CER
CER (Critical Entities Resilience) is EU Directive 2022/2557 on the resilience of critical entities. It requires the identification and protection of critical infrastructure across 11 sectors. The transposition deadline was 17 October 2024.
What is the CER Directive?
CER (Critical Entities Resilience Directive) is Directive 2022/2557 of the European Parliament and Council of 14 December 2022 on the resilience of critical entities. It entered into force on 16 January 2023; the transposition deadline expired on 17 October 2024, and critical entity identification is due by 17 July 2026.
CER replaces the ECI Directive (2008/114/EC), expanding scope from 2 to 11 sectors and introducing a multi-hazard (all-hazard) approach: protection not only against terrorism, but also against natural, technical, sabotage, and hybrid threats.
11 sectors covered by CER (CER Annex)
- Energy (electricity, heating, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructure
- Health (hospitals, laboratories, pharmaceutical manufacturing)
- Drinking water
- Wastewater
- Digital infrastructure (IXP, DNS, TLD registries, data centers, cloud, CDN)
- Public administration
- Space
- Food (production, processing, distribution)
CER vs NIS2 — complementarity
| Aspect | NIS2 (2022/2555) | CER (2022/2557) |
|---|---|---|
| Focus | Cybersecurity (IT networks and systems) | Physical and organizational resilience |
| Threats | Cyberattacks | All-hazard (physical, natural, hybrid) |
| Sectors | 18 (Annex I + II) | 11 |
| Transposition deadline | 17 October 2024 | 17 October 2024 |
Many entities are subject to both regimes — e.g., a hospital under NIS2 (cyber) + CER (physical resilience).
Critical entity obligations
1. Risk assessment (Art. 12)
Every 4 years or after significant changes — covers:
- Natural hazards (floods, earthquakes, fires)
- Terrorist attacks, sabotage, organized crime
- Accidents, technical failures, natural disasters
- Public health emergencies (pandemics)
- Hybrid threats (disinformation, cyber-physical sabotage)
2. Resilience measures (Art. 13)
Technical + organizational:
- Physical facility security (access control, monitoring, fences)
- Reserves of critical resources
- Business continuity plan (BCP) and disaster recovery plan (DRP)
- Personnel training
- Cooperation with security authorities
3. Incident reporting (Art. 15)
- 24 hours: initial notification to supervisory authority
- 72 hours: full report with impact assessment
- 30 days: final report
4. Personnel security checks (Art. 14)
Mandatory for staff with access to sensitive facilities or critical information.
5. Point of Contact
Designated CER liaison for communication with supervisory authorities.
Sanctions
Art. 22 CER: effective, proportionate, and dissuasive penalties.
- Administrative fines typically up to €5 million or 2% of annual turnover
- Personal sanctions against management (including temporary function bans)
- Corrective supervision (mandatory recommendation implementation)
Frequently asked questions
What is the CER Directive?
CER (Critical Entities Resilience Directive) — Directive 2022/2557 of the European Parliament and Council of 14 December 2022 on the resilience of critical entities. Replaces the ECI Directive (2008/114/EC) and enforces identification and protection of critical infrastructure across 11 sectors (energy, transport, banking, health, water, digital, public administration, space, manufacturing, food, wastewater). Entered into force 16 January 2023, transposition deadline — 17 October 2024.
Who does CER apply to?
CER applies to entities providing services essential for maintaining critical societal or economic functions. By 17 July 2026, Member States are to identify critical entities in the 11 sectors, based on user count, market share, cross-border impact, and the consequences of disruption. National registers are maintained by the relevant authorities.
What is the difference between CER and NIS2?
NIS2 (Directive 2022/2555) addresses cybersecurity — protection of network and information systems. CER (Directive 2022/2557) addresses physical and organizational resilience of critical entities — protection against natural hazards, sabotage, hybrid attacks, pandemics. Both acts are complementary: critical entities in NIS2 sectors are typically subject to both regimes. Together they form the Critical Entities Resilience Package alongside DORA.
What obligations does CER impose?
Key obligations of critical entities (Arts. 11-14 CER): (1) risk assessment every 4 years covering natural, technical, social engineering, hybrid threats, (2) technical and organizational measures ensuring resilience, (3) business continuity and disaster recovery plans (BCP/DRP), (4) incident reporting to supervisory authority without undue delay (24h initial, 72h full), (5) security checks for personnel with access to sensitive facilities, (6) designation of CER point of contact.
What penalties does CER provide?
Art. 22 CER requires penalties to be effective, proportionate, and dissuasive — amounts set by each Member State in transposition. Typical administrative fines: up to €5 million or 2% of annual turnover. Personal sanctions against management (including temporary function bans) are also possible. Corrective supervision (mandatory implementation of recommendations) complements financial penalties.