This document is an excerpt from the EUR-Lex website
Directive 2022/2557 on the resilience of critical entities
The directive aims to:
EU Member States must, following a risk assessment, identify critical entities providing services that are essential for the maintenance of functions vital to society, the economy, public health and safety, or the environment, and where an incident would have significant disruptive effects on these essential services. This covers entities in the following sectors:
It should be noted that certain parts of the directive do not apply to entities in the banking, financial market infrastructure and digital infrastructure sectors.
Each Member State must:
Member States must identify the critical entities for the sectors and subsectors set out in the Annex to the directive by 17 July 2026.
Critical entities must:
If critical entities provide essential services in or to six or more Member States, they may benefit from extra advice in the form of advisory missions that evaluate the risk assessment and the resilience-enhancing measures that the entity has put in place.
The European Commission adopted Delegated Regulation (EU) 2023/2450, establishing a non-exhaustive list of essential services in the abovementioned sectors and subsectors. Member States’ competent authorities are to use this list for the purpose of carrying out a risk assessment, and the risk assessment is thereafter to be used for the purpose of identifying critical entities.
The Critical Entities Resilience Group facilitates cooperation among Member States, including sharing information and good practices.
The Commission provides support, including on cross-sectoral risks, best practices, methodologies, cross-border training and exercises to test the resilience of critical entities.
The directive has to be transposed into national law by 17 October 2024. These rules should apply from 18 October 2024.
The Commission’s EU security union strategy and the counter-terrorism agenda for the EU stress the importance of ensuring the resilience of critical entities in the face of physical and digital risks.
This directive is part of a package of legislative measures to improve the resilience and incident-response capacities of public and private entities in the EU in the fields of cybersecurity and critical infrastructure protection.
The Council also issued a recommendation on an EU-wide coordinated approach to strengthen the resilience of critical infrastructure in January 2023.
For further information, see:
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, pp. 164–198).
Commission Delegated Regulation (EU) 2023/2450 of 25 July 2023 supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services (OJ L, 2023/2450, 30.10.2023).
Council Recommendation of 8 December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (OJ C 20, 20.1.2023, pp. 1–11).
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1–79).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, pp. 80–152).
Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond (COM(2020) 795 final, 9.12.2020).
Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy (COM(2020) 605 final, 24.7.2020).
Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU (recast) (OJ L 158, 14.6.2019, pp. 125–199).
Successive amendments to Directive (EU) 2019/944 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity (recast) (OJ L 158, 14.6.2019, pp. 54–124).
Regulation (EU) 2019/941 of the European Parliament and of the Council of 5 June 2019 on risk-preparedness in the electricity sector and repealing Directive 2005/89/EC (OJ L 158, 14.6.2019, pp. 1–21).
Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018 on the promotion of the use of energy from renewable sources (recast) (OJ L 328, 21.12.2018, pp. 82–209).
Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, pp. 6–21).
Regulation (EU) 2017/1938 of the European Parliament and of the Council of 25 October 2017 concerning measures to safeguard the security of gas supply and repealing Regulation (EU) No 994/2010 (OJ L 280, 28.10.2017, pp. 1–56).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).
Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82/EC (OJ L 197, 24.7.2012, pp. 1–37).
Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, pp. 12–33).
Directive 2009/73/EC of the European Parliament and of the Council of 13 July 2009 concerning common rules for the internal market in natural gas and repealing Directive 2003/55/EC (OJ L 211, 14.8.2009, pp. 94–136).
Directive 2007/60/EC of the European Parliament and of the Council of 23 October 2007 on the assessment and management of flood risks (OJ L 288, 6.11.2007, pp. 27–34).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).
last update 19.02.2024