CRU prioritises effectiveness, efficiency, sustainability and customer protection in 2026
30th March 2026

Energy security and the EU Critical Entities Resilience Directive

Across the PwC network, and through our Global Crisis and Resilience Centre, discussions with energy sector leaders consistently reveal a challenging and fast‑evolving risk landscape. Geopolitical tensions, increasingly sophisticated cyberattacks on digital and operational infrastructure, and persistent capacity constraints across energy networks all pose significant threats to the continuity of essential energy services. These pressures also have broader economic and societal implications. Against this backdrop, the European Union’s Critical Entities Resilience (CER) Directive has emerged as a central framework guiding energy organisations in strengthening their resilience.

CER Directive as a resilience framework

Energy clients acknowledge the diverse and interconnected risks they face. Geopolitical instability, including conflicts, trade restrictions, and supply chain disruptions, can sharply affect access to critical resources. Cyberattacks on grid control systems and operational technology continue to grow in scale and complexity, heightening the risk of service interruptions. At the same time, increasing energy demand and the rapid integration of renewable sources add pressure to network capacity and expose new vulnerabilities.

The CER Directive requires Member States to conduct comprehensive risk assessments spanning natural, cyber, hybrid, and geopolitical threats. This process helps identify critical energy entities and enables tailored obligations that reflect the scale and nature of the risks involved.

Drawing on our experience in financial services, we have sought insights on integrating risk and resilience in a way that moves beyond compliance. While some financial entities may benefit from exemptions or narrower scopes under the CER Directive, our work consistently shows that risk prevention alone is insufficient. A “resilience by design” approach, focused on anticipating severe but plausible disruptions and limiting their cascading impacts, is essential.

Using our Enterprise Resilience Maturity Assessment, we support energy clients by conducting gap analyses, benchmarking performance, and defining roadmaps to reach their desired resilience maturity. This includes mapping critical services, analysing dependencies, and running scenario tests to validate preparedness. Strengthening collaboration between risk and resilience teams helps turn regulatory obligations into strategic advantage.

From compliance to resilience by design

Energy sector leaders are keen to understand how the CER Directive translates into day‑to‑day practice. The Directive requires organisations to implement proportionate technical, security, and organisational measures across prevention, protection, response, recovery, and personnel security. It also emphasises the appointment of liaison officers to ensure effective communication with national competent authorities responsible for supervising compliance and enforcing requirements when necessary.

A foundational step is aligning internal risk and resilience frameworks with the Directive and relevant national strategies. This includes applying insights from national risk assessments that take account of geopolitical tensions, cyber challenges, and network capacity pressures. Embedding substitution strategies, such as alternative supply chains or backup systems, into continuity plans is increasingly critical. These contingency options must be thoroughly tested to understand their implications for controls, dependencies, and risk appetite.

Governance, collaboration and execution

Robust governance and clear roles are central to building strong organisational resilience. Our engagements with clients highlight the value of reviewing and reshaping resilience governance structures to support an integrated approach that breaks down operational silos. Eliminating these barriers enhances collaboration across internal functions and strengthens relationships with regulators.

We have found that organisations often need to redefine responsibilities to promote cross‑functional cooperation, and to develop management information and reporting systems that support timely incident notification, as required by the CER Directive. This enables coordinated and effective responses to disruptions of essential energy services. Finally, it is important to enhance horizon‑scanning and analytics capabilities so organisations can identify emerging threats earlier, while maintaining strict safeguards for confidential information in line with regulatory expectations.

Conclusion

Geopolitical instability, cyber threats, and network capacity constraints continue to create significant challenges for the energy sector. The CER Directive provides a practical and harmonised framework for strengthening resilience through proportionate and risk‑informed measures. By applying lessons from financial services and embracing a resilience‑by‑design mindset, energy organisations can better anticipate, absorb, and recover from disruption. PwC’s global network and local teams are working closely with energy clients to translate the Directive into practical action, helping protect vital energy infrastructure in an increasingly complex risk environment.

 

 

Kim McClenaghan
Partner
Energy & Utilities Consulting

Andy Banks
Partner
Enterprise Resilience

Eric Timon
Director
Enterprise Resilience

For more information
contact www.pwc.ie