Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

Article Insight

Critical entity identification deadline looms large

Insights Energy 27 May 2026 5 min read read

The deadline under EU law for Member States to identify “critical entities” is 17 July 2026. Our Competition, Antitrust & Foreign Investment team discusses the consequences for critical entities including onerous compliance obligations, subject to certain exceptions. Critical entities operating in Ireland also need to be aware of the potential broader implications of identification for their corporate transactions.

The EU Critical Entities Resilience Directive[1] (CER Directive) establishes a framework across the European Union to ensure that entities providing essential services can prevent, withstand, respond to, and recover from disruptions. These disruptions may be caused by natural, accidental or intentional threats. The CER Directive was transposed into Irish law in October 2024 by the European Union (Resilience of Critical Entities) Regulations 2024[2] (the Regulations).

The Government’s strategy[3] for strengthening the resilience of critical entities and essential services involves identifying critical entities and establishing a governance framework to improve resilience concerning all hazards.

What is the relevant oversight authority?

The Department of Defence acts as the single point of contact for Ireland in the EU regarding the Regulations and liaising with other Member States.

The Minister for Defence has designated competent authorities for each of the 11 sectors covered by the Regulations. For example, the competent authority for the energy sector is the Commission for Regulation of Utilities, while the competent authorities for the health sector include the Health Information and Quality Authority and the Health Products Regulatory Authority.

Competent authorities are responsible for overseeing the application and enforcement of the Regulations in their sector. This includes:

  1. Identifying and maintaining a list of critical entities
  2. Carrying out audits, and
  3. Where necessary, taking enforcement action including conducting on-site inspections

What is a 'critical entity'?

Under the Regulations, a critical entity is one that meets each of the following cumulative criteria:

  1. Provides one or more essential services
  2. Operates in Ireland, and has critical infrastructure located here, and
  3. It would, if it experienced an incident, have a significant disruptive effect on the provision by the entity of one or more essential services

The competent authority will use information from the National Risk Assessment[4] to identify critical entities. It then may require operators of essential services to provide information necessary for the identification process. Additionally, entities that are notified by a competent authority about their proposed identification have an opportunity to make representations to the competent authority. These representations must be made not less than 15 working days after the date of the notification.

What requirements do the Regulations impose on critical entities?

The Regulations impose several requirements on critical entities, including to:

  • Conduct a risk assessment:
    • First, no later than nine months after being notified of their identification
    • Again, no later than four years from the date of the initial risk assessment, and
    • Periodically whenever a new material risk is identified
  • Implement resilience measures no later than 10 months after being first notified of their identification. These measures should be designed to enable the critical entity to prevent, protect against, and respond to an incident
  • Maintain and apply a resilience plan describing the resilience measures taken
  • Report to the competent authority any significant disruptive incidents, comprising:
    • An initial written notification within 24 hours after becoming aware of the incident
    • A detailed report not later than one month after becoming aware of the incident
  • Appoint a liaison officer as the point of contact for the competent authority

Do the requirements of the Regulations apply to entities covered by NIS2 and DORA?

Critical Entities identified under the Regulations will also be designated as Essential Entities under the NIS2 Directive[5] and will accordingly be subject to all of the obligations of Essential Entities.

The Regulations impose equivalent requirements on critical entities to those imposed by the NIS2 Directive and the DORA Regulations[6] on entities in the digital infrastructure sector and the banking and financial market infrastructure sectors, respectively. Therefore, to avoid duplication, certain obligations under the Regulations will not apply to critical entities operating in these sectors.

What are the penalties for non-compliance with the Regulations?

Non-compliance with the requirements of the Regulations may result in fines on individuals of up to €50,000 and on entities of up to €500,000 on conviction on indictment. Directors and officers can be held personally liable where an offence is committed with their consent, connivance, or wilful neglect.

Will identification have broader implications for critical entities?

Certain transactions involving the acquisition of all or part of a critical entity by a ‘third country’ undertaking, or a person connected with such an undertaking, will be subject to a mandatory notification obligation under the Irish investment screening regime.

Parties to a transaction meeting the relevant mandatory notification criteria are required to notify the transaction to, and obtain approval from, the Minister for Enterprise, Tourism and Employment in Ireland before completion. This process can take several weeks or months in some cases. A failure to notify and obtain approval for a transaction prior to completion is a criminal offence under the relevant investment screening legislation.[7]

What are the key takeaways for critical entities?

Critical entities should consider what representations they may wish to make to their competent authority. They should also consider, if identified, how they will fulfil the requirements of the Regulations, including whether and to what extent alignment with NIS2 compliance is required.

Parties to a transaction involving the sale of a critical entity's shares or assets to a third country undertaking, or a connected person, should seek specialist legal advice early in the deal timeline. This is to identify any notification requirements, with a view to minimising the potential delay to completion.

For more information and expert advice, please contact a member of our Competition, Antitrust & Foreign Investment team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities.

[2] S.I. No. 559 of 2024.

[3] National Strategy on the Resilience of Critical Entities (2026 - 2029)

[4] National Risk Assessment of Ireland 2023 (Updated in 2026)

[5] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.

[6] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

[7] The Screening of Third Country Transactions Act 2023.

Related Content

View All →