Europe’s CER Directive: Why Compliance Isn’t Enough

The deadline is approaching. By 17 July 2026, EU Member States must identify their critical entities under the Critical Entities Resilience (CER) Directive, and once that list is published, the pressure shifts squarely onto those entities and their suppliers. First compliance deadlines follow in May 2027, meaning now is the time to turn awareness into action.

 

We recently brought together two leading experts to unpack what that looks like in practice. Their verdict was clear: organisations that treat CER as a compliance exercise are already approaching it wrong. Read on for the key takeaways or jump straight to the full on-demand webinar featuring Christel Teglers (Kromann Reumert) and Patrick Moloney (Ramboll). 

 

What Makes CER Different 

Unlike NIS2, which is focused on cybersecurity, CER demands something broader: all-hazards resilience. That includes physical security, operational continuity, and supply-chain risk management across 11 critical sectors, including energy, transport, banking, and health. This isn’t a matter of ticking boxes in a security audit. It’s a mandate to ensure that essential services can withstand and recover from incidents regardless of their cause, whether that is a cyberattack, flood, supplier failure, or geopolitical disruption. The mandate also extends beyond the entities directly named as critical. Even if you only supply a critical entity, you are likely inside the perimeter of their resilience obligations.

 

The Real Obstacles Are Internal 

Christel Teglers, Partner at Kromann Reumert, explains: “Almost all the things that entities struggle with in practice are not really because of the requirements. It’s because of all the internal hassle. It’s because of all the silos. It’s because of the lack of registers or inventories.” 

 

This is one of the most important perspectives for any leadership team approaching CER. The directive is not the hard part; the organisational reality is. Christel points to siloed teams that don’t share information, missing asset registers and infrastructure inventories, unclear ownership of cross-functional risk processes, and incident reporting workflows that exist on paper but have never been tested under pressure. These are the things that derail implementation, and they’re all fixable if you start preparing now.

 

Compliance-First Thinking Will Backfire 

The temptation with any new regulation is to assign it to a legal or compliance team, produce a gap analysis, and work through requirements item by item. That approach has a poor track record with resilience mandates, and CER is no exception. 

 

Patrick Moloney, Global Director of Sustainability & Resilience Advisory at Ramboll, is direct on this point: “The team that will handle it the best are those that don’t treat it as a compliance exercise. Seeing it as a must-do, as a business imperative, rather than a compliance.”

 

That means treating CER as what it actually is: a strategic imperative. Resilience built to pass an audit is fragile. Resilience becomes real, rather than merely documented, when it is built because leadership genuinely believes continuity is a competitive advantage.

 

The Supply Chain Dimension 

CER’s all-hazards framing also makes supply-chain risk a central concern. Critical entities are expected to understand their dependencies and ensure that key suppliers meet appropriate resilience standards. 

In practice, this cascades obligations across the supply chain. A utility may be named as a critical entity; its software vendor, maintenance contractor, or logistics provider may face indirect pressure to show their own resilience posture. Due diligence processes, contractual requirements, and supplier assessments are all likely to become more rigorous as the July deadline approaches and Member States begin enforcement activity. For suppliers who haven’t started thinking about this, the window to get ahead of it is closing. 

 

What Good Preparation Looks Like 

Here is what organisations can do to prepare before the July 2026 deadline: 

 

  • Map their critical functions and dependencies honestly. This is not about the idealised version, but the real operational picture, including single points of failure and undocumented workarounds. 
  • Assign clear cross-functional ownership, with a resilience lead who has the authority to drive workstreams across legal, operations, IT, procurement, and communications.
  • Build 24-hour incident reporting capability that has been tested, not just described in a policy document.
  • Leverage existing compliance work from NIS2, DORA, ISO 22301, or sector-specific frameworks rather than starting from scratch. CER overlaps significantly with other mandates, and smart organisations are integrating rather than duplicating.

The organisations that come through this period well will be the ones that used regulation as a forcing function and a real opportunity to build something genuinely resilient. 

If you want to learn more, watch the full on-demand webinar featuring legal expert Christel Teglers (Kromann Reumert), resilience advisor Patrick Moloney (Ramboll), and the team at Human Risks for a detailed breakdown of CER scope and practical tools for audit readiness. 
