Skip to main content
5 minute read

Critical Entities Resilience (CER) – Are you Ready?

In today’s BANI (Brittle-Anxious-Non-Linear-Incomprehensible) world, the resilience of essential services is critical to safeguarding Europe’s social and economic stability.

To address growing physical threats, including terrorism, sabotage, and natural disasters, the European Union has introduced the Critical Entities Resilience (CER) Directive. Complementing key regulations such as NIS2 (Network and Information Systems Directive) and DORA (Digital Operational Resilience Act), the CER Directive reinforces the EU’s commitment to protecting vital infrastructure and strengthening collective resilience across public and private sectors, taking an all-hazard approach.

Critical Entities Resilience (CER) – Are you Ready?
Download PDF (134KB) View PDF


The countdown has begun. Belgium has officially implemented a landmark law on the resilience of critical entities, transposing EU CER Directive 2022/2557 into national legislation. If your organization operates in one of the below sectors, this is not a future concern —it’s an immediate priority. 

  • Banking
  • Financial market infrastructure
  • Digital infrastructure
  • Transport
  • Energy
  • Health
  • Drinking water
  • Wastewater
  • Public administration
  • Space
  • Production, processing and distribution of foods

As a sectoral authority, by 17 July 2026, you will designate within your respective sector, critical entities. The Belgian transposition of the CER Directive introduces a set of mandatory obligations for designated critical entities, focusing on the continuity of essential services through proactive risk management and resilience planning. 

As a critical entity, understanding these core requirements is the first step towards building a robust compliance framework.  

Within 6 months after notification

Appoint a dedicated CE Point of Contact (art. 16)
The PoC coordinates with the competent authorities, manages all CER-related obligations internally and is available 24/7.

Within 9 months after notification

Conduct a comprehensive all hazards risk assessment (art. 17)
When assessing risks, the CE takes into account the sectoral risk assessment as well as threat analysis by OCAM and accounts for independencies with other sectors. 

Within 10 months after notification

Develop a CE Resilience Plan (WPE/PRE) (art. 18)
Based on the results of the risk assessment, the CE develops and implements a robust plan including the inventory of critical infrastructure and covering prevention, protection, response and recovery. 

*WPE = Weerbaarheidsplan van de entiteit / PRE = Plan de résilience de l’entité

After completion of WPE/PRE

Regularly conduct exercises and simulations (art. 18)
Such exercises and tests validate the effectiveness of the WPE/RPE and ensure organizational readiness for real-world incidents.

From the start

Establish an incident notification process (art. 20)
CE must notify competent authorities without delay and at latest within 24 hours of an incident that significantly disrupts or could disrupt the provision of essential services.

Below are the definitions:

  • Resilience = a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident.
  • Critical Entity = a public or private entity designated by a Member State that provides an essential service. 
  • Essential Service = a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment.
  • Critical Infrastructure = an asset, a facility, equipment, a network or a system, or a part of an asset, which is necessary for the provision of an essential service. 

Get in touch

Koen Magnus

Koen Magnus

Enterprise Risk Leader, Deloitte Belgium
+ 32 2 800 24 43
Stijn De Win

Stijn De Win

Enterprise Risk Director
+ 32 2 800 22 30
Kim Speijer

Kim Speijer

Enterprise Risk Director, Deloitte Belgium
+ 32 2 800 22 41

Did you find this useful?

Yes
No

Thanks for your feedback

Your feedback is important to us

To tell us what you think, please update your settings to accept analytics and performance cookies.

Need help updating cookies?

Recommendations

Operational Resilience: The Cornerstone of Modern Organizations

Operational resilience refers to an organization's ability to anticipate, prepare for, respond to, and adapt to sudden disruptions and changing environments. 
Perspective
5 minute read
Blog

Operational Resilience: The role of the Board

In an era where the threat landscape has become increasingly complex, organizations face an array of challenges that can have significant consequences. From cyber attacks and natural disasters to geopolitical conflicts and supply chain disruptions, the risks are multifaceted and often interconnected.
Perspective
5 minute read
Blog

Investing in resilience

All organisations now face increased regulatory and governmental scrutiny over their resilience both to planned change and unexpected shocks. Broadly speaking, these regulatory initiatives aim to minimise impact to customers, the organisation and the sectors in which they operate when disruptions occur.
Perspective
5 minute read
Blog