With the 17 July 2026 deadline for Member States to identify ‘critical entities’ fast approaching, organisations that may fall within scope of the Critical Entities Resilience Directive (EU) 2022/2557 (the “CER Directive”) should consider the impact of such a designation. This timing carries added significance with security and resilience being at the centre of the EU policy agenda of Ireland’s EU Council Presidency (as discussed further here).
Relevance and scope
The CER Directive establishes an all-hazards EU framework to strengthen the resilience of critical entities, clarifying their obligations as providers of essential services and reinforcing their capacity to withstand and recover from incidents that could disrupt vital societal functions and economic activities. Unlike its predecessor Directive 2008/114/EC (now repealed), which provided for the designation of European critical infrastructure, the CER Directive designates ‘critical entities’ in certain sectors.
The CER Directive, which was transposed into Irish law in October 2024 by the European Union (Resilience of Critical Entities) Regulations 2024 (SI 559/2024) (the “Regulations”), applies to the following 11 key sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Waste water
- Digital infrastructure
- Public administration
- Space
- Food production, processing and distribution
The Schedule to the Regulations identifies the range of subsectors that are in scope for each sector.
Supervision and oversight of critical entities
Ireland favours a sectoral approach, with existing sectoral regulators acting as competent authorities and the Minister for Defence serving as the single point of contact for liaising with other Member States. For example, the Commission for Regulation of Utilities is the competent authority for the energy sector and Commission for Communications Regulation is to regulate the digital infrastructure sector.
Designation of critical entities
Whether an entity is designated as a critical entity under the Regulations is a question determined by the relevant sector-specific competent authority rather than a self-assessment by the entity. In making that determination, the relevant competent authority will consider whether all of the following criteria are met (and may request information to assist with such determination):
- Does the entity provide one or more essential services?
- Does the entity operate, and is its critical infrastructure located, in Ireland?
- Would an incident have significant disruptive effects on the provision by the entity of one or more essential services, or the provision of other essential services in the sectors specified in the Regulations Schedule that depend on the entity’s services?
Member States have discretion to determine what constitutes an ‘essential service’ in their State. As such, the Department of Defence has published an updated 2026 National Risk Assessment for Ireland (the “NRA”) which lists essential services for Ireland. Competent authorities will use the NRA to identify critical entities.
Competent authorities must complete their identification process by 17 July 2026 and notify identified entities within one month thereafter. Entities notified about their proposed identification will have an opportunity to make any representations to the competent authority.
Critical entities providing the same or similar essential services to or in six or more Member States must notify their competent authority accordingly and may, following consultation with the European Commission, be designated as a ‘critical entity of particular European significance’, attracting increased scrutiny.
Impact of critical entity designation
The requirements of the Regulations apply to critical entities 10 months from the date of their receipt of designation notification. The Regulations impose various obligations on critical entities, including:
- Risk assessments: Critical entities must carry out a recurring risk assessment, the first of which is required within 9 months after receipt of notification, and then not later than every fourth anniversary of the date of the first assessment. A new risk assessment is also required when a new risk has been identified which was not previously assessed. The risk assessment must take an all-hazards approach based on the NRA, assessing all relevant natural and man-made risks that could lead to an incident.
- Resilience and security requirements: Critical entities must implement a resilience plan within 10 months of receipt of notification to put in place appropriate and proportionate technical, security and organisational measures to ensure their resilience. The determination of such measures will be based on, amongst other things, the NRA and the outcome of the critical entity’s risk assessment. Critical entities may also request proportionate background checks for employees in sensitive roles, with access to secure systems, or potential recruits.
- Incident notification: Without undue delay, critical entities are required to notify the relevant competent authority in writing of incidents that significantly disrupt, or have the potential to significantly disrupt, the provision of essential services. The initial notification is required within 24 hours of becoming aware of the incident (unless operationally unable to do so), with a detailed report required within one month from becoming aware of the incident.
- Liaison officer: Critical entities are required to designate a liaison officer (or equivalent) as the point of contact with the relevant competent authority.
Enforcement and consequences of non-compliance
Competent authorities have enforcement powers including supervision, inspection (both on-site and off-site), information requests, audits, compliance notices, and penalties for non-compliance.
Non-compliance under the Regulations may attract criminal liability, resulting in potential fines of up to €50,000 for an individual and €500,000 for body corporates. Additionally, directors and officers of a non-compliant body corporate may be held personally liable where an offence under the Regulations is committed with their consent, connivance, approval or wilful neglect.
Interplay with NIS 2 Directive and DORA
The Regulations and the NIS 2 Directive (Directive (EU) 2022/2555) share significant overlap, with both frameworks operating parallel designation regimes across the same critical sectors, resulting in many organisations falling within the scope of both regulatory schemes. Critical entities designated under the Regulations will be considered to be an ‘essential entity’ under the NIS 2 Directive.
For critical entities in banking, financial market infrastructure, or digital infrastructure sectors already identified under NIS 2 Directive or DORA (Regulation (EU) 2022/2554), the core obligations of the Regulations are disapplied, with the NIS 2 Directive and DORA serving as the primary resilience framework.
Next steps
With the identification process nearing its conclusion, organisations operating in any of the in-scope sectors should assess whether they might meet the criteria for designation as a critical entity under the Regulations and consider what representations they might make should the competent authority propose to identify them as such. Such organisations should also consider carrying out a gap analysis to assess whether its existing risk management frameworks and resilience plans are sufficient to meet the Regulations obligations.
Contact us
If you have any questions on anything contained in this article or on organisational resilience in general, please feel free to reach out to a member of the Technology and Innovation Group, or the Energy, Infrastructure and Construction Group, or your usual Matheson contact.
