Resilience

Resilience is the ability of an organisation or critical entity to prevent, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services. The concept is central to both the CER Directive (physical and organisational resilience) and DORA (digital operational resilience).


    What is resilience?

    Resilience (from Latin: resilire -- to spring back) in a compliance context describes an organisation's ability not merely to withstand disruptions but actively to adapt to and recover from them while continuing to deliver critical services. Resilience is more than security alone -- it is a holistic perspective on organisational robustness.

    The concept sits at the heart of two central EU legislative instruments: the CER Directive (physical and organisational resilience of critical entities) and DORA (digital operational resilience for the financial sector).

    Resilience under the CER Directive

    The CER Directive defines resilience as a critical entity's ability to prevent, withstand, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services.

    CER's resilience framework covers four dimensions:

    • Prevention: Measures that reduce the likelihood of disruptive incidents occurring.
    • Protection: Measures that reduce the consequences of incidents when they do occur.
    • Recovery: The ability to restore normal operations swiftly after an incident.
    • Adaptation: The ability to learn from incidents and improve future resilience.

    Resilience under DORA

    In the DORA context, the term "digital operational resilience" captures the same fundamental concept but applies it specifically to ICT systems and services in the financial sector. The essence is the same: the ability to continue delivering services during and after disruptions.


    Resilience as a continuous process:
    Resilience is not a goal that is achieved once. It is a continuous process requiring ongoing assessment, adaptation and testing. Both EU instruments reflect this by mandating regular assessments and tests.

    Frequently Asked Questions about Resilience

    What is resilience in a compliance context?

    Resilience is an organisation's ability to prevent, absorb, adapt to and recover from incidents that could disrupt operations. It goes beyond traditional security by encompassing the full lifecycle: prevention, protection, recovery and adaptation.

    What is the difference between resilience and security?

    Security typically focuses on preventing incidents. Resilience is broader and addresses the entire lifecycle: prevention, resistance, recovery and adaptation. A resilience-oriented approach accepts that incidents will occur and focuses on minimising consequences and recovering quickly.

    How does the CER Directive define resilience?

    The CER Directive defines resilience as a critical entity's ability to prevent, withstand, absorb, adapt to and recover from incidents that could disrupt the delivery of essential services. It covers both physical and organisational dimensions.

    How does DORA address resilience?

    DORA uses the term 'digital operational resilience' to describe the same concept applied to ICT systems in the financial sector. It requires financial entities to build, assure and maintain their operational integrity through ICT capabilities.

    Is resilience a one-time achievement?

    No. Resilience is a continuous process that requires ongoing risk assessment, testing and improvement. Both CER and DORA mandate regular reviews and resilience testing to ensure that measures remain effective over time.
