Critical Entities Resilience (CER) Regulations

In October 2024, the Minister for Defence signed the European Union (Resilience of Critical Entities) Regulations 2024 (S.I. No. 559 of 2024). These regulations transpose the EU Directive on the resilience of critical entities (EU 2022/2557).

The Resilience of Critical Entities Regulations are part of our effort to increase the resilience of essential services providing vital societal functions in Ireland. The regulations will apply to the following sectors of the economy: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and large-scale food production, processing, and distribution.

A key requirement of the Regulations is publication by the Minister for Defence of a National Strategy on the Resilience of Critical Entities. This drafting of the National Strategy involved engagement with key stakeholders, including the competent authorities for each sector. This strategy sets out the governance framework, the criteria for identifying critical entities, their specific obligations, and the measures needed to strengthen resilience, particularly through improved information sharing and stronger public‑private collaboration. The Regulations also required the Department of Defence to conduct an enhanced national risk assessment to support the identification of critical entities.

The table below lists the Competent Authorities responsible for each of the 11 sectors. Some sectors have more than one Competent Authority, as different organisations may oversee specific sub‑sectors due to the nature and complexity of the services involved.

The Office of Emergency Planning in the Department of Defence will act as the Single Point of Contact for Ireland on the CER Directive and can be contacted at cer@defence.ie

The Minister for Defence, following the Department of Defence working with the relevant Competent Authorities and Government Departments, has published Ireland’s National Strategy on the Resilience of Critical Entities (2026–2029).

The Strategy sets out how Ireland will ensure that critical entities across 11 sectors can withstand, adapt to, and recover from disruptive events that could affect essential services.

• The governance framework for delivering resilience
• Criteria for identifying critical entities
• The specific obligations on those entities
• The measures required to strengthen resilience

The goals of the strategy are:

1. Enhance the National Risk Assessment: Build on our established National Risk Assessment (NRA) methodology to meet the requirements of the regulations including identifying essential services of the state.
2. Establish Governance and Coordination: Embed a governance and co-ordination framework for Critical Entity resilience.
3. Improve Resilience: Drive appropriate and proportionate improvements in the resilience of essential services provided by identified Critical Entities.
4. Strengthen Strategic Oversight: Enhance the Department of Defence’s strategic oversight of critical infrastructure dependencies across all our sectors.
5. Ensure Consistency with Cyber Security: Maintain a consistent approach by the Department of Defence to Critical Entity resilience and ensure consistency with our national approach to cyber security, including the implementation of EU Network and Information Security (NIS 2) Directive.

The National Risk Assessment (NRA) is conducted every 3 years as a requirement of EU Decision 1313/2013/EU. It is conducted by the Office of Emergency Planning in consultation with all government departments and agencies and is approved by the Government Task Force on Emergency Planning.

The NRA process has been updated to ensure that it aligns with the requirements of the European Union (Resilience of Critical Entities) Regulations 2024.