CER prioritizes three key areas

1. Enhancing resilience against various threats, including cyberattacks, natural disasters, and terrorist activities.
2. Protecting digital service users by fostering trust, minimizing exposure to illegal, harmful, or manipulative content.
3. Ensuring transparency and oversight, with specific regulatory requirements for monitoring digital service providers and enforcing transparency in critical entities' operational practices.

To meet these objectives, EU Member States must develop and implement a national strategy to enhance the resilience of critical entities. Entities covered by the strategy will be required to conduct risk assessments at least once every four years, identify risks that could significantly disrupt service delivery, implement appropriate measures to strengthen their resilience, and report incidents that impact their resilience to the relevant authorities.

Alongside the DORA regulation and the NIS2 directive, CER represents another key legislative instrument requiring careful preparation. However, it does not automatically impose direct obligations on individual entities; instead, each EU Member State must transpose its provisions into national legislation and define specific enforceable requirements. Besides, by January 2026, each Member State must develop a strategy to enhance the resilience of critical entities and subsequently, by July 2026, they are required to compile a list of critical entities. The final step is to submit a report on compliance with the directive's requirements to the European Commission by July 2027 at the latest.

Overall, CER thus serves as a framework of recommendations and measures designed to ensure the high resilience of identified critical entities, safeguarding essential services across the EU, and improving the functioning of the internal market. Adhering to the guidelines set forth by the European institutions is essential for enhancing security, building trust, ensuring regulatory compliance, and maintaining a strong reputation and competitiveness. Failure to prepare adequately or comply with CER requirements could lead to penalties or operational restrictions. Specific sanctions will be determined by national legislations.

Both the NIS2 directive and the DORA regulation share several common objectives with CER, particularly in terms of enhancing resilience and improving the security of critical sectors. While CER covers a broad range of industries, NIS2 also applies to many of these sectors, such as transport, energy, healthcare, and public administration. NIS2's focus is on strengthening the cybersecurity of network and information systems, emphasizing national cybersecurity strategies, risk assessments, incident response, and the protection of digital infrastructures. Both CER and NIS2 promote resilience strategies and national frameworks, but NIS2 places a distinct emphasis on cybersecurity risk management, providing more detailed provisions for IT security, including encryption, vulnerability management, and cyber crisis frameworks.

DORA, in comparison, is a directly applicable and sector-specific regulation, targeting banking, financial market infrastructures, and digital infrastructure. While CER and NIS2 are broader in scope, DORA concentrates on ICT risk management in the financial sector, with specific requirements for incident reporting, third-party risk management, and digital operational resilience testing. DORA aligns with CER in its goal to enhance resilience, particularly in the context of operational and business continuity, but it is more focused on the technological and digital aspects of resilience in the financial industry.

Our team of experienced professionals is ready to provide a comprehensive range of services to address your needs, from initial gap analysis to strategic advisory and implementation support.