New CER Directive to strengthen critical infrastructure in the EU

Published: 18.08.23

A new directive aims to improve companies in selected sectors in preventing, managing and recovering from hybrid attacks, natural disasters, terrorist threats and public health crises. The requirements may also include subcontractors.

The climate is suffering from heatwaves, natural disasters are queuing up, and Europe is in its second year of war. In other words, there are many things that can potentially affect important sectors such as energy, transport, telecommunications and health.

In retrospect, it was a matter of due diligence when the European Commission presented a proposal for a directive on the resilience of critical entities in December 2020. The Critical Entities Resilience Directive (CER) came into force at the beginning of 2023 together with the NIS2 Directive, which it also shares many similarities with, and the EU member states now have until mid-October 2024 to implement CER on a national level.

“Where NIS2 is primarily about cyber and information security, CER focuses on critical infrastructure – both analogue and digital – in terms of e.g. natural disasters, sabotage and supply chain disruption. The aim is to strengthen the resilience of critical infrastructure in the EU. CER must ensure that important sectors are able to withstand and respond to different types of crises, thereby protecting society and maintaining the continuity of vital services and functions," explains Rami Ezzeddine, security advisor at DBI.

Risk assessments and reporting

As mentioned, the CER must first be implemented in the EU Member States, but according to Rami Ezzeddine, it is highly likely that it will require regular risk assessments of companies in sectors covered by the directive. In addition, ongoing reporting must be submitted to relevant authorities to ensure some form of control of the measures taken to increase resilience. It will also probably involve the preparation of contingency plans.

“Perhaps just as relevant, some of the requirements, as with NIS2, may also include subcontractors to the companies, potentially creating a whole plethora of SMEs that are also affected by CER,” says Rami Ezzeddine and continues:

“At the same time, it will be interesting to see how far-reaching the implementation of the directive will be in Denmark. Whether, for example, companies in the food sector will include suppliers of food to nursing homes or the Swedish Armed Forces.”

Special Directive on Financial Entities

Rami Ezzeddine states that CER and NIS2 are two out of three EU directives. Running parallel to CER and NIS2 is also a special Digital Operations Resilience Act (DORA), which aims to strengthen IT security for financial entities such as banks, insurance companies and investment firms.

Read more

Facts about CER

The Critical Entities Resilience Directive (CER) aims to strengthen the resilience of critical infrastructure in the EU.

Critical entities are entities that provide essential services essential to the maintenance of vital societal functions, economic activities, public health, public safety and the environment. They must be able to identify, prevent, protect against, respond to, manage and recover from hybrid attacks, natural disasters, terrorist threats and public health crises. Certain central public administrations will also be subject to certain provisions of the draft directive.

EU Member States will have a national strategy to identify the critical entities providing essential services, increase their resilience and carry out a risk assessment at least every four years.

The CER covers the energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space and food sectors.

Also read: New EU directive tightens cyber security requirements


Jesper Florin
Head of Security
Certified Security Advisor®, CFPA
Certified Business Continuity Professional (CBCP), DRII

+45 50 80 96 26