Source: OJ L 333, 27.12.2022, pp. 164–198Current language: EN
- Resilience of critical entities
Basic legislative acts
- CER directive
Article 9 Competent authorities and single point of contact
Summary What does Article 9 of the CER directive say?
This article establishes the national governance architecture that Member States must put in place to implement the Directive.
It requires each Member State to designate competent authorities responsible for applying and enforcing the rules, and to set up a single point of contact to serve as the national liaison for cross-border cooperation.
The article also links to the broader regulatory ecosystem by specifying that, for certain sectors, the default competent authorities should be those already designated under related instruments such as DORA and the NIS2 Directive, though Member States retain flexibility to designate different authorities under their national frameworks.
Cooperation obligations run in multiple directions: between competent authorities domestically, across Member States via the single points of contact, and with NIS2 competent authorities on both cyber and non-cyber risks affecting critical entities.
Important points:
- Member States are required to designate competent authorities and a single point of contact, and must notify the Commission of their identity within three months of designation.
- Single points of contact are required to submit summary reports to the Commission and the Critical Entities Resilience Group every two years, covering notifications received and actions taken.
- Competent authorities must cooperate and exchange information with NIS2 competent authorities on cybersecurity and non-cyber risks affecting critical entities.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Each Member State shall designate or establish one or more competent authorities responsible for the correct application and, where necessary, enforcement of the rules set out in this Directive at national level.
As regards the critical entities in the sectors set out in points 3 and 4 of the table in the Annex to this Directive, the competent authorities shall, in principle, be the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554. As regards the critical entities in the sector set out in point 8 of the table in the Annex to this Directive, the competent authorities shall, in principle, be the competent authorities under Directive (EU) 2022/2555. Member States may designate a different competent authority for the sectors set out in points 3, 4 and 8 of the table in the Annex to this Directive in accordance with existing national frameworks.
Where Member States designate or establish more than one competent authority, they shall clearly set out the tasks of each of the authorities concerned and ensure that they cooperate effectively to fulfil their tasks under this Directive, including with regard to the designation and activities of the single point of contact referred to in paragraph 2.
Each Member State shall designate or establish one single point of contact to exercise a liaison function for the purpose of ensuring cross-border cooperation with the single points of contact of other Member States and the Critical Entities Resilience Group referred to in Article 19 (‘single point of contact’). Where relevant, a Member State shall designate its single point of contact within a competent authority. Where relevant, a Member State may provide that its single point of contact also exercise a liaison function with the Commission and ensure cooperation with third countries.
By 17 July 2028, and every two years thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group referred to in Article 19 on the notifications they have received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 15(3).
The Commission shall, in cooperation with the Critical Entities Resilience Group, develop a common reporting template. The competent authorities may use, on a voluntary basis, that common reporting template for the purpose of submitting summary reports as referred to in the first subparagraph.
Each Member State shall ensure that its competent authority and single point of contact have the powers and the adequate financial, human and technical resources to carry out, in an effective and efficient manner, the tasks assigned to them.
Each Member State shall ensure that its competent authority, whenever appropriate, and in accordance with Union and national law, consults and cooperates with other relevant national authorities, including those in charge of civil protection, law enforcement and the protection of personal data, and with critical entities and relevant interested parties.
Each Member State shall ensure that its competent authority under this Directive cooperates and exchanges information with competent authorities under Directive (EU) 2022/2555 on cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents affecting critical entities, including with regard to relevant measures its competent authority and competent authorities under Directive (EU) 2022/2555 have taken.
Within three months of the designation or establishment of the competent authority and the single point of contact, each Member State shall notify the Commission of their identity and their tasks and responsibilities under this Directive, their contact details and any subsequent change thereto. Member States shall inform the Commission where they decide to designate an authority other than the competent authorities referred to in paragraph 1, second subparagraph, as the competent authorities in respect of the critical entities in the sectors set out in points 3, 4 and 8 of the table in the Annex. Each Member State shall make public the identity of its competent authority and single point of contact.
The Commission shall make a list of the single points of contact publicly available.
Relevant recitals
Recital 22 Designation of competent authorities
Member States should designate or establish authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In light of the differences in national governance structures, in order to safeguard existing sectoral arrangements or Union supervisory and regulatory bodies, and in order to avoid duplication, Member States should be able to designate or establish more than one competent authority. Where Member States designate or establish more than one competent authority, they should clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, at both Union and national level.
Recital 23 Single point of contact for cross-border coordination
In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to the requirements of sector-specific Union legal acts, designate one single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level (‘single point of contact’), where relevant within a competent authority. Each single point of contact should liaise and coordinate communication, where relevant, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities Resilience Group.
Recital 24 Relation to requirements and competent authorities under the NIS 2 directive
The competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 should cooperate and exchange information in relation to cybersecurity risks, cyber threats and cyber incidents and non-cyber risks, threats and incidents affecting critical entities as well as in relation to relevant measures taken by competent authorities under this Directive and competent authorities under Directive (EU) 2022/2555. It is important that Member States ensure that the requirements provided for in this Directive and in Directive (EU) 2022/2555 are implemented in a complementary manner and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive and that Directive.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
essential service
Definition
critical entity
Definition
resilience