Patrick Moloney, Chris Tyler

September 11, 2025

Criticality assessment: 4 steps to building resilience

To lay a proper foundation and build resilience, critical entities across Europe will soon need to master the criticality assessment. Our experts explain how criticality differs from risk and set out four steps to be better prepared for CER.

Fjernvarme Fyn in Odense

Europe’s approach to resilience is undergoing a significant transformation. With the EU Critical Entities Resilience (CER) Directive entering into force, organisations will now be required to understand, demonstrate and manage what is critical to their operations, to the economy and to society. This shift, which affects organisations across energy, water, transport, telecommunications, healthcare, finance, logistics and digital infrastructure, reflects a fundamental change in how resilience is defined, measured and governed.

In the past, organisations could prepare for disruption by protecting individual assets and ensuring operations could be restored after an isolated failure. Organisations could also account for and report on macro-level risks affecting their strategies and financial positions. But today’s threats - be they climate, cyber or supply chain related - are rarely isolated and require systematic criticality mapping and holistic resilience planning.

Modern economies and societies are built on complex, interdependent systems. The CER Directive mandates that organisations fully understand and account for business continuity and the continued delivery of crucial services within this complexity. Thus, understanding criticality is now the foundation for managing resilience effectively.

Implicitly, the CER requires organisations to first perform a criticality assessment to determine what matters most to their business. Then, organisations will perform a risk assessment to evaluate the threats to critical assets, services and processes. Once criticality and risk are fully understood, organisations will be required to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that could disrupt essential services.

Criticality versus risk – understanding the difference

While closely related, criticality assessment and risk assessment serve distinct purposes within resilience planning (the CER Directive implicitly requires both). Confusion often arises because they are interdependent, but they are not interchangeable.

“Criticality assessment determines what matters most by identifying and prioritising services, processes and assets based on their importance to organisational continuity, societal stability and regulatory obligations”

Patrick Moloney
Global Service Lead

Criticality assessment is impact-driven, largely hazard-agnostic and does not consider specific threats but rather focuses on the consequences of disruption. For example, a hospital might classify its emergency department, patient record systems and power supply as highly critical because their disruption would directly affect human life and breach statutory obligations.

Risk assessment, by contrast, evaluates what could threaten those critical elements and to what extent. It considers specific hazards such as cyberattacks, extreme weather or supplier insolvencies and analyses their likelihood, potential impacts and the effectiveness of existing controls. Continuing the hospital example, a risk assessment would explore scenarios such as a ransomware attack on patient records, a power outage affecting surgical theatres or supply chain delays impacting critical pharmaceuticals.

The sequencing is important. Organisations first conduct a criticality assessment to determine where disruption matters most and then perform targeted risk assessments on those priority areas. This avoids wasting resources on low-value assets while ensuring that the most essential services receive proportionate attention.

In the context of the CER Directive, the two processes are complementary. Criticality assessment establishes the foundation by identifying essential services and mapping dependencies, while risk assessment evaluates the threats to those services and informs the design of resilience measures.

Why criticality assessment is central to building resilience

Building organisational and systemic resilience begins with establishing a clear understanding of what is critical and why it matters. Without this clarity, resilience strategies can become either misaligned or incomplete. Two common challenges arise when criticality is not well defined:

  • Overprotection: organisations may invest heavily in securing infrastructure, services or processes that are not central to maintaining continuity or societal stability.
  • Blind spots: vulnerabilities embedded deep within interdependent systems may remain unrecognised until they trigger significant cascading failures.

A structured criticality assessment addresses these challenges by providing the analytical foundation for effective resilience planning and governance. It eliminates blind spots by enabling organisations to examine their services, assets and processes through a multi-dimensional lens that considers operational, societal, economic, regulatory and environmental factors. By mapping how systems, services and supply chains are connected, organisations can develop a clearer view of interdependencies. It corrects overprotection by helping to identify tipping points of systemic failure, such as locations within networks where disruption in one element could have disproportionate impacts. These insights are particularly valuable for understanding where redundancy is most important, where recovery times must be shortest and where coordination across sectors is essential.

Beyond supporting internal decision-making, a transparent and evidence-based approach to assessing criticality strengthens relationships with regulators, investors and stakeholders. It demonstrates that resilience measures are informed by structured analysis rather than assumptions and facilitates alignment with external requirements such as the CER Directive and related regulatory frameworks.

When approached systematically, criticality assessment provides the foundation for:

  • Resource prioritisation: identifying where investments in protection, redundancy or recovery deliver the highest operational, economic and societal value.
  • Dependency management: clarifying relationships between services, sectors and geographies to reduce systemic vulnerabilities.
  • Governance maturity: establishing a shared evidence base that informs both organisational planning and cross-sector coordination.

In this way, criticality assessment supports a transition from reactive recovery to proactive resilience governance. It equips organisations with the information needed to understand their role within broader systems and to make more informed, balanced and robust decisions about where to focus effort and investment.

Building the criticality framework

A robust criticality assessment requires defining what “critical” means, establishing structured tiers, mapping dependencies and recovery priorities and producing a transparent criticality register. These steps create a clear basis for decision-making and regulatory engagement.

Step 1: Defining what “critical” really means

Defining criticality requires an evidence-based, multi-dimensional approach. Historically, many organisations have assessed criticality using narrow measures such as financial value or direct operational importance, but this is no longer sufficient in today’s interconnected operating environment.

A broader definition considers the consequences of disruption across several dimensions, including impacts on human safety, societal continuity, economic stability, regulatory obligations, environmental dependencies and geostrategic exposures.

Consider the example of a regional water treatment facility. On paper, the facility may appear to be of moderate importance because it serves only a limited geographic area and represents a small portion of the operator’s overall asset base. However, a closer analysis reveals that the facility supplies potable water to several interdependent systems:

  • A large hospital complex relies on its water supply for patient care and sterilisation.
  • Food processing plants in the region depend on it to maintain production and hygiene standards.
  • A nearby power generation plant uses its treated water for cooling operations.

If this facility were to fail, the impact would not be confined to a single community or organisation. Healthcare services, food production and energy generation would all be disrupted, leading to significant cascading effects across sectors.

This illustrates why criticality cannot be judged solely by asset value or organisational importance. Assets and services must be evaluated within the broader ecosystem in which they operate, recognising where seemingly local disruptions can have far-reaching societal and economic consequences.

Step 2: Establishing tiers of criticality

Once an organisation has determined its unique criticality, it should classify services, processes and assets into tiers to distinguish their relative importance. Tiering provides a structured way to prioritise protection and establish recovery measures.

  • Tier 1 represents those services whose failure would cause severe, widespread or cross-border consequences affecting multiple sectors or essential societal functions.
  • Tier 2 includes services where disruption would significantly degrade operations but remain recoverable within tolerances through coordinated intervention.
  • Tier 3 covers elements where disruption would be localised and manageable using existing contingency measures.

However, tiering is not simply a ranking exercise. It reveals interdependencies and hidden vulnerabilities within complex systems. A small fibre-optic relay may initially appear low-value but, upon analysis, may enable many core operations of several Tier 1 service providers, such as hospitals, financial trading platforms and emergency response coordination. Misclassifying such elements can create blind spots that only become visible during disruption.

By structuring services into tiers, organisations create a clear basis for prioritisation. Tiering informs decisions on resource allocation, redundancy planning and recovery strategies, ensuring that the most critical services receive appropriate attention while avoiding overprotection of less consequential areas, i.e. those elements where disruption would be local and manageable.

Step 3: Mapping dependencies, redundancy and recovery priorities

Identifying which services and assets are critical is only part of the assessment. Organisations must also understand how those services function, what they depend on and how quickly they need to be recovered to avoid cascading failures.

This step begins by mapping internal and external dependencies, including IT systems, physical infrastructure, suppliers, utilities, digital platforms and cross-border connections. These dependency maps reveal common-mode risks, i.e. situations where a single failure point affects multiple critical services simultaneously. For example, multiple Tier 1 services might depend on a single energy substation, shared cloud platform or telecommunications exchange.

Redundancy should then be evaluated, not just in terms of its presence but also its independence. Two facilities served by the same upstream fuel supply or located within the same floodplain may appear redundant but in reality share vulnerabilities.

Recovery priorities and tolerances must also be defined. For each critical service, organisations should determine how long it can be disrupted before systemic consequences escalate. These recovery time objectives provide an evidence-based foundation for designing contingency plans and stress-testing continuity measures.

By combining dependency mapping, redundancy analysis and recovery prioritisation, organisations gain a clearer view of where vulnerabilities are concentrated and where targeted investment delivers the greatest benefit.

Step 4: Producing a criticality register

The final step is to consolidate the findings into a comprehensive criticality register. This register serves as the authoritative reference point for internal decision-makers and regulators. The register typically includes:

  • A list of essential services and their enabling assets.
  • Their assigned tiers of criticality.
  • Key dependencies and potential single points of failure.
  • Recovery time objectives and redundancy status.
  • The rationale and evidence supporting each classification.

Maintaining a transparent and regularly updated register ensures that criticality assessments remain relevant as services evolve, dependencies change and regulatory expectations shift. Under the CER Directive, this register also forms the foundation for demonstrating compliance and supporting subsequent risk assessments focused on the highest-priority areas.
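The Python sketch below is an added illustration, not part of the original article. It builds a small register from a dependency map, flags assets shared by several Tier 1 services (the common-mode case from Step 3 and the fibre-optic relay case from Step 2) and checks whether redundant assets are actually independent. All names and sample data are constructed, and the rule that an asset inherits the highest tier and the shortest recovery time objective of any service relying on it is an assumption.

```python
from collections import defaultdict

# Constructed sample data: services with assigned tier and recovery time objective (hours).
SERVICES = {
    "emergency_dept":   {"tier": 1, "rto_h": 1},
    "trading_platform": {"tier": 1, "rto_h": 2},
    "billing":          {"tier": 3, "rto_h": 72},
}
# Direct dependencies: node -> nodes it relies on (assets may depend on other assets).
DEPENDS_ON = {
    "emergency_dept":   ["fibre_relay", "substation_a"],
    "trading_platform": ["fibre_relay", "datacentre_1"],
    "billing":          ["datacentre_1"],
    "datacentre_1":     ["substation_a"],
    "pump_a":           ["fuel_depot"],
    "pump_b":           ["fuel_depot"],
}
REDUNDANT_PAIRS = [("pump_a", "pump_b")]  # assets declared redundant with each other

def upstream(node, graph=DEPENDS_ON):
    """All direct and transitive dependencies of node."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, []))
    return seen

def build_register(services=SERVICES, graph=DEPENDS_ON):
    """Per asset: inherited tier, tightest RTO, dependants, common-mode flag."""
    dependants = defaultdict(list)
    for svc in services:
        for asset in upstream(svc, graph):
            dependants[asset].append(svc)
    register = {}
    for asset, svcs in dependants.items():
        tier1 = [s for s in svcs if services[s]["tier"] == 1]
        register[asset] = {
            "tier": min(services[s]["tier"] for s in svcs),    # assumed inheritance rule
            "rto_h": min(services[s]["rto_h"] for s in svcs),  # assumed inheritance rule
            "supports": sorted(svcs),
            "common_mode": len(tier1) >= 2,  # one failure hits several Tier 1 services
        }
    return register

def shared_upstream(pairs=REDUNDANT_PAIRS, graph=DEPENDS_ON):
    """Redundant pairs that are not independent, with the dependencies they share."""
    return {p: sorted(upstream(p[0], graph) & upstream(p[1], graph)) for p in pairs}
```

Here `datacentre_1` inherits Tier 1 through a transitive dependency even though one of its dependants is Tier 3, and the two pumps are reported as sharing `fuel_depot`, so they do not count as independent redundancy.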

Moving forward - Criticality assessment as the starting point

The CER Directive signals a fundamental shift in how resilience is managed across Europe. Essential services like energy, water, finance, logistics, healthcare and digital infrastructure are no longer isolated domains but deeply interconnected systems where disruptions can rapidly cascade.

In this environment, criticality assessment is the analytical foundation for making resilience practical and proportionate. It establishes what really matters, where vulnerabilities converge and which assets underpin societal and economic continuity. Without this clarity, one risks either overprotecting low-value systems or, more importantly, overlooking critical vulnerabilities until they fail catastrophically.

A structured criticality assessment, whose core components are outlined above, creates a consistent, evidence-based framework for distinguishing between services where disruption would have severe consequences and those with manageable impacts. This supports operational planning and demonstrates governance maturity.

But criticality assessment is only the starting point, not the endpoint! Its outputs enable targeted risk assessments, inform capital planning, guide business continuity strategies and support regulatory reporting. For many organisations, this represents a fundamental shift from siloed risk management to system-level thinking about interdependencies. As resilience becomes both an operational necessity and regulatory expectation, understanding what is critical, and why, is the essential first step to informed decision-making and systemic stability.


Want to know more?

  • Patrick Moloney, Global Service Lead, Sustainability Consulting & ESG, +45 51 61 66 46
  • Chris Tyler, Senior Consultant, +45 60 36 17 72