Beyond Blue is currently supporting a European Union Member State Government to pioneer best-in-class implementation of the EU Commission’s Critical Entities Resilience Directive (CER Directive). The CER Directive is a landmark piece of legislation designed to push for improved standards of infrastructure resilience across the EU.

EU State National Strategy for the EU Critical Entity Resilience Directive


Context & Problem

The CER Directive is part of a flurry of recent activity from governmental bodies, intergovernmental organisations and standards agencies aimed at driving proactive, resilience-based approaches to combating the increasingly systemic risks associated with critical infrastructure.

Several challenges are associated with implementation. For one thing, the scope of the CER Directive is extensive: it applies to all critical infrastructure sectors and requires that entities within its scope prepare for all hazards, from natural disasters to terrorism to supply chain disruptions. The sectors which fall under the scope of the Directive display varying levels of maturity and preparedness to meet these requirements. The CER Directive is also unique in serving as the first major legislative framework aimed at general infrastructure resilience. This means that there is no established view of best practice for infrastructure resilience policy or regulation, at either the sector or cross-sector level. Finally, there remains a generally low level of understanding amongst governments, regulators, and owners and operators of infrastructure of what the term "infrastructure resilience" means, and of how the associated initiatives relate to existing risk management, business continuity and incident response measures.

Our client was eager for support in designing their approach to implementation of the CER Directive. They were particularly concerned to ensure that the approach adopted would both align with their existing approach to National Risk Assessment and minimise the regulatory burden on entities which fall within the scope of the CER Directive.

Beyond Blue’s Approach

Beyond Blue supported the client through almost all aspects of defining their initial approach to implementation of the CER Directive. This support included the following:

  • National Strategy for the Resilience of Critical Entities: A key requirement of the CER Directive is that Member States must set out a National Strategy for the Resilience of Critical Entities. This document should articulate the public policy platform and governance framework which the Member State intends to use to foster the resilience of essential services; in other words, it outlines how the Member State intends to achieve CER Directive implementation. We served as lead authors on the initial draft and several subsequent iterations. In consultation with our client, we developed and communicated through this document all the core components of their planned approach to implementation, from incident reporting requirements and governance structures to interdependency management and alignment with the National Risk Assessment and NIS2.
  • Regulatory Framework: As well as developing the National Strategy for the client, we supported them in defining the parameters of their regulatory framework for CER implementation. The Directive is clear that this must involve Critical Entities providing their Competent Authorities (i.e., their CER-specific regulator) with the outputs of a resilience assessment (dubbed a "Critical Entity Risk Assessment") and associated documentation of all planned and completed resilience measures (known as a "Critical Entities Resilience Plan"). Drawing on international best practice guidance from ISO, UNDRR and OECD, we developed an advisory, sector-agnostic framework for use by Competent Authorities in structuring their regulatory expectations of Critical Entities. The approach was designed to enable proactive yet proportionate investment by Critical Entities in the resilience of the essential services they support.
  • Critical Entity Identification: The client was looking to develop an approach to the designation of operators of critical infrastructure to whom the regulations would apply (i.e., designation as a Critical Entity). They wanted this approach to be proportionate, aligned with the National Risk Assessment and as evidence-based as possible. We worked closely with the client through multiple rounds of development, including hosting several workshops, to produce an approach tailored to their needs.
  • Current State Assessment: In addition to supporting the development of the client's approach to CER implementation, we conducted a review of current levels of maturity across the government bodies tasked with serving as Competent Authorities under the CER Directive. The objective of this exercise was to gauge the preparedness of the various bodies and to help inform the client's model for training and centralised support.
  • Training: Following completion of the Current State Assessment, we worked with the client to establish a clear set of training requirements for Competent Authorities. The focus was on producing manuals and hosting in-person workshops to support these bodies in implementing the CER Directive effectively and in line with the client's overall national strategy. We also hosted several workshops with the client themselves to help them understand and contextualise the CER Directive within the broader growth of infrastructure resilience initiatives.

Client Value

The client was confronted with the challenging task of developing an approach to implementation of a new and largely original EU legislative framework, with no best practice standard to benchmark against. They also knew that this framework would need to apply to multiple sectors with varying levels of maturity and to complement their mature national risk and incident response structures. Beyond Blue has not only been able to support the client on this journey but has become a trusted partner in the process. Bringing decades of experience in national security and industry-leading expertise in resilience management to the task, we have been actively involved in building out the client's National Strategy, developing a flexible and proportionate regulatory framework, producing numerous training materials, ensuring alignment with the National Risk Assessment and delivering multiple workshops and seminars, all in support of the successful long-term stewardship of the CER Directive.

Want to speak to us?

If you would like to discuss a cyber or resilience problem with a member of the team, please get in touch in whatever way you feel most comfortable. We would love to help you and your business prepare to bounce back stronger.