CER FAQs

The CER Directive, Directive – 2022/2557 – EN – CER – EUR-Lex, was published in the EU Official Journal on 14 December 2022.

The Critical Entities Resilience (CER) Directive has been transposed into Irish law by  S.I. No. 559/2024 – European Union (Resilience of Critical Entities) Regulations 2024.

The CER Directive states that it should be possible for Member States to designate or establish more than one National Competent Authority with different roles or supervising different sectors.

The Irish Government has appointed the Minister for Defence as the national single point of contact and multiple other bodies as National Competent Authorities for each of the sectors in the CER Directive.

The Commission for Communications Regulation (ComReg) has been designated as the competent authority in the State on resilience in respect of critical entities in the Digital Infrastructure sector.

The Irish Government has designated ComReg as the National Competent Authority under the European Union (Resilience of Critical Entities) Regulations 2024 for the Digital Infrastructure sector. This sector consists of the following categories of entities:

• Internet exchange point providers
• DNS service providers (excluding the operators of root name servers)
• TLD name registries
• Cloud computing service providers
• Data centre service providers
• Content delivery network providers
• Trust service providers
• Providers of public electronic communications networks
• Providers of publicly available electronic communication services

The functions of ComReg as National Competent Authority for the Digital Infrastructure sector are set out in Regulation 9.(1), (2), (3), (4), (5), (6), (7), (8) and (11) of the European Union (Resilience of Critical Entities) Regulations 2024.

The functions and obligations of ComReg include:

• Participating in, and informing, a national risk assessment
• Identifying critical entities for the Digital Infrastructure sector and establishing and maintaining a list of such entities
• Notify an entity of its proposed identification as a critical entity
• Co-operating and exchanging information and good practices as required with critical entities in the digital infrastructure sector

In accordance with Regulation 11 of the European Union (Resilience of Critical Entities) Regulations 2024, the Minister for Defence published the updated National Risk Assessment of Ireland 2023 (Updated 2026) and in accordance with Regulation 10, published the National Strategy on the Resilience of Critical Entities (2026-2029) (link to National Risk Assessment and National Strategy on the Resilience of Critical Entities 2026 – 2029)

ComReg will take into account the outcomes of the National Risk Assessment and National Strategy on the Resilience of Critical Entities to identify critical entities in the Digital Infrastructure sector. In addition to the national risk assessment, the regulations provide that ComReg will identify an entity as a critical entity in the Digital Infrastructure sector where ComReg is satisfied that:

• The entity provides one or more essential services
• The entity operates, and its critical infrastructure is located, in the state
• An incident would have a significant disruptive effect on the provision of an essential service

ComReg shall identify critical entities in the Digital Infrastructure sector by 17 July 2026 and entities that have been identified as being in scope will be informed by ComReg within one month of being formally identified.

An entity that is identified as a critical entity in the Digital Infrastructure sector will be considered an essential entity under the NIS2 Directive and will be subject to all of the obligations of essential entities under the NIS2 Directive. Further information on the NIS2 Directive is available at Directive 2022/2555.

The CER Directive includes specific provisions on its implementation which indicate that this should be coordinated with the implementation of the NIS2 Directive. The requirements laid down in the NIS2 Directive are at least equivalent to the corresponding obligations in the CER Directive. The obligations in Article 11 and Chapters III, IV and VI of the CER Directive should not apply to entities belonging to the Digital Infrastructure sector in order to avoid duplication and unnecessary administrative burden.

The CER Directive aims to ensure that competent authorities designated under both the CER and NIS2 Directives take complementary measures and exchange information regarding cyber and non-cyber resilience.

When an entity is identified as a critical entity under the CER Directive it is considered to be an essential entity under the NIS2 Directive.