Source: European Parliament
The EU has strengthened the legislative framework regarding the protection of critical infrastructure, notably with the entry into application in October 2024 of the directive on the Resilience of Critical Entities[1], which enhances the resilience of critical entities that provide essential services for vital societal functions or economic activities.
The directive addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
The European Internal Security Strategy[2] stresses the importance of timely transposition and correct implementation of this directive.
According to the directive on the Resilience of Critical Entities, Member States have to adopt a strategy on the resilience of critical entities and perform a risk assessment by 17 January 2026, and have to identify critical entities in the 11 sectors covered by the directive by 17 July 2026.
Identified critical entities will in turn have to perform a risk assessment and take appropriate and proportionate resilience-enhancing measures within 10 months after having been notified of their identification as a critical entity.
The Commission will continue to support Member States in the implementation of the directive with implementing legislation, advice and guidelines, and facilitate the exchange of information and best practices among Member States.
- [1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
- [2] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on ProtectEU: a European Internal Security Strategy; COM(2025) 148 final.