Critical Entities Resilience

European Union Policy Landscape

The policy landscape for critical entity resilience encompasses frameworks and regulations aimed at ensuring the robustness and continuity of essential services and critical infrastructures against all-hazards, including climate change, and emerging and hybrid threats. At the national level, governments often establish policies that mandate risk assessments, preventive measures, and crisis management protocols for entities deemed critical, such as those in energy, transportation, finance, and healthcare sectors. Internationally, collaborations and agreements, such as those fostered by bodies like the European Union and the United Nations, promote information sharing and joint resilience-building efforts. Additionally, public-private partnerships play a crucial role in enhancing resilience, leveraging the resources and expertise of the private sector to support public policy objectives. Overall, the policy landscape is marked by an increasing emphasis on adaptability, intersectoral cooperation, and proactive risk management to safeguard societal and economic stability. 

At European Union (EU) level, Recent policy changes denote a paradigm shift from the protection of critical infrastructure systems toward the focus on enhancing resilience of critical entities against a growing array of manmade threats and natural hazards.

Directive on the Resilience of Critical Entities

In October 2024, the Directive (EU) 2022/2557 (CER Directive) entered into force, repealing the ECI Directive. Together with the Directive (EU) 2022/2555 (NIS2 Directive), it provides Member States with a framework to identify, assess, and protect essential services across the EU. The CER Directive is supplemented by the Commission Delegated Regulation (EU) 2023/2450 that establishes a list of essential services by critical entity sector and subsector. The new rules strengthen the resilience of critical infrastructure to all hazards, whether natural or man-made, accidental or intentional, including cross-border and cross-sectoral risks. 

The Joint Research Centre (JRC) supports the implementation of the CER Directive. In collaboration with the Directorate General on Migration and Home Affairs (DG HOME), the JRC has been developing non-binding guidelines to support Member States in identifying critical entities, determining the significance of disruptive effects, reporting their risk assessment outputs, and defining the technical, security and organisational measures that critical entities need to undertake to enhance their resilience. 

This work will support Member States and critical entities in fulfilling some of their obligations under the CER Directive.

Council Recommendation on the Resilience of Critical Infrastructure

Following the sabotage of the Nord Stream pipelines, the Council adopted a Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure. The Recommendation aims to step up the EU’s capacity to protect its critical infrastructure, including a series of targeted actions on key sectors such as energy, digital infrastructure, transport and space. It enhances preparedness and response against current threats, as well as international cooperation. 

In late 2023, Member States finished conducting the stress tests of critical infrastructure in the energy sector. These focused mainly on intentional man-made threats such as sabotage and were based on fictitious scenarios.

The JRC expertise was pivotal in developing common scenarios and indicators for the stress tests of EU critical energy infrastructures, and in supporting DG HOME with the processing of the replies.

Critical Infrastructure Blueprint on Cross-Border Disruptive Incidents

In June 2024, the Council adopted a Recommendation on a Blueprint to coordinate EU response to disruptions to critical infrastructure with significant cross-border relevance. The Blueprint provides a roadmap with measures that can be applied when Member States are faced with significant critical infrastructure incidents. Notably, it recommends several actions to improve shared situational awareness of the origin and consequences of an incident, coordinated public communication and effective response at EU level. It also helps mitigate the effects of a significant critical infrastructure incident and enables swift reestablishment of essential services.

The JRC supported the development of EU-wide fictitious scenarios to test the validity of the draft Blueprint proposal in case of cross-border disruptions. The assessment was conducted with Member States, Commission Services and other EU institutions through a table-top exercise to Identify possible gaps or shortcomings at EU level.

ProtectEU – European Internal Security Strategy

Within the ProtectEU strategy, critical entities are a focal point of consideration, as their resilience is vital for the security and stability of the European Union. ProtectEU underscores the necessity of safeguarding critical infrastructure across various sectors, such as energy, transport, healthcare, and digital communication, against both traditional and hybrid threats. The strategy advocates for the implementation of the CER Directive, which outlines measures for strengthening the resilience and continuity of essential services. It emphasizes cross-border and cross-sector cooperation, encouraging member states to share best practices, conduct thorough risk assessments, and develop integrated response strategies. Additionally, ProtectEU supports the adoption of collaborative frameworks and secure communication channels to protect critical entities from cyberattacks and other disruptions. This approach ensures that the EU can maintain operational resilience, safeguard its citizens, and uphold its economic and social stability in the face of growing global challenges.

