Turning shared risk into shared response
Resilience is no longer something public organizations can build in isolation. It is something they have to deliver together.
This can also be seen in European regulation, including CER and NIS2. Resilience has shifted from protecting individual assets to governing risk across systems, requiring critical entities to anticipate, absorb and recover from disruptions that move across sectors, borders and supply chains. For the public sector, that makes resilience a coordinating role as well as an obligation. Public bodies must ensure that ministries, operators and suppliers can respond as one system.
That is the change now taking shape in public sector resilience. Most institutions have already strengthened their own continuity plans, cyber controls and crisis protocols. But the risks with the greatest public impact rarely remain inside one organization. They move through dependencies, supply chains, data environments and shared services. This presents public leaders with a bigger opportunity and challenge: to move from separate preparedness to coordinated response. When disruption crosses organizational boundaries, citizens should experience public services that can adapt together, protect essential functions and keep critical support moving.
For Belle Webster, Eraneos Associate Partner for Public Safety & Security, an important example is the EU Preparedness Union Strategy’s push for 72-hour citizen self-sufficiency. Several EU member states have launched national preparedness campaigns, but the Netherlands has gone further by broadening a long-running campaign to businesses, through a collaboration between the Ministry of Economic Affairs and the main Dutch employers’ federation, VNO-NCW.
For public sector leaders, this is the other side of the resilience equation: if the SMEs you depend on for software, logistics or facilities are not prepared, your own continuity plans have a gap that no regulation can close on its own, and you cannot fully protect citizens from the consequences.
The old governance model asks, ‘are we resilient?’ The new governance model asks, ‘are we resilient together?’ That is a harder question, and it requires both public and private institutions to work in ways they are not used to.
The old model no longer fits the risk
Public sector organizations have spent years strengthening their own continuity plans, incident response processes and cyber controls. That work still counts. But Belle argues that the harder risks now appear between organizations, where no single body has full visibility or control. The CrowdStrike outage in 2024 showed how quickly disruption can run through aviation, hospitals, banks and emergency services. The Iberian blackout in April 2025 underlined a similar point: resilience failures are rarely confined to one technical system or one accountable owner.
The conversation is changing as a result, says Belle. Many public sector leaders are used to asking how to meet legal requirements, set up reporting and clarify internal accountability. More and more leaders are now asking different questions. Which partners do we depend on but not control? What happens to citizen services if a neighbouring sector fails? Who decides when a crisis crosses our boundary?
Those questions cannot be answered inside one organization. They require a different kind of governance and a different approach.
The gap is governance, not technology
Belle is clear that the main weakness is not a lack of tools. Most organizations know how to run an internal incident response. The weak point is collective response. In practice, each ministry, regulator and sector operator is used to approaching resilience in silos. A port authority may escalate through one route. Energy follows another. Healthcare follows its own continuity plans. Yet a major incident at the port could affect logistics, fuel distribution, customs processes and hospital supplies almost immediately.
“For the public sector, that means moving beyond sector-specific national crisis plans and mandating a coordinating role: ensuring that ministries, operators and suppliers can respond as one system,” Belle says.
While CER and NIS2 tell organizations to account for dependencies, they do not automatically create the shared agenda where those dependencies are mapped out and governed. This is why Belle argues that public bodies now need sharper mandates, better cross-sector exercises, especially involving private parties, and decision structures agreed to before a crisis starts.
Supply chains remain too shallowly understood
Belle also points to a blind spot in supplier visibility. Many organizations understand their direct suppliers reasonably well. Far fewer have a strong view of second- and third-order dependencies. That gap becomes serious when public services rely on software vendors, cloud providers, telecom operators, logistics networks and outsourced service partners. A disruption may enter through a supplier that never appears in the first layer of a risk register. By the time the dependency becomes visible, the public impact may already be spreading.
The cascade should be anticipated, the coordination should be pre-designed and the response should be collective from the first hour. That is the governance shift we are working on.
Sovereignty is now about control, not only data location
AI adds another layer to the resilience challenge. Belle argues that public organizations cannot treat sovereignty only as a question of where data is stored. They also need to understand which AI models they rely on, who controls those models and which jurisdiction governs them. They may have a reasonable view of their data dependencies. The next question is whether they understand the AI models they depend on at the same level of detail. If an AI model shapes a critical public decision, changes to that model can become an operational risk.
If a critical decision in public service delivery is shaped by a model whose behavior can be changed by a vendor outside European jurisdiction, then sovereignty becomes a question of operational control, not only data location.
The next step is to train shared decision-making
Belle argues that public organizations must transition from organizational to systemic resilience. To make that shift, she says they will need to map cross-sector dependencies, design shared governance structures and test them through realistic scenarios. The central question is simple: who decides when disruption crosses organizational boundaries? In five years, that question should already be answered and trained. It should not be negotiated during an Iberian-scale disruption with a cyber dimension added.
This will require a more practical view of resilience work. NIS2, CER, DORA and sovereignty requirements cannot remain separate compliance tracks if the real risks move across sectors, suppliers, data environments and operating models. Public organizations need to understand where those requirements overlap in daily decision-making: who has visibility, who has authority, which dependencies shape the response and how leaders build a shared operational picture as a situation develops.
Instruments like DORA, which applies specifically to the financial sector, show how sector-specific rules can complement broader frameworks. The harder design challenge is the connection between sectors.