On 18 October 2024, the Directive on the resilience of critical entities, repealing Council Directive 114 of 2008, is implemented. The Member States were required to transpose the Directive by 17 October 2024. Under the Directive, Member States were required to identify public and private entities belonging to one of the listed categories considered "critical entities" from the energy, transport, health, drinking water, wastewater and space sectors. The States were required to notify "critical entities" of their status within one month of the identification, informing them of their obligations, which are binding from 10 months after the date of the notification. Furthermore, the Member States were required to adopt a strategy to improve the resilience of critical entities and to conduct risk assessments. The entities designated as "critical entities" must carry out a risk assessment within nine months of being notified of their status, implement preventive, detective and responsive technical and operational measures to mitigate security risks, and notify significant incidents and cyber threats. The obligations outlined in the Directive do not apply to entities from the digital infrastructure sector, such as internet exchange points, DNS services, top-level domain-name registries, cloud computing services, data centre services, content delivery, trust services and public electronic communications networks. The cyber security obligations for the banking, financial market infrastructure and digital infrastructure sectors are established in the Directive on measures for a high common level of cybersecurity across the EU (NIS 2) and the Digital Operational Resilience Act (DORA).