CER: Find and close the gaps to limit access to your business

Published 14.04.25

The CER Directive on the Resilience of Critical Entities requires that companies within critical infrastructure have adequate physical security. However, the directive doesn’t specify how to implement it. Jesper Florin, head of DBI’s Security and Resilience Department, provides the answers.

What does physical security (fences, locks and access control, surveillance, etc.) mean in the context of the CER Directive?

The CER Directive requires companies to carry out a risk assessment and evaluate how best to secure themselves physically based on the specific threat level. This can be described in a security plan that supports the points the CER Directive requires. Adequate physical security must be in place, but the directive does not define exactly how this should be done. If a company is large enough to have a policy describing how it implements its security, then a security plan will typically be structured beneath that policy.

Physical security is fundamentally about keeping unauthorized persons out, being able to detect intrusion attempts, and being able to verify what has happened. This means security solutions typically include outer protection, which can consist of fences, CCTV surveillance, and distance to buildings. In addition, access control through gates and doors at building entrances and an alarm system inside the building are included.

How companies choose to approach this depends entirely on their risk assessments and the sector responsibilities where guidance and guidelines are provided. Some may already have a receptionist who registers visitors, which can meet some of the access control requirements. But what if a door is left unlocked, or a gate to the production area is consistently left open? Then there are holes in the access control.

What exactly should companies do?

Companies should start with a risk and vulnerability assessment, where they analyze how their employees, buildings, production, and knowledge can be accessed, and how best to protect them. A good, practical exercise is to stand in front of the business and think: “If I were trying to get in, how would I do it?” Many companies have never had to consider themselves part of critical infrastructure before, so it can be advantageous to involve external consultants with experience in security and protection.

The assessment should also cover contingency planning for operations and service delivery, and companies must have plans for what to do if their security systems fail. For example, if a gate control breaks down and the access control is thereby disabled, what is the alternative? Should a guard be stationed on-site? How can you ensure the system is restored quickly? It’s important that companies don’t just install security systems without considering the consequences if they fail.

The CER Directive also emphasizes that a company’s security culture should be cultivated and trained. It’s not just about securing buildings but also about behavior and procedures. It’s no use having access control if people just wedge the door open because they find it too inconvenient to use their cards. If no one enforces the security procedures, companies risk that the systems become more of a formality than real protection.

What is a good approach?

An effective approach is to work with a layered security model, where perimeter protection with fences and surveillance acts as the first barrier. Then comes access control on doors and gates, as well as registration of who comes and goes. Surveillance and detection should ensure that unwanted activity is discovered, while a plan for verification and response ensures that incidents are dealt with when they occur.

Physical protection such as fencing should not stand alone but should be integrated with electronic solutions. Surveillance should not only be used to record incidents but also to respond in real time. If a camera detects a person in a restricted area, there must be a clear procedure for how this is handled. Should a guard be dispatched? Should the police be contacted? And how quickly should a response occur?

It’s also important to align expectations with security suppliers. If a company orders 100 cameras without considering blind spots or how surveillance is used in practice, they may end up with a solution that doesn’t meet their needs. On one hand, companies should listen to and benefit from the suppliers’ expertise. On the other hand, they must also get involved and ensure that the solutions match their risk assessments and actual needs.

Furthermore, ongoing checks and tests are necessary. Companies should test at least once a year whether their security measures are functioning as expected. For example, test whether access control actually works, whether the alarms respond correctly, and whether people actually follow the rules that have been put in place.

Are there pitfalls to be aware of?

One of the biggest pitfalls is that companies risk investing in expensive security solutions without ensuring that they actually meet their needs. There’s little point in having cameras installed if no one reacts when an alarm goes off. Companies should always ask themselves what the purpose of a given security measure is and whether it truly fulfills that purpose.

There is also the behavioral aspect. If employees don’t understand why there is access control, they will find their own shortcuts. It’s important to involve employees in the process so they understand the necessity. On the other hand, the security measures shouldn’t be so cumbersome that they hinder day-to-day operations.

Lastly, companies should remember that physical security is not only about preventing intrusion but also about ensuring operations. Therefore, physical security should be described in a security plan and integrated with a contingency plan.