Protection of Critical Infrastructure and the Resilience of Critical Entities

1. Introduction

At the core of national protection lies the safeguarding of the vital interests and essential needs of the country and its population through the maintenance of vital societal functions.

The essential services required for these functions rely on critical infrastructure operated by critical entities. Their disruption or unavailability may lead to severe disturbances or even a crisis affecting society, the economy, or national security.

These interconnected and interdependent infrastructures are exposed to multiple risks — natural, technological, human, or cyber-related — that may affect their operation or continuity.

In this context, the resilience of critical entities is based on a comprehensive approach aimed at preventing disruptions, limiting their impact, and ensuring the continuity of essential services, including during crisis situations.

It therefore constitutes a central pillar of national protection and directly contributes to maintaining vital societal functions and safeguarding the vital interests and essential needs of the country and its population.

2. Contexts

2.1. National Context

At national level, the resilience of critical entities forms part of the national protection concept. The High Commission for National Protection plays a central coordinating role within a whole-of-government approach involving competent authorities, sectoral and functional authorities, and the relevant critical entities.

2.2. European Context

At the level of the European Union, the CER Directive establishes a common all-hazards framework, complemented by cybersecurity requirements. Its objective is to ensure the continuity of essential services at the core of the internal market.

2.3. NATO Context

Within NATO, the resilience of critical infrastructure supports civil preparedness — understood as the ability to ensure continuity of government, the provision of essential services to the population, and civil support to military operations — thereby contributing to national and collective resilience.

3. Governance and Strategy

The governance of the resilience of critical entities is based on a structured framework derived from the CER Directive and transposed into national law by the Law of 5 May 2026 on the resilience of critical entities. This framework is further implemented through the National Resilience Strategy and the Strategy for Strengthening the Resilience of Critical Entities. It forms part of a multiannual strategic cycle integrating risk assessment, identification of critical entities, implementation of resilience measures, support, and supervision.

The Strategy for Strengthening the Resilience of Critical Entities constitutes the national implementation framework for the CER Directive. It defines the strategic objectives, priorities, governance framework, risk assessment processes, identification of critical entities, and the arrangements for support, supervision, and coordination with other relevant frameworks, particularly in the field of cybersecurity.

A dedicated page presents this strategy in greater detail.

4. Risk Assessment and Identification

Risk assessment identifies threats, vulnerabilities, dependencies, and interdependencies that may affect the provision of essential services. It covers risks of natural, technological, human, or malicious origin and relies in particular on sectoral risk assessments and the analysis of reported incidents.

The identification process aims to identify entities whose infrastructure failure could lead to a crisis within the meaning of the national protection concept. It is based on an analysis of potential disruptive effects, allowing their scale, duration, and impact to be assessed. The criticality criteria therefore reflect the crisis potential associated with such effects.

5. Security and Resilience Measures

Critical entities implement appropriate and proportionate technical, organisational, and security measures to ensure their resilience. These measures notably cover incident prevention, infrastructure protection, personnel security, training and awareness-raising, crisis management, business continuity, recovery, and cybersecurity.

Within the scope of their respective competences, the competent CER authorities and the competent NIS2 authorities, as well as sectoral and functional authorities, ensure, where appropriate, the implementation, coordination, and support of the arrangements necessary to maintain the continuity of essential services.

6. Support, Supervision, and Cooperation

Support for critical entities includes risk awareness activities, dissemination of guidance documents, organisation of training sessions and exercises, as well as the facilitation of networks promoting the exchange of practices and the development of a culture of resilience.

Supervision is based on a proportionate and trust-based approach combining guidance, oversight, and coordination among competent authorities, including with regard to the interaction between the CER and NIS2 frameworks.

The resilience of critical infrastructure ultimately relies on close cooperation at national, European, and international levels, including regional frameworks, NATO, and stakeholders from research and innovation.

7. Standardisation and Resilience

Standardisation remains primarily a market-driven process. Authorities encourage the use of relevant European and international standards in order to support a coherent and structured implementation of security and resilience measures.

Standards relating to business continuity, crisis management, organisational resilience, risk management, and cybersecurity constitute recognised reference frameworks for strengthening the resilience of critical entities.