The CER Directive is an EU regulation, put into effect by the European Parliament on January 16, 2023, replacing the previous European Critical Infrastructure Directive from 2008. The CER Directive aims to strengthen the resilience of essential entities and infrastructure across Europe, and of businesses operating in the EU, by providing a more robust framework for securing vital services and infrastructure. Although the NIS 2 and CER Directives are aligned, the CER Directive differs by setting rules to reduce the vulnerabilities and strengthen the physical resilience of critical entities.
EU Member States must adopt and publish the necessary measures to comply with the CER Directive by 17 October 2024.
The previous Directive covered only the energy and transport sectors and lacked a harmonized approach to the protection of critical national infrastructure by Member States, undermining the “level playing field” in Europe. The updated CER Directive places emphasis on the Commission, Member States, and 11 sectors in total, 6 of them new, using an all-hazards approach to resilience requirements.
As the purpose of the CER Directive is to strengthen the resilience of the EU and its Member States, it is also relevant to understand the Member State requirements of the directive. In brief, the Member States must define a resilience strategy and conduct risk assessments to understand the consequences of potential all-hazard risks and to identify entities that are crucial for the economy and society. Member States must notify entities of their criticality, provide support to enhance their resilience, maintain an updated list of critical entities, and report to the EU Commission.
The first requirement is to understand where your organization currently stands, and then to plan the next steps that prepare your organization to fulfil the regulatory needs. Organizations in scope should start preparing for CER soon. With our comprehensive expertise and the use of your organization's existing capabilities, we can address regulatory needs in an integral manner and work towards CER compliance. Even though the deadline for identifying critical entities is set for July 17, 2026, the compliance requirements should be taken seriously, because non-compliance could lead to penalties. The directive itself does not set limits on fines, leaving the determination to national implementation.
We can help you identify the necessary action points so that your organization can take the first steps to increase its readiness for resilience.
An example approach includes the following steps:
Readiness assessment: Gain a high-level overview of your organization’s key attention points on resilience and CER requirements, and identify the next steps and roadmap for your journey towards a resilient organization.
Implementation of the next-level resilience capabilities: all-hazard risk identification and assessment, identifying current resilience measures, developing new measures based on the risk assessment, and documenting the resilience plans.
More information about the upcoming CER Directive:
EUR-Lex - 52020PC0829 - EN - EUR-Lex (europa.eu)
We at Deloitte are happy to discuss this further and provide more information on this matter.