Skip to main content
Analysis:
Analysis

The Critical Entities Resilience (CER) directive

What the CER means for your organisation

The CER (Critical Entities Resilience) directive strengthens the physical, digital and economic resilience of organisations that provide essential services. In the Netherlands the directive is implemented through the Wet weerbaarheid kritieke entiteiten (Wwke). The law places obligations on organisations designated as critical entities and on organisations that provide significant services to these critical entities.

If you are, or may become, a critical entity, start a Readiness Assessment now — not only to confirm compliance, but to secure a strategic advantage through better operational efficiency, stronger incident resilience and greater confidence from customers and regulators.

Download: CER/Wwke Readiness Assesment
Download PDF (300KB) View PDF

Timeline


The Wwke is the Dutch national implementation of the European Critical Entities Resilience (CER) Directive. Transposition into national law will take place in phases. In the Netherlands the Wwke requirements are expected to come into force around Q2 2026. Member States and supervisory authorities will publish implementation rules and designation criteria in steps. Early action is therefore essential.

Background

The CER is an EU directive to boost resilience of critical infrastructure against natural disasters, sabotage, terrorism and other disruptions. The Wwke is the Dutch implementation of the CER. The laws require risk assessments, timely incident notification, recovery and protection measures, and demonstrable governance.

Organisations whose service outage would have significant societal impact are in scope. Examples of typical sectors are: energy, drinking water, wastewater, health, transport, food production and distribution, digital infrastructure, financial market infrastructure and space. Formal designation is done by the responsible ministry per sector. Major suppliers and key chain partners could also fall into scope when their failure causes domino effects.

NIS2 focuses mainly on cyber and ICT resilience. CER/Wwke takes a broader view, covering physical, operational and climate risks as well as digital risks. DORA applies specifically to financial institutions; overlap exists but some rules differ. Organisations already working on NIS2 or DORA can often reuse elements for CER/Wwke compliance.

Core requirements

  • Integrated risk assessments covering natural and man made risks, including climate and disaster scenarios;
  • An incident reporting structure for events that significantly disrupt the delivery of essential services — Critical entities must make an initial report to the competent authority within 24 hours, unless the critical entity is operationally unable to do so.
  • Specific business continuity and recovery measures (BCM): plans, alternative suppliers, recovery scenarios and restoration procedures;
  • Adequate physical security and personnel security, including access control, detection measures and, where required, background checks;
  • Incident, crisis and communication protocols, together with regular exercises and training.

Continuity, crisis and physical security planning, including recovery plans and alternative operating arrangements; identification of Interests to be Protected (ITP), (tabletop-) exercises and other training drills to test plans and procedures; clear reporting and escalation routes to the regulator and to internal stakeholders.

Non compliance can lead to operational outages and higher recovery costs, reputational damage and loss of trust among customers and partners, increased insurance premiums and potential enforcement action — for example, a financial penalty under the Wwke of up to €10 million and/or up to 2% of global annual turnover.

Preparation

Start with a structured approach: map your organisation’s critical processes and dependencies to identify which services are essential for the delivery of critical services, carry out a Business Impact Analysis (BIA) and objective risk assessments that include natural, human‑caused and climate scenarios, and test your reporting and response routes with simple exercises. Begin with concrete quick wins and scale these into formal governance, monitoring and continuous improvement. 

Based on the scope of critical services and the dependencies identified in the BIA, review the presence, adequacy and effectiveness of existing controls and measures. Establish whether current arrangements are sufficient or whether additional or more extensive measures are required to meet CER/Wwke expectations.

Readiness Assessment provides insight into the current status of measures linked to the CER (Critical Entities Resilience) / Wwke within an organisation. It identifies gaps, prioritises improvements and delivers a pragmatic roadmap of recommended actions to raise readiness, assign responsibilities and support compliance.

