4 Steps to Help Businesses and Infrastructure Prepare for the EU CER Directive

Europe is entering a major transformation in resilience thinking. Under the Critical Entities Resilience (CER) Directive, organizations are not only required to manage risks but also to understand, demonstrate, and maintain the elements that are “critical” to their operations, economy, and society.

In the past, resilience often meant protecting individual assets or recovering from isolated incidents. However, in today’s context — where climate risks, cyberattacks, and supply chain disruptions occur simultaneously — businesses need a comprehensive criticality assessment system to ensure overall resilience.

The Difference Between “Criticality” and “Risk”

Although often mentioned together, the two concepts serve different purposes:

• Criticality Assessment: identifies what is most important by analyzing how each service, asset, or process impacts operations, society, and regulatory compliance. This step focuses on impact orientation rather than causes of risk.

• Risk Assessment: identifies what could threaten those critical elements — such as cyberattacks, natural disasters, or supply chain disruptions — and evaluates the likelihood, impact, and controllability.

The order matters: a business must know what is core before assessing risks. This approach optimizes resources and ensures focus on truly essential services.

Why Criticality Assessment is the Foundation of Resilience

Failing to identify critical elements can lead to:

• Overprotection: investing in assets that are not truly essential.

• Risk Blind Spots: overlooking hidden interdependencies in infrastructure or supply chains.

A structured assessment helps organizations see the relationships between systems, identify weak points that could trigger cascading effects, and build a foundation for transparent governance and data-driven decisions — valued by regulators, investors, and stakeholders alike.

4 Steps to Build a Criticality Assessment Framework

Step 1 – Define What “Critical” Means
Develop a multi-dimensional definition that goes beyond financial value to include impacts on human safety, social stability, legal obligations, the environment, and supply chains.
Example: a small regional water treatment plant may impact hospitals, food factories, and power stations — turning a local issue into a cross-sector problem.

Step 2 – Categorize Levels of Criticality
Classify services and assets into three tiers:

• Tier 1: disruption causes severe or cross-border consequences.

• Tier 2: significant but manageable within acceptable limits.

• Tier 3: localized impact, quickly recoverable.

This structure helps prioritize investments, plan contingencies, and shorten recovery times for the most critical elements.

Step 3 – Map Dependencies and Redundancies
Each essential service should trace its internal and external dependencies — such as infrastructure, energy, IT, suppliers, or cloud data. This step reveals single points of failure, where a minor incident could cripple multiple critical services.
Additionally, organizations should define the maximum allowable recovery time (RTO) to design appropriate response plans.

Step 4 – Build a “Criticality Register”
This document consolidates all critical information within the organization — including service lists, criticality tiers, dependencies, recovery times, and supporting evidence.
The register supports internal management and serves as proof of CER compliance to regulators.

From Reactive to Proactive

The CER Directive marks a turning point in risk management thinking:

• From reacting to crises → to proactively designing resilience.

• From isolated risks → to systemic thinking about interconnections and dependencies.

Criticality assessment is not only a mandatory starting point of CER but also the foundation for sustainable, transparent, and adaptive governance — helping businesses maintain stability, build investor confidence, and prepare for the future of green finance and resilient infrastructure.

ARDOR Green supports Vietnamese businesses and cities in adopting international assessment frameworks and standards such as CER, helping infrastructure, services, and investments develop sustainably, flexibly, and ready for any disruption.