Art. 4 Strategy on the resilience of critical entities | CER directive | CER

1. Following a consultation that is, to the extent practically possible, open to relevant stakeholders, each Member State shall adopt by 17 January 2026 a strategy for enhancing the resiliencemeans a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; (the ‘strategy’). The strategy shall set out strategic objectives and policy measures, building upon relevant existing national and sectoral strategies, plans or similar documents, with a view to achieving and maintaining a high level of resiliencemeans a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; on the part of critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and covering at least the sectors set out in the Annex.
1. Each strategy shall contain at least the following elements:
  1. strategic objectives and priorities for the purposes of enhancing the overall resiliencemeans a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, taking into account cross-border and cross-sectoral dependencies and interdependencies;
  2. a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and other parties involved in the implementation of the strategy;
  3. a description of measures necessary to enhance the overall resiliencemeans a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, including a description of the risk assessmentmeans the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; referred to in Article 5;
  4. a description of the process by which critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are identified;
  5. a description of the process supporting critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in accordance with this Chapter, including measures to enhance cooperation between the public sector, on the one hand, and the private sector and public and private entities, on the other hand;
  6. a list of the main authorities and relevant stakeholders, other than critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, involved in the implementation of the strategy;
  7. a policy framework for coordination between the competent authorities under this Directive (‘competent authorities’) and the competent authorities under Directive (EU) 2022/2555 for the purposes of information sharing on cybersecurity risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, cyber threats and cyber incidentsmeans an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and non-cyber risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, threats and incidentsmeans an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and the exercise of supervisory tasks;
  8. a description of measures already in place which aim to facilitate the implementation of obligations under Chapter III of this Directive by small and medium-sized enterprises within the meaning of the Annex to Commission Recommendation 2003/361/EC(³¹)Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36). that the Member State in question has identified as critical entitiesmeans a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.
2. Following a consultation that is, to the extent practically possible, open to relevant stakeholders, Member States shall update their strategies at least every four years.
1. Member States shall communicate their strategies, and substantial updates thereto, to the Commission within three months of their adoption.