New European directive designed to improve security

The Member States of the European Union (EU), the European Commission and the European Parliament have reached an agreement on a European directive on Critical Entities Resilience (CER). This directive will protect providers of critical processes by increasing their resistance and resilience, thereby guaranteeing the continuity of these processes more effectively. The directive focuses on the physical security and protection of critical processes such as the supply of drinking water and energy.

Unlike the old directive, the new directive covers more than just energy and transport. New sectors include food supply, health, financial market infrastructures, drinking water, digital infrastructure, waste water, public administration, banking and space. The directive also extends the rights and obligations of critical providers. This includes the obligation to report certain incidents, similar to the existing duty to report cyber incidents. As things stand, critical providers can obtain support from the government in the case of digital incidents, through the National Cyber Security Centre (NCSC), for example. As a result of the new CER directive, a specific form of support will be also be set up for the physical side. As much use as possible will be made here of existing structures, and account will be taken of what is already working well.

Together with the Network and Information Security 2 Directive (NIS2), the CER directive provides a framework for digital and physical resilience of providers of critical services. These directives strengthen the foundation of physical and digital security, thereby ensuring a resilient economy and society both in the Netherlands and in the rest of the European Union.

Following voting in the European Parliament, the directive is due to be published in the autumn of this year and can then be transposed into national legislation by mid-2024.