Animated video Critical Entities Resilience Law

Critical Entities Resilience Law

For a properly functioning society
some services are essential,
including energy, drinking water and healthcare.

Organisations critical to these services
must be resilient to physical threats,
such as terrorism, sabotage, and natural disasters.
This is why the European Union adopted
the Critical Entities Resilience Directive – the CER.

In the Netherlands, this directive is being implemented
into national law as the Critical Entities Resilience Law.

The Dutch Ministry of Health, Welfare and Sport designates
critical entities within the healthcare sector.

Critical entities are organisations
that are essential for healthcare services.
Think of healthcare providers, EU reference laboratories,
organisations conducting pharmaceutical research,

pharmaceutical companies, manufacturers of key
medical devices during emergencies, 
during emergencies, and organisations holding 
a distribution authorization for medicines.

First, the Ministry conducts
a risk assessment for the healthcare sector,
and determines the criteria for designating critical entities.
These critical entities will be designated
once the law takes effect in 2026, 
with a final deadline of 17 July 2026.

If an organisation is designated as a critical entity,
it will have 10 months to comply with the legal requirements.
Critical entities have a duty of care.
This means they must conduct a risk assessment.

Based on the risks identified, organisations must take measures
to prevent, mitigate, and manage physical incidents.
For example, they must develop crisis management plans
or implement access security measures.

Critical entities also have an obligation to report.
Serious physical incidents must be reported
within 24 hours through an incident reporting portal.

The Dutch Health and Youth Care Inspectorate supervises
critical entities within the healthcare sector.

Critical entities must also protect themselves
against digital threats.
This is why they must also comply with the Cyber Security Law.

This way, the healthcare sector will be
more resilient to physical and digital threats.

If you want to learn more about the Critical Entities Resilience Law,
visit datavoorgezondheid.nl/weerbaarheid.