Today, the Commission has adopted a list of essential services in the eleven sectors covered by the Critical Entities Resilience Directive (CER), which entered into force on 16 January 2023. Critical entities provide essential services in upholding key societal functions, supporting the economy, ensuring public health and safety, and preserving the environment.
Member States will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026. They will use this list of essential services to carry out risk assessments and to then identify the critical entities. Once identified, the critical entities will have to take measures to enhance their resilience.
List of essential services
The Commission has proposed a non-exhaustive list of services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment, for the eleven sectors and subsectors covered by the Directive, as follows:
- Energy sector, with services such as the electricity production and energy storage;
- Transport sector, with services such as management and maintenance of airport or railways infrastructure;
- Banking sector, with essential services such as taking deposits and lending;
- Financial market infrastructure sector, with services such as the operation of trading venue and of clearing systems;
- Health sector, with distribution, manufacturing, provision of healthcare, and medical services;
- Drinking water sector, with drinking water supply and drinking water distribution;
- Waste water sector, with waste water collection, treatment and disposal services;
- Digital infrastructure sector, with services such as the provision and operation of internet exchange point service, domain name system, top-level domain, cloud computing and data centre;
- Public administration sector services;
- Space sector, with the operation of ground-based infrastructure services;
- Production, processing and distribution of food sector, with the large-scale industrial food production and processing, food supply chain services and food wholesale distribution services.
The delegated act adopted by the Commission will enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of its notification or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period can be extended by two months at the initiative of the European Parliament or of the Council.
In 2020 the Commission proposed a significant upgrade to the EU’s rules on the resilience of critical entities and the security of network and information systems. On 16 January, two key directives on critical and digital infrastructure entered into force with the purpose of strengthening the EU’s resilience against online and offline threats, from cyberattacks to crime, risks to public health or natural disasters – the Directive on the resilience of critical entities (CER Directive) and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), which entered into force on 16 January 2023.