CER Directive

Critical Entities Resilience Directive

EU/2022/2557

Creates a comprehensive framework for physical and digital security, requiring Member States and critical entities to assess risks and implement measures against disruptions like natural disasters, terrorism, and cyberattacks.

It mandates national strategies, risk assessments, and identification of critical entities, applying from October 2024 onwards.

Key Aspects of the CER Directive

Purpose:

To ensure vital societal functions and economic activities aren't disrupted by any incident, covering natural hazards, terrorism, sabotage, and public health emergencies.

Scope Expansion:

Covers 11 sectors, significantly broadening from the old directive's focus on just energy and transport, adding banking, health, digital infrastructure, water, food, space, public administration, and financial market infrastructure.

Framework:

Creates an overarching EU framework for physical resilience, complementing the NIS2 Directive (Network and Information Security) which focuses on cyber resilience.

Obligations:

Member States: Develop national strategies, conduct risk assessments (by Jan 2026), and identify critical entities (by July 2026).

Critical Entities: Understand and analyze risks, implement measures to prevent, withstand, absorb, and recover from disruptions.

Timeline:

Entered into force in January 2023, with transposition by Member States by October 17, 2024, and application starting October 18, 2024.

In Simple Terms

Think of the CER Directive as an EU-wide rulebook for essential services (like power grids, hospitals, banks, major transport) to make sure they can handle big crises, not just cyberattacks, but also floods, pandemics, or even acts of terror, keeping society running smoothly.