The JRC plays a pivotal role in the European Internal Security Strategy by supporting the implementation of the CER Directive, developing assessment and stress test methodologies and training to enhance the resilience and protection of critical infrastructure systems against all hazards. One of the main objectives of the Hybrid Threats and Critical Entities Resilience (HYCER) team is to advance the understanding of interdependencies among complex socio-technical systems and hybrid threats.

European Preparedness Union Strategy

The Preparedness Union Strategy places significant emphasis on the resilience of critical entities, recognizing their foundational role in maintaining societal and economic stability throughout crises. The strategy identifies the necessity of robust foresight, anticipation, and cross-sector coordination to protect these essential services from both natural and human-induced threats. In line with the CER Directive, the strategy underscores enhancing the resilience of sectors vital to the EU's functioning, such as healthcare, energy, and transportation, through comprehensive risk assessments and resilience measures. It advocates for stronger public-private cooperation, ensuring that critical infrastructure operators work closely with governmental bodies to enhance preparedness and mitigation efforts. Moreover, the strategy highlights the importance of civil-military coordination and integration of resilience considerations into EU external partnerships, thereby reducing vulnerabilities and ensuring that critical entities are equipped to withstand and recover from disruptions, maintaining continuity of service.

The JRC’s research addresses the consideration of all hazards both intentional and unintentional and the assessment of their compound effects on the operations of critical entities and ultimately on the provision of European essential services and vital functions.

European Defence Readiness 2030

The The Joint White Paper for European Defence Readiness 2030 places significant emphasis on the resilience and protection of critical entities, recognizing their vital role in maintaining societal stability amidst evolving security threats. It highlights the necessity of securing essential infrastructure and services against disruptions that could profoundly impact economic and public safety. 

The work conducted at the JRC perfectly aligns with the white paper by focusing on comprehensive risk assessments considering infrastructure interdependencies and cross-border impacts to enhance the resilience of critical entities and the vital function they support.

Niinistö Report - Strengthening Europe’s civil and military preparedness and readiness

The Niinistö report places considerable emphasis on the resilience and protection of critical entities, recognizing their pivotal role in strengthening Europe’s preparedness and readiness. against potential disruptions of essential services. By highlighting the adoption of mechanisms like the CER Directive, the report advocates for a unified and cohesive European approach to bolster resilience across member states. It calls for increased public-private cooperation, policy harmonization, and the establishment of baseline requirements to ensure that critical entities are adequately prepared to withstand and recover from various threats. Additionally, the report emphasizes the importance of sectoral and cross-sectoral initiatives to safeguard the integrity of critical services, reinforcing the EU's ability to respond swiftly and effectively to emergencies.

The JRC in partnership with the European Defence Agency (EDA) developed a framework to define the necessary measures to counter hybrid threats and to enhance the resilience of critical energy infrastructures on which the defence sector depends for its well-functioning. To ensure EU-wide coherence, this study follows the conceptual framework on hybrid threats and the comprehensive resilience ecosystem model developed by JRC and the Centre of Excellence for Countering Hybrid Threats (Hybrid COE) in Helsinki.

Resilience Assessment

Improving the resilience of critical entities has become a priority for the authorities around the globe. A widening spectrum of hazards and threats (e.g., extreme weather, geopolitical tension, supply‑chain disruptions, growing reliance on artificial intelligence (AI) in operational technology, sophisticated cyber‑attacks, hybrid threats) have exposed the limits of traditional risk assessment and risk management efforts. Because many shocks cannot be anticipated and driving every risk to an absolute minimum is rarely cost‑effective, attention is shifting toward systemic resilience: the capacity to maintain, or rapidly restore, essential services when unpredictable events occur. This has shifted the attention towards resilience in order to reassure service continuity in the aftermath of destructive events especially in cases when these cannot be predicted.

To analyse how tightly coupled critical infrastructure networks behave under stress, and to quantify the knock‑on economic effects of service outages, the Joint research Centre (JRC) has developed several tools and methodologies and has published several scientific publications in these fields.

Below are examples of ongoing work on the resilience and protection of critical infrastructures and critical entities.

