In six months, on July 17, 2026, the deadline by which EU member states must identify the critical entities operating on their territory under the CER Directive (Critical Entities Resilience Directive) expires. The directive itself had to be transposed into national law by October 17, 2024, so the legal framework is, or should already be, in place. For critical infrastructure operators, this means specific obligations whose non-fulfillment can result in serious consequences - from financial penalties to loss of the ability to conduct business.
This article is a practical guide to CER requirements. We explain who the regulations affect, what obligations they impose, and how to prepare in the remaining time.
What is the CER directive and why was it created?
The CER Directive (2022/2557) is the European Union’s response to growing threats to critical infrastructure. The COVID-19 pandemic, attacks on the Nord Stream gas pipelines, the increasing number of cyberattacks on hospitals and energy networks - these events showed how fragile the systems on which society depends really are.
CER replaces the 2008 directive (2008/114/EC), which covered only the energy and transport sectors. The new regulation significantly expands scope and introduces a comprehensive approach to resilience.
Key assumptions of the directive include:
- Broader sectoral scope - 11 sectors instead of 2
- All-hazards approach - protection against all types of threats, not just terrorism
- Resilience, not just protection - ability to absorb disruptions and quickly return to normal
- Link to NIS2 - coherent regulation of physical and digital resilience
Which entities are subject to the CER directive?
CER applies to entities providing essential services in 11 sectors of the economy. This is a significant expansion compared to the previous regulation.
Sectors covered by CER
- Energy - electricity, gas, oil, district heating, hydrogen enterprises
- Transport - air, rail, water, road
- Banking - credit institutions (in practice, identification will focus on those whose disruption would have a significant effect on the financial system)
- Financial market infrastructure - trading system operators, clearing houses
- Health - healthcare providers, EU reference laboratories, manufacturers and wholesale distributors of medicinal products, manufacturers of medical devices deemed critical during a public health emergency
- Drinking water - drinking water suppliers and distributors
- Wastewater - wastewater collection and treatment system operators
- Digital infrastructure - internet exchange point operators, DNS service providers, TLD name registries, cloud and data centre service providers, content delivery networks, trust service providers, public electronic communications networks
- Public administration - central government administration bodies
- Space - ground infrastructure operators supporting space services
- Food - large food production and distribution enterprises
How to determine if you are a critical entity?
Member states must identify critical entities in each sector using specified criteria. An entity will be recognized as critical if:
- It provides an essential service for maintaining vital societal functions or economic activities
- It provides this service on the territory of a given member state
- An incident would have a significant disruptive effect on service provision
“Significant disruptive effect” is determined based on:
- Number of users dependent on the service
- Degree of dependence of other sectors on the service
- Potential impact of an incident on economic and social activity, the environment, public safety and security, and public health
- Entity’s market share
- Geographic scope of potential effect
- Entity’s importance for maintaining adequate service levels
What obligations does CER impose on critical entities?
Entities identified as critical must meet a number of requirements. Here are the most important ones.
Critical entity risk assessment
Each critical entity must conduct a comprehensive risk assessment considering:
- All significant threats - natural, technical, man-made (including terrorism)
- Dependencies on other sectors - how will disruptions in energy affect water utilities?
- Dependencies on suppliers - critical suppliers of services and products
- Geographic locations - specific risks for a given area
The first assessment is due within nine months of an entity being notified that it has been identified as critical. It must then be updated at least every four years, or more frequently if circumstances change.
Resilience measures
Based on the risk assessment, entities must implement appropriate measures. The directive lists:
Incident prevention measures:
- Physical protection of facilities and infrastructure
- Access control and security systems
- Protection against natural threats
Incident response measures:
- Incident management procedures
- Business continuity plans
- Capabilities for rapid service restoration
Personnel management measures:
- Background checks for employees in sensitive positions (the directive allows critical entities to request them for personnel performing critical functions)
- Security training
- Access management
Awareness-raising measures:
- Awareness programs for personnel
- Regular exercises and simulations
- Communication with stakeholders
Incident reporting
Critical entities must report incidents that:
- Significantly disrupt or may disrupt the provision of essential services
- Cause or may cause significant damage
The initial notification must be made without undue delay and in any event within 24 hours of the entity becoming aware of the incident; where relevant, a detailed report follows within one month. The notification must at least state the number and proportion of users affected, the duration of the incident, and the geographic area concerned, so incident management procedures should capture these data points from the outset.
