Resilience of critical entities
The CER Directive (Critical Entities Resilience Directive) concerns the resilience of entities critical to the functioning of society. The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025), which implements the CER Directive, entered into force on 1 July 2025. The Ministry of the Interior is responsible for coordination of the law. For entities supervised by Fimea, the Ministry of Social Affairs and Health will name the critical entities by 17 July 2026. After that, the designation of critical entities will take place every four years.
The Act covers several sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and food production, processing and distribution. The Act applies to a critical entity as defined under this Act and its obligations to improve resilience. With regard to cybersecurity risk management and incident reporting, entities identified as critical under the CER Directive are subject to obligations under the Cybersecurity Act.