Why ERRA?... Go beyond legal compliance...

The EU and the EU-CER Directive[1] require “…Member States to apply a UNIFORM APPROACH in regulating safety and security of critical infrastructure (called “critical entities” in the new CER directive) and identifying critical entities, while at the same time accounting for specificities at national level, including varying levels of risk exposure and interdependencies between sectors and over borders”. It also asks the critical entities to provide an “EFFECTIVE RESPONSE to the incident”[2] This practically means that of risk and resilience assessment as well as stress-testing of the critical entities is needed[3]





ERRA Initiative & EU Projects

Ensuring sustainability of the SmartResilience , InfraStress , AssureMOSS  project results was one of the major triggers for the ERRA Initiative. Hence, ERRA enables the continuation of project outcomes by:

1. Embedding the projects methodology and its main results in an ISO standard covering risk and resilience topics (e.g. ISO 31050 and 223xx-series), national standard on stress-testing (e.g. DIN SPEC 91461) and other EU Initiatives (e.g. Projects for Policy - P4P )

2. Leaving the indicators, the methodology, and the web tool (web) as an “open system,” possibly on the EU project platforms (e.g. European Reference Network for Critical Infrastructure Protection by JRC - ERNCIP )

3. Creating a business model based on the project and its results – both for project partners and for the European communities



ERRA Services

Main services provided by ERRA are:
1. Consulting service
The consulting service offers ISO 27001/ISO/IEC 27005-based cybersecurity solution for SMEs.
2. Stress-testing service
The Stress-testing service aims to help clients assess their resilience measures against known/unknown (emerging) threats. The stress-testing methodology is primarily based on:

3. Education & Training
The course covers risk and resilience topics, including special cybersecurity issues such as:

  •  Capacity Maturity Model Integration (CMMI) 
  •  Unified Model Language (UML) scenario modelling
  •  SmartResilience and InfraStress courses related to IT/cyber risks and their management for improved resilience of the cyber infrastructures


ERRA and the developing standards

ERRA offered services are based on the new developing risk & resilience standards:
1. DIN SPEC 91461 Stress-testing resilience of critical infrastructures exposed to cyber-physical threats (A. Jovanović, Convener)
2. ISO 31050  Managing emerging risks for enhancing resilience (CD2 stage, A. Jovanović, Convener)




ERRA offers Risk and Resilience Assessment-as-a-Service (A-a-a-S) with following services in three levels

Level 1 Free service without involvement of ERRA: Self-assessment

  •  The service is free of charge for use of available tools
  • ERRA online tool allow to perform the resilience assessment over the time, to perform resilience for assumed scenarios and to perform stress-testing with pre-defined scenarios by users
  • The anonymized assessment remains in the pool and can be embedded into the big data analysis

Level 2 Charged service with involvement of ERRA: audited self-assessment

  •  The service is charged with audit fee for assessing the self-assessment result. The assessor/auditor is appointed by ERRA.
  • The service includes the consultation on assessing the improvement of resilience by Multi Criteria Decision Making (MCDM) tool
    ERRA issues an audit certificate

Level 3 Charged service with involvement of ERRA: 3rd Party audit service

  • ERRA provides the third party audit service performed by appointed assessor/auditor and produce the report

Cybersecurity related tools

The ERRA Cybersecurity related tools provide a user-friendly interface including:

  •  Early warnings about the cybersecurity threats, especially the new/emerging threats/risks
  • Cybersecurity resilience assessment
  • Cybersecurity resilience stress-testing (how secure is a cyber-system against a hypothetic or realistic C/P scenario)
  • Tools for analyzing interdependencies & vulnerabilities
  • Multi-Criteria Decision Making optimization in case of critical situations/threats
  • Database of 5,000+ indicators 




The ERRA Risk & Resilience A-a-a-S solution and its  supporting services helps: 

  •  The competent authorities in dealing with “relevant natural and man-made risks” considering the aspects of “new and emerging risks” when conducting risk assessment as required
  • The critical entities in ensuring business continuity and quality of services, also enhance the reputation by mean of voluntarily certification


Key Partners

In order to optimize operations and reduce business risks, external organizations may cultivate the customer-supplier relationships, so that SmartResilience can focus on the core activities that create real added value.

  • External consultants: External consultant may perform key activities to deliver the value of ERRA, like using the methodology and tools to assess the resilience of Critical Infrastructures or customize, select and add appropriate indicators.
  • Indicator providers: Different organizations may provide new indicators to include in the SmartResilience indicators’ database.
  • Industry associations: Industry associations may provide new indicators and suggest improvements and indicator lists for assessing the resilience of Critical Infrastructures of specific industries.



Target Industries

Based on the Annexes of the NIS 2 and CER Directives, the application of ERRA can extend to essential entities (e.g. IT, energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructures, public administration and space) and certain important entities (e.g. portal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers)


[1] CER Directive (Draft): Directive of the European Parliament and of the Council on the Resilience of critical entities, 2020/0365 (COD), p.6

[2] CER Directive (Draft): Directive of the European Parliament and of the Council on the Resilience of critical entities, 2020/0365 (COD), p.31

[3] DIN SPEC 91461 Stress-testing resilience of critical infrastructures exposed to cyber-physical threats 


We use cookies to improve your experience on our website. If you continue using our website, we will assume that you are happy to receive all cookies on this website. Read more Continue