Compliance verification
Member states will regularly verify whether critical entities meet requirements. Controls may include:
- On-site inspections
- Documentation audits
- Verification of technical and organizational measures
- Review of business continuity plans
How does CER differ from NIS2?
CER and NIS2 are “sister” directives that together create a coherent resilience framework. Distinguishing them is key to proper implementation.
NIS2 - cybersecurity
NIS2 (Network and Information Security Directive 2) focuses on network and information system security. It concerns digital threats - cyberattacks, IT system failures, data breaches.
CER - physical and operational resilience
CER covers a broader range of threats - physical, natural, technical, human. It concerns the resilience of the entire entity, not just its IT systems.
Common denominator
An entity may be subject to both directives simultaneously. In fact, NIS2 provides that an entity identified as a critical entity under CER is automatically treated as an essential entity under NIS2. For example, an energy network operator:
- As a critical entity (CER) must protect physical infrastructure from sabotage, natural disasters, failures
- As an essential entity (NIS2) must protect control systems, communication networks, data from cyberattacks
In practice, this means the need for an integrated approach to risk management and resilience.
What is the state of preparations in Europe?
EU member states are working on transposing the CER directive into national law. As of January 2026:
Legislative work
Most member states are at advanced stages of transposition. National laws will specify:
- Detailed criteria for identifying critical entities
- Competent authority for critical entity resilience
- Incident reporting procedures
- Supervision and control system
- Sanctions for violations
Entity identification
Government security centers are conducting work on identifying critical entities in individual sectors. Many entities already appear in critical infrastructure lists based on existing regulations.
Implementation challenges
Main challenges include:
- Human resources - lack of specialists in physical security and resilience
- Budgets - need to increase security spending
- Coordination - cooperation between entities and sectors
- Awareness - understanding requirements by management
What to do in the remaining six months?
Six months is not much time to implement a comprehensive resilience program. Here are priority actions.
Month 1-2: Diagnosis
Week 1-2: Determine status
- Check if your entity will likely be recognized as critical
- Analyze criteria from the directive and draft national law
- Consult with lawyers and industry bodies
Week 3-4: Gap analysis
- Compare current security measures with CER requirements
- Identify gaps in: risk assessment, protective measures, continuity plans, reporting procedures
- Prepare board report
Week 5-8: Risk assessment
- Conduct comprehensive risk assessment meeting CER requirements
- Consider all threat categories (all-hazards)
- Identify dependencies on other entities and sectors
- Document results
Month 3-4: Planning and design
Physical protection measures
- Review and modernize access control systems
- Strengthen facility protection
- Secure against natural threats (if applicable)
Business continuity plans
- Develop or update plans for scenarios from risk assessment
- Define minimum service levels
- Prepare failover procedures
Incident management procedures
- Define incident classification criteria
- Prepare notification templates
- Define roles and responsibilities
- Establish communication channels with authorities
Personnel management
- Review sensitive positions
- Employee verification procedures
- Training programs
Month 5-6: Implementation and testing
Measure implementation
- Launch new security systems
- Implement updated procedures
- Train personnel
Testing
- Tabletop exercises
- Technical system tests
- Trial incident notifications
- Continuity plan verification
Documentation
- Prepare compliance evidence
- Complete documentation for supervision
- Board readiness report
What penalties are there for non-compliance?
The CER directive provides that member states shall establish effective, proportionate, and dissuasive sanctions. Specific penalty amounts will be set in national legislation.
