The Critical Entities Resilience Directive (CER) 101

The healthcare industry is constantly under pressure due to both online and offline threats. For this reason, the bar for medical devices is continually being raised in order to ensure both the safety of those in need of health care and the stability of industry operations.

In parallel with the introduction of the Network and Information Security 2 (NIS2) Directive, the European Commission has also adopted the Critical Entities Resilience (CER) Directive, focusing on the protection of public and private organizations against physical threats. Both of these Directives aim to increase resilience and counter threats that could disrupt society.

If you already learnt about NIS2 from our previous e-book, it’s time to go deeper into the CER Directive and how it affects the healthcare sector and Medical Device Manufacturers (MDMs).

The CER Directive: What you need to know 

The CER Directive replaced the European Critical Infrastructure Directive, which was released back in 2008. The new Directive established stronger rules to prevent disruptions amongst essential services and the operations of society and the economy. The CER Directive therefore concentrates on a wider range of risks rather than just cyber-related ones, which has already been the main focus in NIS2.

The purpose of the CER Directive is to reduce vulnerabilities and reinforce the physical resilience of critical entities. These entities comprise of 11 sectors which are responsible for the functionality and livelihood of both EU citizens and the internal market.

Under the influence of the CER Directive, Member States are required to develop a national strategy to identify the critical entities that deliver essential services, as well as undertake periodical risk assessments and publicly communicate the results with those critical businesses.

Meanwhile the essential entities included in the aforementioned sectors are responsible for identifying the risks that could seriously impair the delivery of their services. In order to ensure their resilience, they must take the necessary precautions against threats such as natural catastrophes, terrorist threats, medical problems and hybrid attacks. Notifying the competent authorities of disruptive incidents is also mandatory.

How do NIS2 and CER affect the healthcare sector? 

It is noteworthy that CER is only applicable for critical entities, not for all MDMs. If a company fits under one of the following categories, it is classified as a critical entity:

  • Healthcare providers
  • EU reference laboratories
  • Firms engaging in the development and research of medicinal products
  • Firms producing fundamental pharmaceutical items and pharmaceutical preparations
  • Firms manufacturing medical devices are regarded as crucial during a public health emergency
  • Entities with a distribution authorization

In practice, Member States will have to make sure that these two Directives are carried out in unison. Although both Directives address cybersecurity, CER places a stronger emphasis on the physical and non-cyber-related resilience, whereas NIS2 is more concerned with the digital cyber-related resilience of the EU’s critical infrastructures.

The combination will provide a comprehensive framework for the cyber and non-cyber resilience of critical entities. This is crucial for the healthcare sector, particularly for MDMs, given that the disruption of medical devices comes from both online and offline threats, negatively affecting patient outcomes.

What timelines should MDMs be aware of? 

From 2024, Member States must implement a strengthening critical entity resilience strategy in accordance with the CER Directive. The strategy must cover specified elements, such as identifying essential services, compiling a list of crucial organizations, outlining the duties that must be met and conducting periodical risk assessments at least every four years.

The new rules take effect only when Member States successfully transpose the requirements of the NIS2 Directive and the CER Directive into national law. For both Directives, Member States must publish these national laws by October 17, 2024 and put them into action the following day. However, rather than waiting until the 2024 deadlines, it is strongly advised that enterprises, including MDMs, begin their NIS2 and CER compliance preparations immediately.

What actions should MDMs take to comply with the two Directives? 

Before the national legislation is finalized, MDMs can prepare by taking measures to improve the safety and resilience of their processes and services. They can also start building their reporting mechanisms.

To comply with NIS2, strengthening security requirements must be a top priority to mitigate relevant cybersecurity risks and ensure robust incident management process.

Meanwhile, as mentioned above, not all MDMs are covered by CER. MDMs will only be subjected to the relevant regulations until they have been specifically identified by each Member State as critical entities, based on the pertinent standards outlined in the CER Directive. MDMs should therefore keep a close eye on the latest information at the Member States level keep a close eye on the latest information at the Member States level to determine whether or not the CER Directive will apply to them and have an actionable plan accordingly.

Want to discover more? 

Feel free to start a conversation with our experts to learn more about CER and NIS2, as well as how to ensure your medical devices best comply with these.