The Critical Entities Resilience (CER) Directive 2022/2557, forming a set of EU guidelines and recommendations aimed at reducing vulnerabilities and enhancing the resilience of critical entities against various threats, came into effect in 2024. Adopted on December 14, 2022, it replaced the European Critical Infrastructure Directive 2008/114 which had been limited to selected sectors and covered only specific aspects of resilience. The updated rules in CER aim to strengthen the resilience of critical entities against a broad spectrum of threats, including natural disasters, terrorism, hybrid threats, insider threats, and sabotage across multiple industries.
CER defines critical entities as those essential for maintaining the continuity of societal and economic functions in the EU. An entity is classified as a critical entity of European significance if it provides fundamental services in at least six EU Member States and operates within one of the 11 designated sectors deemed essential for maintaining key societal functions, economic activities, public health and safety, or environmental security, including
Critical entities face risks not only from natural disasters but also from targeted attacks by hackers or terrorist groups, highlighting the need for comprehensive protection and resilience-building measures. Under the CER Directive, EU Member States are required to identify critical entities by July 17, 2026, and support them in fulfilling their obligations stemming from CER.
CER prioritizes three key areas
To meet these objectives, EU Member States must develop and implement a national strategy to enhance the resilience of critical entities. Entities covered by the strategy will be required to conduct risk assessments at least once every four years, identify risks that could significantly disrupt service delivery, implement appropriate measures to strengthen their resilience, and report incidents that impact their resilience to the relevant authorities.
Alongside the DORA regulation and the NIS2 directive, CER represents another key legislative instrument requiring careful preparation. However, it does not automatically impose direct obligations on individual entities; instead, each EU Member State must transpose its provisions into national legislation and define specific enforceable requirements. In addition, by January 2026, each Member State must develop a strategy to enhance the resilience of critical entities, and subsequently, by July 2026, it must compile a list of critical entities. The final step is to submit a report on compliance with the directive's requirements to the European Commission by July 2027 at the latest.
Overall, CER thus serves as a framework of recommendations and measures designed to ensure the high resilience of identified critical entities, safeguarding essential services across the EU and improving the functioning of the internal market. Adhering to the guidelines set forth by the European institutions is essential for enhancing security, building trust, ensuring regulatory compliance, and maintaining a strong reputation and competitiveness. Failure to prepare adequately or to comply with CER requirements could lead to penalties or operational restrictions. Specific sanctions will be determined by national legislation.
Both the NIS2 directive and the DORA regulation share several common objectives with CER, particularly in terms of enhancing resilience and improving the security of critical sectors. While CER covers a broad range of industries, NIS2 also applies to many of these sectors, such as transport, energy, healthcare, and public administration. NIS2's focus is on strengthening the cybersecurity of network and information systems, emphasizing national cybersecurity strategies, risk assessments, incident response, and the protection of digital infrastructures. Both CER and NIS2 promote resilience strategies and national frameworks, but NIS2 places a distinct emphasis on cybersecurity risk management, providing more detailed provisions for IT security, including encryption, vulnerability management, and cyber crisis frameworks.
DORA, in comparison, is a directly applicable and sector-specific regulation, targeting banking, financial market infrastructures, and digital infrastructure. While CER and NIS2 are broader in scope, DORA concentrates on ICT risk management in the financial sector, with specific requirements for incident reporting, third-party risk management, and digital operational resilience testing. DORA aligns with CER in its goal to enhance resilience, particularly in the context of operational and business continuity, but it is more focused on the technological and digital aspects of resilience in the financial industry.
Our team of experienced professionals is ready to provide a comprehensive range of services to address your needs, from initial gap analysis to strategic advisory and implementation support.