In the Republic of Ireland, the authorities have published a National Strategy on the Resilience of Critical Entities.
You can view the 68-page document at gov.ie. It sets out how the Republic plans to implement the European Union (Resilience of Critical Entities) Regulations 2024. In a foreword, Helen McEntee, Minister for Defence, described the strengthening of national resilience is a priority, and the launch of this Strategy as an important first step. She added: “I am also conscious that changes of this magnitude will not happen quickly but will require a long-term commitment.”
Briefly put, Ireland will identify ‘Critical Entities’, support them in conducting risk assessments in line with a National Risk Assessment, and oversee ‘suitable resilience measures’. The Department of Defence acts as the single point of contact as set out in the Regulations. For the ‘public administration sector’, a working group, reporting to the Minister for Defence, will oversee work towards their meeting the Regulations.
Defined
Critical Entities are defined as ‘essential services’ such as electricity, transport, banking, healthcare providers, drinking water and waste water, cloud computing and data centres; and food production and distribution. ‘Appropriate mitigation measures’, informed by risk assessments, must be taken. Dublin government departments will be invited to share their risk assessments with the Department of Defence.
Comments
David Ferbrache, managing director at the cyber security and crisis response consultancy Beyond Blue said: “In contrast, there is currently no direct equivalent to the CER Directive in the UK. While the Cyber Security and Resilience Bill (CSRB) is currently progressing through Parliament, it places a strong emphasis on cyber security but gives less attention to broader resilience concerns. These concerns cannot be ignored, protecting the availability of critical infrastructure cannot be achieved by only looking through the cyber lens. A more holistic approach is needed which bridges the cyber security and operational resilience disciplines.
“This therefore raises important question as to whether the UK should adopt an all-hazards approach which reflects the reality of today’s interconnected environment, recognising that disruption to critical services may come in many forms and from many sources. This all-hazards approach may require broader legislation and alignment of regulatory expectations on operators of essential services and their suppliers.ย While it’s unlikely that such provisions will be incorporated into the CSRB at this late stage, the UK government cannot afford to overlook this challenge in future.”
And Seamus McCorry, country manager Ireland at Check Point Software, described the document as a significant and welcome step, but also a long overdue one. He said: “The 2021 Conti ransomware attack on the HSE [Health Services Executive] was a watershed moment for Irish cybersecurity. When critical services go down, real people are harmed, appointments are cancelled, records are lost, public confidence is shaken, and it is right that the government has responded with a structured, long-term framework.
“What stands out in this strategy is the recognition that resilience cannot be viewed through a single lens. The alignment with the EU’s CER Directive, alongside existing obligations under NIS2 and DORA, reflects a maturing understanding that cyber threats, physical risks, and operational dependencies are deeply intertwined. Ireland’s critical entities, from energy and water to healthcare and digital infrastructure, increasingly rely on complex, interconnected supply chains, and any resilience strategy must account for that reality.
“The timing of this strategy could not be more critical. As Ireland prepares to assume the Presidency of the Council of the European Union this July, the country is already experiencing a sharp rise in cyber threat activity. Check Point Research data shows Irish organisations faced an average of 1,529 cyberattacks per week in February 2026 alone, a 62 per cent year-on-year increase. Countries holding major diplomatic and policy leadership roles routinely become more attractive targets for cybercriminal groups and state-aligned actors, and with Ireland set to chair EU negotiations, host ministerial meetings and coordinate legislative priorities for six months, both public sector bodies and organisations connected to government operations face elevated risk.
“The emphasis on governance, risk assessment methodology, and cross-sector coordination is exactly the right foundation to build on, but compliance frameworks alone don’t stop attacks. What critical entities need alongside strategic governance is the ability to detect, prevent, and respond to threats in real time, particularly as threat actors increasingly target OT environments, supply chains, and cloud infrastructure.
“Ireland now has a genuine opportunity not just to implement CER effectively, but to lead by example across Europe. Assuming the EU Presidency while simultaneously standing up a national CNI resilience framework sends a powerful signal to member states about what serious, joined-up security leadership looks like. With the October 2026 transposition deadline fast approaching, Irish organisations across every critical sector need to stress-test their security posture now, not wait for regulation to force their hand. This strategy gives them the roadmap; the work of securing it starts today.”
