EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
Ireland’s CERD-aligned strategy turns resilience into an operating reality where essential services run through AI-driven disruption.
In brief
- Resilience is repositioned as a critical infrastructure, shifting expectations from protection and recovery to continuity of essential services under stress.
- CERD demands resilience be engineered into interconnected digital, physical and AI-enabled systems, not managed through plans alone.
- Critical entities must redefine essential services, map hidden dependencies and design operations to function as disruption unfolds.
Ireland’s National Strategy on the Resilience of Critical Entities, aligned with the EU Critical Entities Resilience Directive (CERD), marks a clear evolution in how the State approaches risk, disruption and continuity. There’s an underlying assumption that essential services must keep running even when systems are under strain and that resilience has to be deliberately built into the foundations that support society.
All of this is happening against a backdrop that has fundamentally changed. Today’s economies are shaped by AI, digital platforms and tightly interconnected systems. Dependencies are no longer linear or easy to see. They are distributed, often outside direct control, and increasingly exposed. In this environment, disruption is no longer an occasional event. It is an ever‑present condition.
It is here that the concept of a Resilient Nation becomes tangible. Not as a long‑term aspiration, but as an operating reality, where essential services are treated as core infrastructure and resilience is engineered into the systems on which daily life depends. Resilience Engineered reflects this shift, describing systems that continue to operate under stress, sustaining essential services while disruption is unfolding, rather than failing and relying on recovery processes.
As we have previously argued in EY, resilient systems are fast becoming a shared foundation of national competitiveness, public trust and operational endurance. Ireland’s CERD strategy now starts to translate that broader ambition into clear, practical expectations for critical entities.
Resilience as critical infrastructure
Ireland is reframing what resilience really means. Rather than treating it as an internal control or a technical discipline within organisations, it is positioning resilience as a national capability. It positions it as one that determines whether essential services can continue to function when pressure builds.
Under the EU’s Critical Entities Resilience Directive (CERD), organisations designated as critical entities are expected to understand which essential services they provide, assess the risks that threaten them — whether physical, digital or systemic — and put measures in place to keep those services running during disruption. Ireland’s National Strategy brings these expectations together, turning European policy into a joined‑up national approach that begins to move resilience from intent to action.
This represents a break from how resilience has traditionally been approached. For years, the focus has been on protection, securing systems, strengthening infrastructure and managing risk within organisational boundaries. Those efforts remain important, but on their own they are no longer enough. In a world shaped by interconnection and dependency, disruption rarely stays contained and failures do not happen in isolation.
The expectation has, therefore, changed fundamentally: from simply protecting systems and recovering after the fact, to ensuring that essential services can continue to operate through disruption itself.
When systems are interconnected, resilience must be engineered
CERD is reaching an inflection point, gaining momentum just as AI begins to fundamentally reshape how systems operate. As organisations rely more on AI in day‑to‑day decisions and operations, systems are becoming more connected, more dependent on one another, and harder to predict. When something goes wrong, failure can spread quickly and is often difficult to contain. In this environment, resilience cannot be something organisations plan for on paper or address after disruption has already happened. It has to be built into how systems are designed and run from the start.
This is what “resilience engineered” points to. Systems that continue to function under pressure, keeping essential services running while disruption is unfolding, rather than failing first and relying on recovery later.
That requires a different mindset. Resilience is not an added layer or a technical fix. It is about designing systems with a clear understanding of the dependencies that sit beneath critical services. In practice, many organisations still struggle with this. They often have limited visibility beyond their own boundaries and cannot clearly explain how services would operate if multiple disruptions happened at the same time.
This is the gap Ireland’s CERD‑aligned strategy begins to close. A Resilient Nation is not one where disruption never occurs, but one where essential services are able to endure and continue, even when it does.
From continuity planning to operating through disruption
CERD is often read through the lens of traditional business continuity planning. That is understandable, but it risks missing the scale of the change that is now underway. Business continuity was designed for a world where disruption was contained, systems failed in isolation and recovery could happen in sequence. Those conditions no longer apply.
Today, disruption moves across shared dependencies and interconnected systems, often extending beyond organisational boundaries. The challenge CERD addresses is not simply whether systems can be defended, but whether resilience has been deliberately engineered into the digital and physical systems on which essential services now depend1. CERD gives that challenge formal policy force.
Many organisations feel prepared because they have plans, impact assessments and recovery playbooks in place. Yet these are often built on outdated assumptions about how failure occurs, creating a false sense of resilience. The issue is not a lack of planning, but the belief that planning alone is enough. Business continuity focuses on restoring operations after failure. CERD demands something more: the ability to continue operating as disruption unfolds.
This distinction matters even more as AI accelerates decision‑making and automation. Faster cycles reduce response time. This means disruption is often well underway before recovery processes can take effect. In this context, resilience cannot live in documents. It must be embedded into system design. CERD shifts the focus from recovery to continuity, and from plans to systems that are built to operate under stress.
CERD also broadens the frame. While NIS2 has pushed cyber risk into the boardroom, CERD brings physical infrastructure, operational resilience and systemic dependencies together, increasingly including AI‑driven systems. Ireland’s strategy reflects this shift, strengthening national risk assessment, improving coordination across sectors and setting clearer expectations for delivery.
What critical entities must do now
To align with CERD and support the overall move toward a Resilient Nation, organisations need to shift their focus. Resilience is no longer about managing risk within individual systems. It is about ensuring that essential services continue to operate through disruption, even when those services span multiple, interconnected environments.
This requires moving from planning for failure to designing for continuity under stress.
- Define minimum viable services by continuity, not ownership: Be clear about what must keep working during disruption, regardless of where those services sit or who technically owns them and, when disrupted what must be restored first.
- Identify and prioritise critical dependencies: Map the platforms, suppliers, infrastructure and third parties that determine whether services survive. This includes those outside direct organisational control
- Engineer services to operate under stress: Move beyond fail‑and‑recover models and engineer systems that sustain critical functionality as disruption unfolds
- Test disruption as it really happens: Run scenarios that reflect cascading failures, third‑party outages and AI‑driven impacts. They should not be isolated or theoretical incidents
- Make resilience a leadership accountability: Treat continuity outcomes as a board‑level and executive accountability. There must be clear ownership for ensuring that essential services continue to operate
Summary
Ireland’s strategy signals a structural shift in how resilience is understood and delivered. In an AI‑driven, highly interconnected world, disruption will be more frequent and more systemic. Under CERD, the defining question is no longer how organisations recover, but whether essential services continue to operate when disruption is already underway. Resilience is not created by policies, plans or impact assessments alone. It is determined by whether resilience has been engineered into systems from the outset, enabling them to hold under stress rather than fail and recover.
Related content
Why resilient systems are now essential to national competitiveness
Rising geopolitical and cyber pressures are reshaping how organisations and nations think about system strength, continuity, long term control. Find out how.