Critical Entities (CE) Taxonomy & Ontology

A critical infrastructure ontology is required for providing a structured framework for understanding and managing the complex interrelationships between various components of critical infrastructure. Firstly, it facilitates enhanced communication and collaboration across different sectors and stakeholders by establishing a common vocabulary and set of concepts, thus reducing ambiguity and improving information sharing. This can lead to more effective coordination in planning, risk assessment, and incident response. Secondly, an ontology can improve decision-making by allowing for more precise modeling and analysis of dependencies and vulnerabilities within infrastructure systems, enabling stakeholders to identify potential points of failure and prioritize resilience measures accordingly. Additionally, it supports interoperability between different information systems and platforms, enabling seamless integration of data from diverse sources, which is crucial for comprehensive situational awareness. Ultimately, by offering a systematic approach to conceptualizing and managing critical infrastructure, an ontology enhances resilience, facilitates proactive risk management, and contributes to the overall security and stability of essential services.

One recent project of the Hybrid Threats and Critical Entities Resilience (HYCER) team consists in creating an ontology related to the resilience of critical entities that can harmonize linguistically all concepts related to risk assessment (i.e., threats/hazards, vulnerabilities, and consequences), critical entity structural organization (e.g., essential services, infrastructures, assets) but also the European policy framework. The present ontology can serve as a support for policymakers for defining and better understanding of gaps in policy, implementing the Critical Entities Resilience (CER) Directive; but also serving as a support for early warning systems and automated detection/classification tools.

Risk Assessment

Risk assessment is a fundamental component in enhancing the resilience of critical entities, serving as the foundation for identifying and understanding potential threats and vulnerabilities that could impact essential services. By systematically evaluating risks, organizations can prioritize and implement appropriate mitigation strategies tailored to safeguard infrastructure against disruptions, whether they arise from natural disasters or manmade threats. This proactive approach enables critical entities to develop comprehensive response plans, ensuring continuity of operations even during crises. Furthermore, effective risk assessment fosters a culture of preparedness and adaptability, allowing entities to anticipate challenges and adjust their infrastructure and processes accordingly.

The JRC uses its risk assessment expertise for developing vulnerability and interdependency assessment methodologies and framework tailored to enhancing the protection and resilience of critical entities and critical infrastructure system of systems.

Critical Infrastructure Protection

Understanding and modeling critical infrastructure vulnerabilities and security features is also a key element contributing to the resilience of critical entities. These assessments involve a systematic evaluation of infrastructure components, operational processes, and security protocols to uncover potential susceptibilities that could compromise service delivery or lead to significant disruptions. By applying these assessments, organizations can prioritize interventions and allocate resources effectively to fortify defenses, thereby enhancing the robustness of their infrastructure.

The JRC works in this field along two axes. First, the Hybrid Threats and Critical Entities Resilience (HYCER) team supports the development of the Commission non-binding resilience measures guidelines, which defines the security measures that entity owners and operators should consider enhancing their security posture and overall resilience. The HYCER team also works on the development of specific vulnerability assessment tools for supporting Member States and critical entity stakeholders in their expected risk assessment obligations and informing resilience enhancement decision making.

The European Union (EU) Knowledge Hub to Counter Terrorism

Discover EU data and tools to counter terrorism through the new Knowledge Hub. It provides with all relevant information in a one-stop-shop.

This portal facilitates access to available guidance and scientific research documents. It presents the overarching EU Policy framework for the protection public spaces and organizes guidance documents and in-depth research articles. In addition, it offers available tools and models. 

Most documents are directly downloadable. Others may require a justified request. A convenient search function also allows looking for specific document types, publication periods or keywords. Overall, the new Knowledge Hub provides with all the relevant information at your fingertips in a one-stop-shop.

Interdependency Assessment

Infrastructure interdependency assessment is a systematic process of evaluating how critical infrastructure systems interact together, rely on one another, and collectively contribute to providing essential services and supporting vital functions. By analysing the complex physical, cyber, geographic and logical relationships among socio-economic components, the assessment helps prioritize resilience strategies, optimize resource allocation, and inform policy decisions to ensure the continuity of essential services. It integrates data-driven modelling, scenario analysis, and stakeholder collaboration to map dependencies, quantify risks, and develop mitigation plans, ultimately enhancing the resilience (e.g., robustness and adaptability) of interconnected systems in the face of hybrid threats and compound risks. This approach is vital for fostering sustainable urban planning, emergency preparedness, and long-term infrastructure development in an increasingly interlinked world.