Types of violations
- Failure to conduct risk assessment
- Failure to implement appropriate resilience measures
- Failure to report incident within required timeframe
- Refusal to cooperate with supervisory authorities
- Obstructing controls and inspections
Potential sanctions
Based on other EU regulations (DORA, NIS2), we can expect:
- Administrative fines reaching millions of euros
- Orders to remedy irregularities
- Temporary business activity bans
- Personal liability of board members
Reputation and business
Beyond formal penalties, non-compliance may result in:
- Loss of customer and partner trust
- Insurance problems
- Exclusion from supply chains
- Negative impact on valuation and rating
How will CER affect suppliers of critical entities?
Critical entities must manage supply chain risk. This means new requirements for their suppliers.
Supplier verification
Critical entities will be required to:
- Identify critical suppliers
- Assess their ability to ensure supply continuity
- Verify their security measures
- Monitor their condition
Contractual requirements
Contracts with suppliers will need to include:
- Supply continuity clauses
- Right to audit
- Information obligations for incidents
- Alternative plans in case of disruptions
Opportunity for suppliers
For suppliers, this is an opportunity to stand out. Certifications, security audits, documented resilience can become competitive advantages in tenders.
How to integrate CER requirements with existing management systems?
Many critical entities already have implemented management systems - ISO 27001, ISO 22301, ISO 9001. CER doesn’t require building everything from scratch.
Using ISO 22301
The ISO 22301 standard (business continuity management) covers a significant part of CER requirements regarding:
- Business impact analysis (BIA)
- Risk assessment
- Business continuity plans
- Testing and exercises
If you have a certified ISO 22301 system, you have a solid foundation for CER compliance.
Using ISO 27001
ISO 27001 (information security) covers aspects of:
- Risk assessment (though focused on information)
- Access control
- Incident management
- Supplier management
Gaps to fill
Existing ISO systems typically don’t fully cover:
- Protection against physical and natural threats
- Specific incident reporting requirements to authorities
- Background checks for employees in sensitive positions
- Cooperation with state authorities
These elements require supplementation.
What tools support CER compliance?
Effective resilience management requires appropriate tools. Here are solution categories worth considering.
Risk management systems
GRC (Governance, Risk, Compliance) platforms allow:
- Centralizing risk register
- Automating assessments
- Tracking mitigation actions
- Generating reports for supervision
Business continuity management systems
Dedicated BCM (Business Continuity Management) tools:
- Continuity plan documentation
- Test and exercise schedules
- Crisis notification
- Recovery status tracking
Physical security systems
Modern PSIM (Physical Security Information Management) systems:
- Integration of access control, CCTV, alarm systems
- Central monitoring
- Event response automation
- Analytics and reporting
Testing tools
Resilience testing platforms:
- Crisis scenario simulations
- Penetration tests (for cyber/NIS2 aspects)
- Automated configuration verification
- Test result documentation
Summary - key actions before July 2026
Six months is sufficient time to achieve basic CER compliance. However, it requires decisive action.
Immediately (this week)
- Determine if your entity will likely be recognized as critical
- Establish CER implementation team
- Inform board about requirements and deadlines
Within one month
- Conduct gap analysis
- Begin comprehensive risk assessment
- Determine budget for adjustment actions
Within three months
- Complete risk assessment
- Develop remediation action plan
- Begin implementing priority measures
- Prepare incident reporting procedures
By July 2026
- Implement all required measures
- Conduct tests and exercises
- Complete documentation
- Prepare for supervisory inspections
CER readiness checklist
| Element | Status | Priority |
|---|---|---|
| Risk assessment conducted | ☐ | Critical |
| Physical protection measures implemented | ☐ | High |
| Business continuity plans developed | ☐ | Critical |
| Incident reporting procedures ready | ☐ | High |
| Personnel trained | ☐ | Medium |
| Suppliers verified | ☐ | Medium |
| Tests conducted | ☐ | High |
| Documentation complete | ☐ | High |
The CER directive is not just a regulatory requirement - it’s an opportunity to genuinely increase organizational resilience. Entities that take it seriously will be better prepared for crises, regardless of their source.
Need support implementing CER requirements? Contact us - we’ll help conduct risk assessment, design resilience measures, and prepare for compliance.
