European Union: Entry into force with grace period of Directive on the resilience of critical entities

On 16 January 2023, the Directive on the resilience of critical entities entered into force with a grace period twenty days after its publication in the Official Journal of the European Union. Under the Directive, Member States are required to identify public and private entities belonging to one of the listed categories considered "critical entities" from the energy, transport, health, drinking water, wastewater and space sectors by three and six months after the entry into force. The States are required to notify "critical entities" of their status within one month of the identification, informing them of their obligations, which are binding from 10 months after the date of the notification. Furthermore, the Member States are required to adopt a strategy to improve the resilience of critical entities and conduct risk assessments. The European Commission, by 10 months from the Directive's entry into force, is empowered to adopt a delegated act consisting of a non-exhaustive list of essential services that Member States may use to carry out the risk assessment. Subsequently, Member States must repeat the risk assessment procedure whenever necessary, at least every four years. The entities designated as "critical entities" must carry out a risk assessment within nine months of being notified of this status and implement preventive, detective and responsive technical and operational measures to mitigate security risks and notify significant incidents and cyber threats. The obligations outlined in the Directive do not apply to entities from the digital infrastructure sector, such as internet exchange points, DNS services, top-level domain-name registries, cloud computing services, data centre services, content delivery, trust services and public electronic communications networks. The cyber security obligations for banking, financial market infrastructure and digital infrastructure sectors are established in the Directive on measures for a high common level of cybersecurity across the EU (NIS 2) and Digital Operational Resilience Act (DORA). The Member States are required to transpose the Directive by 17 October 2024 and implement the requirements from 18 October 2024.