CER Directive: EU law introduces quality control of security services in Critical Infrastructure Protection

Especially when it comes to protecting Critical Infrastructure, security services must meet the highest quality standards. However, this is often not reflected in operators' procurement practices to date. CoESS therefore highly welcomes the EU Directive on the Resilience of Critical Entities (CER Directive), which was finally adopted on 08 December 2022. It is the first EU law recommending that operators of Critical Infrastructure control the quality of security services.

Security companies and personnel are an integral part of Critical Infrastructure Protection (CIP) in many countries. It should therefore be self-evident that authorities and operators deploy adequately trained, equipped and qualified security personnel to protect these facilities, which are crucial to the functioning of our societies and economies - even if this may involve additional costs.

Unfortunately, however, even in the Critical Infrastructure sector, security service providers are still often selected primarily on the basis of cost rather than quality. Especially in today's world, where Critical Infrastructure is increasingly exposed to hybrid risks and threats, such practices must stop in order to avoid vulnerabilities and shortcomings in CIP.

What we need are tenders that verify the quality of the provider - for example, based on existing industry standards such as EN 16082 (airport and aviation security services), EN 16747 (maritime and port security services) and EN 17483 (critical infrastructure protection security services).

The now adopted EU Directive on the Resilience of Critical Entities (CER Directive) will allow for this to be implemented at EU level: it is the first EU law recommending quality control of critical personnel in CIP, including private security services, with the help of Standards.

About the CER Directive

Already in 2020, the European Commission had rightly recognised that Critical Infrastructure in Europe faces an increasingly complex risk environment. With a proposal for two new Directives published in December 2020, the Commission therefore aimed to introduce EU-wide obligations for operators of critical entities in terms of their physical protection (CER Directive) and cybersecurity (NIS-2 Directive). Both Directives have now been adopted, the CER Directive by the EU Council on 08 December 2022 after the positive vote in the European Parliament in November 2022.

CoESS advised EU institutions on the text of the CER Directive for the past three years – managing to get the security industry’s recommendation reflected in the final legal text:

The Directive defines a process for Member States to identify “critical entities” in 11 sectors. These critical entities must take appropriate and proportionate technical, security, and organisational measures, as described in the text. Thanks to CoESS’ engagement in the discussions around the proposal, private security is now mentioned in the provisions, which was not the case in the Commission proposal, and is qualified as “critical personnel”. For such critical personnel, it is recommended that operators check adequate training and qualification – also an addition to the original proposal. And Member States shall help operators comply with these provisions by promoting the use of Standards (EN 17483-1:2021).

Next steps: transposition at national level

The Member States now have 21 months to transpose the Directive into national law with the option to introduce stricter rules. This means that it is important for the security industry in the Member States to ensure an implementation of the text that corresponds to the adopted version and efficiently enforces quality control measures of security service providers for critical infrastructure operators.

But one thing is already certain: the CER Directive is already an important milestone for the enforcement of quality procurement in the field of CIP.