The JRC uses a tiered approach combining bottom-up and top-down frameworks and modelling capabilities to assess critical entities upstream and downstream capabilities, and cross-sector and cross-border impacts to support decision-making and inform regional security and resilience enhancement options.

Stress Tests, Training & Exercises

Stress tests, training, and exercises are vital for enhancing the resilience of critical entities, ensuring they are well-prepared to handle disruptions effectively. Stress tests allow organizations to assess vulnerabilities and system weaknesses by simulating various threat scenarios, thereby identifying areas that require reinforcement. Training programs ensure that personnel are equipped with the necessary skills and knowledge to respond to emergencies and maintain operational continuity. Regular exercises, which replicate realistic crisis conditions, help in evaluating the effectiveness of response plans and coordination between different stakeholders. Together, these tools foster a culture of preparedness, enabling critical entities to test their limits, refine their strategies, and build robust mechanisms for risk management and recovery. This proactive approach is essential for safeguarding essential services and reinforcing public confidence in the resilience of vital infrastructures during crises.

Below are some examples of Joint Research Centre (JRC)’s involvement in the development of stress tests, exercises, and training for supporting the implementation of the Critical Entities Resilience (CER) Directive.

Stress Test

In 2022, the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure recognized the importance of further developing critical infrastructure stress tests at national level or enhancing the resilience of critical infrastructure. In coordination with DG HOME, the JRC developed the methodology, scenarios and indicators supporting the energy sector stress test that was conducted by Member States. 

Table-Top Exercises (TTX)

The European Defence Agency (EDA) and Joint Research Centre (JRC) conducted a Tabletop exercise (TTX) in Bulgaria with over 80 European experts to enhance understanding of hybrid threats to defence-related critical energy infrastructure. The exercise simulated a synchronised and deliberate attack on democratic states, testing resilience and informing recommendations to strengthen preparedness and awareness among individuals, civil society, and companies. The exercise relied on a scenario involving fictional hostile states as well as criminal and para-military organisations, encouraging collaboration between European stakeholders to develop longer-term resilience. Overall, the exercise fostered a shared understanding of hybrid threats for enhancing resilience of defence-related critical energy infrastructure at European Union (EU) level.

The JRC supported the development of EU-wide fictitious scenarios to test the validity of the draft Critical Infrastructure Blueprint proposal in case of cross-border disruptions. The assessment was conducted with Member States, Commission Services and other EU institutions through a table-top exercise to Identify possible gaps or shortcomings at EU level.

Training

Among others, The HYCER team conducted training in academia at Politecnico di Milano to train future transport specialists and during the EUMA Summer School on Disaster Risk Management to explain the challenges of critical infrastructure protection and critical entity resilience. The teal also participated as instructors to the Critical Entities Resilience Advanced 2024 & 2025 Courses jointly organized by the European Security and Defence College (ESDC) and the Portuguese Guarda Nacional Republicana (GNR), which aimed to provide practitioners (i.e., mid‐ to high‐level representatives of public authorities, Critical Entities or Critical Infrastructure (CI) owners/operators (private and state) with responsibilities for the development, formulation and implementation of security strategies, policies and mechanisms for Critical Entities Resilience and CI protection) a significant grounding in the framework of Critical Entities Resilience (CER), including critical infrastructure protection.

POSEIDON

The "Platform-based Operational System Events and Injects Distribution Online" (POSEIDON) is an advanced tool created by the European Commission's Joint Research Centre. This innovative platform is designed for the seamless online management, real-time execution, tracking, and evaluation of operational exercises, whether they are tabletop or field scenarios. POSEIDON stands out as an essential resource for orchestrating intricate training and preparedness exercises, significantly improving engagement, communication, and feedback mechanisms among various stakeholders. Its robust capabilities make it indispensable for coordinating complex exercises and enhancing overall readiness.

POSEIDON has demonstrated its versatility and broad applicability across various exercises, playing a vital role in enhancing training and preparedness. It has been instrumental in exercises such as Parallel AND Coordinated Exercise (PACE) 2024, where it supported the preparation and execution phases by engaging diverse stakeholders and refining scenarios for optimal performance. The platform's advanced coordination and reporting features have been leveraged in national and international exercises, involving multiple sectors and fostering collaboration among stakeholders. POSEIDON's ability to efficiently manage complex scenarios ensures that it remains a valuable asset for strengthening crisis management capabilities and promoting cooperative efforts across different member states and sectors.