorities must have the powers and means to assess whether critical entities comply with the obligations under the CER Directive and, to that end, to carry out or order the following supervisory measures (Art 21(1) CER Directive):

  • on-site inspections
  • external supervisory measures
  • audits

Competent authorities may require the submission of information to assess whether the measures to ensure resilience meet the requirements, as well as evidence of the effective implementation of these measures (including the results of an external audit) (Art 21(2) CER Directive).

Following supervisory measures or the review of information, the competent authorities may order measures to be taken to remedy infringements (Art 21(3) CER).

In implementation of these provisions, the Federal Minister of the Interior is empowered to require critical entities to provide evidence of compliance with the requirements under §§ 14, 15 RKEG-Draft and to have audits[11] carried out, with the information required for this purpose to be transmitted (§ 20 para RKEG-Draft).

On-site inspections in particular are specified in more detail in § 20 para 3 RKEG-Draft.

Sanctions (Art 22 CER-RL)

The CER Directive leaves the creation of provisions for sanctions in the event of violations and all measures necessary for the application of sanctions primarily to the MS. The sanctions must be effective, proportionate and dissuasive (Art. 22 CER Directive).

The administrative penalties are therefore implemented by Section 22 of the draft RKEG and are the responsibility of the district administrative authorities.

An infringement subject to a fine of up to EUR 50,000, or up to EUR 100,000 in the event of a repeat offense, exists, for example, for the failure to disclose a contact point/contact person or the failure to submit the risk analysis or the resilience plan (Section 22 (1) RKEG-G).

Under certain circumstances, fines can also be imposed against legal entities or registered partnerships (Section 22 (3), (4) RKEG draft).

If obligations are not complied with by bodies of the public administration, the non-compliance must be determined by administrative order and an appropriate deadline set for restoring the lawful condition. If the lawful condition is not restored within that deadline, the non-compliance with the obligations must be made public in a general manner (§ 23 RKEG draft).

Further Reading & Links

Overview Article

  • Eisenmenger, Ein neuer Rechtsrahmen für Kritische Infrastrukturen (KRITIS) - unter Berücksichtigung der EU-Resilienz-Richtlinie, NVwZ 2023, 1203
  • Škorjanc, Der neue acquis communautaire des europäischen IT-Sicherheitsrechts, ecolex 2023, 881

Edited Volumes

  • Dittrich/Dochow/Ippach (Hrsg), Rechtshandbuch Cybersicherheit im Gesundheitswesen (2024)
  • Hornung/Schallbruch (Hrsg), IT-Sicherheitsrecht. Praxishandbuch, 2nd ed. (2024)
  • Kipker (Hrsg), Cybersecurity. Rechtshandbuch, 2nd ed. (2023)

Links

References

  1. According to Art 2 Z 2 CER-D, "resilience" refers to the ability of a critical entity to prevent, protect against, respond to, repel, limit the consequences of, absorb, manage, and recover from a security incident (cf. § 3 Z 2 RKEG-Draft).
  2. "Security incident" according to Art 2 Z 3 CER-D refers to an event that significantly disrupts or could disrupt the provision of an essential service, including an impairment of national systems for maintaining the rule of law.
  3. Škorjanc, Der neue acquis communautaire des europäischen IT-Sicherheitsrechts, ecolex 2023, 881.
  4. Parliament Austria, Resilienz kritischer Einrichtungen-Gesetz – RKEG (1/ME), https://www.parlament.gv.at/gegenstand/XXVIII/ME/1?selectedStage=100 (accessed January 22, 2025).
  5. With further references: Eisenmenger, Ein neuer Rechtsrahmen für Kritische Infrastrukturen (KRITIS) - unter Berücksichtigung der EU-Resilienz-Richtlinie, NVwZ 2023, 1203 (1204).
  6. Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services, OJ L 2023/2450, 1.
  7. Including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, as well as hybrid threats or other hostile threats, including terrorist offenses.
  8. "'Risk analysis' [is] the entire process of determining the nature and extent of a risk, in which potential threats, vulnerabilities or hazards to critical entities that could lead to a security incident are identified and analyzed, and the potential losses or disruptions in the provision of an essential service caused by the security incident, including their probability of occurrence, are assessed; in the course of this risk analysis, all risks originating from natural causes or caused by humans that could lead to a security incident are taken into account" (§ 3 Z 8 RKEG-Draft).
  9. For example, island regions, remote regions, or mountainous areas.
  10. Including cross-border or cross-sector risks, accidents, natural disasters, public health emergencies, and hybrid threats and other hostile threats, including terrorist offenses.
  11. The audits are carried out by qualified bodies, i.e. natural or legal persons or registered partnerships that, on the basis of a reasoned written application, have been authorized by administrative decision to carry out audits (§ 21 RKEG-Draft).