
CER: Handle incidents effectively with a contingency plan

Published: 22.05.25

The core requirement of the CER Directive regarding incident management is to conduct a risk assessment and develop a contingency plan. DBI’s security advisors offer useful guidance.

What is incident management under the CER Directive?

Incident management in the CER Directive is about ensuring that companies covered by the directive have solid emergency preparedness, including a plan for handling incidents that could negatively affect the organization. The goal is to be proactive in preventing and managing potential risks.

In practice, this is not completely new territory. Many companies already have contingency plans in place, but the CER Directive makes it a formal requirement for a number of critical infrastructure entities. Previously, it was mainly companies with specific risks or those governed by emergency legislation that needed to address this. Now, the requirements extend to more industries.

The CER Directive doesn’t just require companies to manage incidents – it also mandates reporting them. This means that when a relevant incident occurs, it must be reported in a structured and timely manner to the competent authority. It’s important to note that only incidents with consequences for the delivery of critical services need to be reported.

How should companies approach this practically?

The first step is to carry out a risk assessment to identify which assets are essential and critical to the company, and what vulnerabilities and threats could have a negative impact. The assessment focuses on five main areas: people, buildings, operations, finances, and reputation. Common incidents that often appear in risk assessments include fires, supply failures, terrorism, and weather-related events (e.g., storm surges).

Once the risk assessment is complete, the next step is to develop a contingency plan with concrete procedures based on the identified risks. The plan should clearly define who does what if an incident occurs. It involves mapping out what the incident affects and deciding how to minimize the consequences – internally (who acts?) and externally (who gets informed?).

It’s advisable to create an internal process to quickly identify whether an incident must be reported, and who in the organization is responsible for the reporting. This reporting process should be an integral part of the contingency plan.

Employees must also be familiar with the contingency plan, including the incident handling procedures. If the plan is not well-known or accessible, it cannot be expected that employees will act appropriately in a crisis. Therefore, staff should be trained in incident management so it becomes embedded in the company’s culture.

The third step is to test the contingency plan during ‘peacetime’, evaluate how it performed, and make necessary adjustments. Evaluations should also take place after an actual incident. The incident should be analyzed to identify what worked well and where improvements are needed. This helps refine the plan and strengthens preparedness for next time.

A contingency plan that’s never been tested might be useless when a crisis hits. Exercises are crucial. These might include a crisis management drill in which executives respond to a scenario, or an evacuation drill to see how staff react in practice. The goal is to learn what works and what needs improvement.

What is a good approach?

The most important thing is that contingency planning doesn’t become a paper exercise, but is something alive within the organization. A good starting point is to gather the right people and dedicate time to a thorough risk assessment. This could take place as a workshop where all potential incidents are discussed – from low-probability but high-impact events to those that are more common.

It may be helpful to bring in an external facilitator to lead the risk assessment. An outsider can ask the questions that might otherwise be overlooked internally and ensure that all significant risks are objectively assessed.

Once the overview is in place, the next step is to prioritize: What are the most critical incidents? How can we reduce the risk? Where should we focus our resources? The key is to find the right balance between prevention and management. You can’t guard against everything, but you can ensure the best possible preparedness.

Companies within the same industry can benefit from sharing knowledge about risk assessments and contingency plans. This can offer insights into incidents others have experienced and how they were managed. Such a network can help uncover risks a company might not have considered.

Are there any pitfalls to watch out for?

A classic mistake is treating emergency preparedness as mere compliance – just having a plan to tick a box. If no one knows the plan or has tested it, the company is vulnerable in a real crisis.

Leadership buy-in is also crucial. If contingency planning is assigned to a single employee with minimal resources or authority, it’s hard to embed its importance across the organization. Preparedness requires executive involvement and an understanding that it’s a necessary investment.

Another pitfall is overlooking the reporting requirement. In a high-pressure situation, it can be tempting to focus only on response and operations, but the CER Directive requires that certain incidents be reported to the authorities within a specific timeframe. Failure to report can have both legal and operational consequences. That’s why there must always be clear internal procedures and assigned responsibilities for assessing whether an incident is reportable – and for actually submitting the report.

It’s also risky for a company to copy another organization’s plan or use a generic plan without tailoring it. That might seem like the easy way, but key differences can be missed, as every organization has its own unique challenges and conditions.

Finally, it’s important to understand that emergency preparedness is never finished. A plan that worked yesterday may not be sufficient tomorrow. Contingency plans must be regularly updated to remain useful and reflect the organization’s development and changes in its risk landscape.


Contact

Mette B. Westergaard
Security Advisor
+45 50 80 65 27
mew@dbigroup.dk

Matilde Møller Christensen
Security Advisor
+45 50 80 78 35
mmc@dbigroup.dk