Typical domains assessed include risk assessment (including climate and disaster risks), reporting structure and governance, awareness and training, business continuity and recovery capabilities (RTO/RPO and alternate sites), physical security, and incident and crisis management.

What we offer

A compact Readiness Assessment to quickly establish where your organisation stands against Wwke requirements. You will receive a gap analysis, domain by domain  scores and a pragmatic action plan outlining the priority improvements and recommendations.

An interactive Wwke realisation lab to raise awareness and translate the implications of the legislation into concrete steps. Together with stakeholders we define actionable measures and a delivery plan to achieve compliance.

Practical support from setting up BCM governance and recovery capabilities to implementing physical security measures, notification procedures and tabletop exercises. We help implement solutions and deliver targeted training where required.

Support to embed measures into policies and routines, governance, roles and responsibilities, and monitoring. So resilience becomes business as usual rather than a one off project.

Hands on tools and artefacts, including templates, playbooks and test scenarios, to accelerate implementation and testing.

Benefits of implementation

Better preparedness shortens downtime and limits financial and societal damage in the event of an incident.

Clear processes, responsibilities and contingency plans reduce disruption and increase day to day efficiency.

Demonstrable resilience builds confidence with customers, regulators and the public and supports reputation management.

Improved risk management can lead to lower recovery costs and a stronger business case for investments in resilience.

Redundancy, alternative suppliers and robust recovery capabilities lower reliance on other critical entities and on vulnerable links in the value chain.

Organisations that invest proactively in resilience are more competitive, better able to adapt and quicker to respond to unforeseen situations.

Documented measures make you better prepared for oversight and allow you to demonstrate compliance and progress.

Readiness Assessment 

The Readiness Assessment is a practical guide, including a sample gap analysis, to quickly determine where your organisation stands and which steps are needed to become Wwke ready. Want to know where your organisation stands? Download the Readiness Assessment and for further questions or interest contact Danny Tinga, Reinder Ubbens or Jurgen Schot

Download de Readiness Assesment

Did you find this useful?

Yes
No

Thanks for your feedback

Your feedback is important to us

To tell us what you think, please update your settings to accept analytics and performance cookies.

Need help updating cookies?

Neem contact op

Danny Tinga

Danny Tinga

Partner | Resilience, Crisis & Reputation
+3188 288 7951
Reinder Ubbens

Reinder Ubbens

Director
+31612312567

Onze visie

Whole-of-society

Ontdek hoe Nederland zich kan wapenen tegen toenemende geopolitieke spanningen en cyberdreigingen door middel van publiek-private samenwerking. Onze open economie vraagt om een gezamenlijke aanpak van overheden, bedrijven en burgers. Leer meer over hoe strategische autonomie en concrete stappen naar weerbaarheid ons land veiliger maken.
Industry

Drie minuten over veerkracht en vertrouwen

In een drie minuten durende podcastserie over veerkracht en vertrouwen delen experts van Deloitte Risk Advisory belangrijke inzichten om kennis op te doen over hoe je een weg vooruit kunt inslaan en je organisatie kunt versterken.
Perspective

Trust in supply chains

Onderzoek toont aan dat leidinggevenden het vertrouwen van klanten in de bedrijfsvoering van hun organisatie kunnen overschatten. Wilt u weten hoe ze die kloof kunnen dichten om betrouwbaardere toeleveringsketens op te bouwen en hoe u de financiële prestaties kunt verbeteren? Lees het artikel hier.
Research

Crisismanagement | Deloitte

Versterk uw organisatie met onze crisismanagementdiensten, gericht op strategisch en reputatierisico en incidentmanagement. Onze risk advisory biedt AI-gedreven diensten om crises effectief te navigeren en te mitigeren.
Service

Let's connect

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more. 

In The Netherlands the services are provided by independent subsidiaries or affiliates of Deloitte Holding B.V., an entity which is registered with the trade register in The Netherlands under number 40346342.

© 2025. For information, contact Deloitte Global.