Source: OJ L 333, 27.12.2022, pp. 164–198Current language: EN
- Resilience of critical entities
Basic legislative acts
- CER directive
Article 5 Risk assessment by Member States
Summary What does Article 5 of the CER directive say?
This article establishes the framework for Member State risk assessments, which are a critical upstream step that feeds directly into the identification of critical entities under Article 6 and the resilience measures required under Article 13.
The Commission is tasked with producing a non-exhaustive list of essential services to guide these assessments, and Member States must then conduct their own risk assessments on that basis, covering a broad spectrum of threats ranging from natural disasters and public health emergencies to hybrid and terrorist threats.
The article also sets out what inputs Member States must draw upon when conducting their assessments, including existing sector-specific risk assessments under other Union legal acts, and requires Member States to share relevant outcomes both with identified critical entities and with the Commission.
Important points:
- Competent authorities are required to conduct Member State risk assessments by 17 January 2026, and at least every four years thereafter, using the Commission's list of essential services as a basis.
- Member States must share relevant elements of their risk assessments with identified critical entities to assist them in conducting their own risk assessments and taking resilience measures.
- Member States are required to provide the Commission with information on the types of risks identified and the outcomes of each risk assessment, broken down by sector and subsector, within three months of completing the assessment.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The Commission is empowered to adopt a delegated act, in accordance with Article 23, by 17 November 2023 to supplement this Directive by establishing a non-exhaustive list of essential services in the sectors and subsectors set out in the Annex. The competent authorities shall use that list of essential services for the purpose of carrying out a risk assessment (‘Member State risk assessment’) by 17 January 2026, whenever necessary subsequently, and at least every four years. The competent authorities shall use Member State risk assessments for the purpose of identifying critical entities in accordance with Article 6 and assisting those critical entities to take measures pursuant to Article 13.
Member State risk assessments shall account for the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid threats or other antagonistic threats, including terrorist offences as provided for in Directive (EU) 2017/541 of the European Parliament and of the Council(32).
In carrying out Member State risk assessments, Member States shall take into account at least the following:
the general risk assessment carried out pursuant to Article 6(1) of Decision No 1313/2013/EU;
other relevant risk assessments, carried out in accordance with the requirements of the relevant sector-specific Union legal acts, including Regulations (EU) 2017/1938(33) and (EU) 2019/941(34) of the European Parliament and of the Council and Directives 2007/60/EC(35) and 2012/18/EU(36) of the European Parliament and of the Council;
the relevant risks arising from the extent to which the sectors set out in the Annex depend on one another, including from the extent to which they depend on entities located within other Member States and third countries, and the impact that a significant disruption in one sector may have on other sectors, including any significant risks to citizens and the internal market;
any information on incidents notified in accordance with Article 15.
For the purposes of the first subparagraph, point (c), Member States shall cooperate with the competent authorities of other Member States and the competent authorities of third countries, as appropriate.
Member States shall make the relevant elements of Member State risk assessments available, where relevant through their single points of contact, to the critical entities that they have identified in accordance with Article 6. Member States shall ensure that the information provided to critical entities assists them in carrying out their risk assessments pursuant to Article 12 and in taking measures to ensure their resilience pursuant to Article 13.
Within three months of carrying out a Member State risk assessment, a Member State shall provide the Commission with relevant information on the types of risks identified following, and the outcomes of, that Member State risk assessment, per sector and subsector set out in the Annex.
The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purpose of complying with paragraph 4.
Relevant recitals
Recital 15 Member State risk assessments
The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that focuses on the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, that could affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage (‘Member State risk assessment’). When carrying out Member State risk assessments, Member States should take into account other general or sector-specific risk assessments carried out pursuant to other Union legal acts and should consider the extent to which sectors depend on one another, including on sectors in other Member States and third countries. The outcome of Member State risk assessments should be used for the purposes of identifying critical entities and assisting those entities in meeting their resilience requirements. This Directive applies only to Member States and critical entities that operate within the Union. Nevertheless, the expertise and knowledge generated by competent authorities, in particular through risk assessments, and by the Commission, in particular through various forms of support and cooperation, could be used, where appropriate and in accordance with the applicable legal instruments, for the benefit of third countries, in particular those in the direct neighbourhood of the Union, by feeding into existing cooperation on resilience.
Recital 17 List of essential services
Member States should submit to the Commission, in a manner that fulfils the objectives of this Directive, a list of essential services, the number of critical entities identified for each of the sectors and subsectors set out in the Annex and for the essential service or services that each entity provides and, if applied, thresholds. It should be possible to present thresholds as such or in aggregated form, meaning that the information can be averaged by geographic area, by year, by sector, by subsector or by other means, and can include information on the range of the indicators provided.
Recital 19 Foreign ownership of critical infrastructure
In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council(7), which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
essential service
Definition
critical infrastructure
Definition
critical entity
Definition
risk assessment
Definition
resilience
Footnote 7
Footnote 33
Footnote 36
Footnote 34
Footnote 35
Footnote 32