Analysis
Attacks and Vulnerabilities
Critical infrastructure
Malware, Phishing & Ransomware
News
Regulation, Standards and Compliance
Threat Landscape

EU Commission publishes list identifying critical entities for key sectors, helps execute risk assessments

July 26, 2023
EU Commission publishes list identifying critical entities for key sectors, helps execute risk assessments

The European Commission adopted on Tuesday a list of essential services in the eleven sectors covered by the Critical Entities Resilience Directive (CER), in a move to boost resilience and step forward to identify critical entities for key sectors. Member States will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026. They will use this list of essential services to carry out risk assessments and identify critical entities. Once identified, the critical entities will have to take measures to enhance their resilience.

The Commission has proposed a non-exhaustive list of services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment, for the eleven sectors and subsectors covered by the Directive. It includes the energy sector, with services such as electricity production and energy storage; transport sector, with services such as management and maintenance of airport or railways infrastructure; banking sector, with essential services such as taking deposits and lending; and the financial market infrastructure sector, with services such as the operation of trading venue and of clearing systems. 

The agency also included the health sector, with distribution, manufacturing, provision of healthcare, and medical services; drinking water sector, with drinking water supply and drinking water distribution; wastewater sector, with wastewater collection, treatment and disposal services; and digital infrastructure sector, with services such as the provision and operation of internet exchange point service, domain name system, top-level domain, cloud computing and data center. 

The list also covered public administration sector services; space sector, with the operation of ground-based infrastructure services; and production, processing and distribution of food sector, with large-scale industrial food production and processing, food supply chain services, and food wholesale distribution services.

“The sabotage last autumn of the Nord Stream pipelines underlined how essential sectors such as energy, digital infrastructure, transport and space depend on resilient critical infrastructure and how interlinked the external and internal dimensions of our security are,” Margaritis Schinas, vice-president for Promoting our European Way of Life, said in a media statement. “Our new rules on critical entities resilience we are now rolling out, are providing a strong framework to build up our collective protection against all threats.”

Ylva Johansson, Commissioner for Home Affairs said that “we face increasing hybrid attacks and climate change impacts. Being prepared and resilient requires collective action. With today’s adoption, we are taking another step to ensure that our societies and industries are prepared to face security challenges and disruptions in the provision of essential services.”

The delegated act adopted by the Commission will enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of its notification or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period can be extended by two months at the initiative of the European Parliament or of the Council.

Having come into force on Jan. 16, 2023, the CER Directive aims at ensuring that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market and that the resilience of critical entities providing such services is enhanced, Ursula von der Leyen, president of the European Commission, wrote in a supplementing Directive released by the agency on Tuesday.

The directive lays down obligations for critical entities, with the objective of enhancing their resilience, and establishes rules on the supervision of critical entities, enforcement, and identification of critical entities of particular European significance, according to the document. It also establishes common rules for cooperation between member states and reporting on the application of the directive. In particular, the CER directive provides for obligations on member states to carry out risk assessments and identify those critical entities that provide essential services.

Pursuant to Article 7(2)(a) of the CER Directive, member states shall submit to the Commission without undue delay the list of essential services where there are any additional essential services as compared to the list laid down in this delegated act.

Last week, member states of the Council of the EU (European Council) announced that they have reached a common position on security requirements for digital products. The draft regulation introduces mandatory cybersecurity requirements for the design, development, production, and making available on the market of hardware and software products to avoid overlapping requirements stemming from different pieces of legislation in European Union (EU) member states. These shared requirements ensure that digital products meet the highest level of security and protect users’ sensitive information.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights