Article

CER Directive Summary

Strengthening your organizational resilience

What is the Critical Entities Resilience (CER) Directive about?

The CER Directive is an EU directive adopted by the European Parliament that entered into force on January 16, 2023, replacing the previous European Critical Infrastructure Directive from 2008. The CER Directive aims to strengthen the resilience of essential entities and infrastructure across Europe, and of businesses operating in the EU, by providing a more robust framework for securing vital services and infrastructure. Although the NIS 2 and CER Directives are aligned with each other, the CER Directive differs by setting rules to reduce vulnerabilities and strengthen the physical resilience of critical entities.

EU Member States must adopt and publish the necessary measures to comply with CER Directive by 17 October 2024.
 

What are the applicable sectors of CER Directive?

The previous Directive covered only the energy and transport sectors and lacked a harmonized approach to the protection of critical national infrastructure by Member States, undermining the “level playing field” in Europe. The updated CER Directive places obligations on the Commission, the Member States and critical entities in 11 sectors in total, 6 of them new, using an all-hazards approach to resilience requirements.

  • Sectors included in the CER Directive: Banking, Financial market infrastructure, Digital infrastructure, Transport, Energy, Health, Drinking water, Wastewater, Public administration, Space, and Production, processing and distribution of food.


Key requirements of CER Directive for organizations

  • Risk assessments: Critical entities must conduct a risk assessment that takes into consideration all relevant natural and human-caused risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, hybrid threats and other antagonistic threats, including terrorist offences.
  • Resilience measures: Critical entities must review their business and identify the relevant risks and the measures needed to ensure their resilience. Critical entities are also obligated to implement appropriate and proportionate technical, security and organizational measures to ensure their resilience: preventing incidents, ensuring adequate physical protection of premises, and responding to, recovering from and mitigating the consequences of incidents. Additionally, organizations are expected to train employees and exercise for incidents.
  • Background checks: Ensure that there is a process for conducting background checks on persons who hold sensitive positions in the organization.
  • Resilience plans: Organizations should document resilience plans or business continuity plans containing details of the resilience measures in place.
  • Notification obligations: Critical entities have a responsibility to notify the competent authority of incidents that significantly disrupt, or have the potential to significantly disrupt, the provision of an essential service. The notification must be made without undue delay and no later than 24 hours after becoming aware of the incident.
  • Point of contact: Organizations in scope should designate a point of contact and communicate it to the local authorities.
  • Review of risk assessments: The critical entity's risk assessment must be reviewed at least every four years, or whenever necessary, to assess all relevant risks that could disrupt the provision of its essential services.


Key requirements of CER Directive for EU Member States

As the purpose of the CER Directive is to strengthen the resilience of the EU and its Member States, it is also relevant to understand the Member State requirements of the directive. In brief, Member States must define a resilience strategy and conduct risk assessments to understand the consequences of potential all-hazard risks, and must identify the entities which are crucial for the economy and society. Member States must notify entities of their criticality, provide support to enhance their resilience, maintain an updated list of critical entities and report to the EU Commission.

 

Steps to fulfil requirements

The first requirement is to understand where your organization currently stands, and then to plan the next steps that prepare your organization to fulfil the regulatory needs. Organizations in scope should start preparing for CER soon. With our comprehensive expertise, and by utilizing your organization's already existing capabilities, we can address the regulatory needs in an integral manner and work towards CER compliance. Even though the deadline for identifying critical entities is set for July 17, 2026, the compliance requirements should be taken seriously, because non-compliance could lead to penalties. The directive itself does not set limits on fines, leaving their determination to national implementation.

We can help you identify the necessary action points so that your organization can take the first steps towards increased resilience readiness.


An example approach includes the following steps:

Readiness assessment: Gain a high-level overview of your organization’s key attention points on resilience and CER requirements, and identify the next steps and a roadmap for your journey towards a resilient organization.

Implementation of next-level resilience capabilities: all-hazard risk identification and assessment, identification of current resilience measures, development of new measures based on the risk assessment, and documentation of the resilience plans.

More information about the CER Directive:
EUR-Lex - 52020PC0829 - EN - EUR-Lex (europa.eu)
We at Deloitte are happy to discuss this further and provide more information on the matter.
