Understanding the CER Directive: What It Means for Critical Infrastructure in Europe

A major shift is underway in how Europe protects its critical infrastructure — and it’s set to reshape risk management, supply chains, and operational resilience across sectors. 

This transformation comes in the form of the CER Directive (Directive (EU) 2022/2557), an EU-wide law designed to strengthen the physical security and operational resilience of essential services in sectors such as energy, water, health, digital infrastructure, and more. 

Although timelines and implementation vary by country, the message is clear: resilience is no longer optional, it’s expected. 

What Is the CER Directive?

The Critical Entities Resilience (CER) Directive was introduced in January 2023, alongside its digital sibling, NIS2. While NIS2 focuses on cybersecurity, CER addresses physical and operational threats, such as natural disasters, sabotage, insider threats, and system failures. 

Its objective is to ensure that organisations providing essential services can withstand, respond to, and recover from disruption, so that, by extension, the societies and economies that rely on them can too. 

In short: it’s about keeping essential services running, no matter what happens. 

A Staggered but Active Rollout Across Europe

Under EU law, all Member States were required to transpose CER into national law by 17 October 2024. In practice, many countries missed that deadline, prompting formal notices from the European Commission. 

Some examples of current status: 

  • Ireland successfully enacted the CER Directive via Statutory Instrument No. 559 of 2024 and is now a model for practical implementation. 
  • The Netherlands published a draft law in early 2025, with public consultation closing in March and enforcement expected in Q3 2025. 
  • Denmark is targeting July 2025 for full enforcement. 
  • Other Member States are still finalizing their national risk assessments and critical entity identification strategies, all of which must be complete by July 2026. 

Despite the different speeds, the end goal is the same: a coordinated, EU-wide approach to resilience. 

Which Sectors Are Affected?

The CER Directive applies to 11 critical sectors, including: 

  • Energy (electricity, oil, gas) 
  • Transport (road, rail, air, maritime) 
  • Banking and financial market infrastructure 
  • Health 
  • Drinking water and wastewater 
  • Digital infrastructure (data centers, cloud services, IXPs) 
  • Public administration 
  • Space 
  • Large-scale food production and distribution 

If your organisation operates in or supports one of these sectors, you may be designated as a “critical entity” under the directive, and that comes with new responsibilities. 

Key Requirements for Critical Entities

Once designated, critical entities must meet the following obligations: 

  • Risk assessments: identify physical and operational threats, including those originating in your supply chain. 
  • Resilience planning: document how you’ll prevent, respond to, and recover from disruptions. 
  • Physical protection: implement appropriate controls, from surveillance to emergency planning. 
  • Supplier evaluation: extend your risk lens to include key third parties and dependencies. 
  • Incident reporting: notify authorities within 24 hours of a significant service disruption and submit a full report within one month. 

Importantly, CER recognises that many critical disruptions cross borders. If your organisation operates in six or more Member States, you may be classified as a “critical entity of particular European significance”, subject to additional oversight and coordination at the EU level. 

The Supply Chain Dilemma

One of the most pressing aspects of CER is its impact on supply chains. While the Directive holds critical entities accountable, it also makes clear that resilience is a shared responsibility, stretching to partners, suppliers, and subcontractors. 

The question is no longer just “Are we compliant?” 
It’s “Are they compliant, and how do we know?” 

This places a real burden on security and compliance teams, many of whom already struggle with visibility into third-party risks. However, it also presents an opportunity to elevate supply chain standards and build more robust partnerships. 

A Heavy Burden?

This approach might make sense from a regulatory standpoint, but it places a heavy operational burden on already-stretched teams. 

It also raises some key questions: 

  • How far down the chain should compliance go? 
    Is it realistic (or even possible) to audit every subcontractor? 
  • Do most organisations have the capacity to assess physical risks across all third parties? 
    Many don’t even have full visibility into their own risk posture, let alone their suppliers’. 
  • What happens if one weak link brings down the chain? 
    The directive doesn’t provide all the answers, but the potential consequences are real, both in terms of service disruption and regulatory penalties. 

Why Now Is the Time to Act

If your organisation is likely to fall under the CER Directive, or if you supply those that do, the time to prepare is now. Here’s how we could help you today: 

  1. Map Your Critical Infrastructure

Start by identifying your most important assets, locations, and systems, including any external partners or dependencies that directly impact service delivery. 

  2. Assess Physical Risks

Don’t just look at cyber threats. Evaluate risks like fire, flooding, power outages, physical intrusion, and vandalism, especially in remote or third-party-operated sites. 

  3. Engage Suppliers

Begin conversations with your key vendors. Understand their security posture, request documentation, and consider adding resilience requirements into contracts. 

  4. Document Controls and Plans

Create (or update) your resilience plans. Be ready to show regulators how your organisation is protecting itself and its customers. 

Final Thoughts

The CER Directive is more than a regulation. It reflects a shift in mindset: resilience is no longer an internal issue, it’s systemic. 

From massive data centers to local subcontractors, the security of Europe’s critical infrastructure now depends on every link in the chain. And that means organisations need new ways of seeing, understanding, and managing risk, both inside and outside their walls. 

We’ll be closely following how EU countries implement the CER Directive into practice. There will be grey areas. There will be challenges. But there’s also a real opportunity here: to build a more secure, connected, and resilient Europe, one supply chain at a time. 

Need Help Getting Started?

If your organisation is affected by the CER Directive, or if you’re unsure whether you are, we’re here to help. Human Risks is a comprehensive security risk management platform designed to help security teams drive effective engagement with asset owners from the ground up.

Across eight core modules, Human Risks helps organisations proactively embed security risk management into everyday business processes: providing clarity on risk accountability, streamlining collaboration, and supporting a dynamic, living risk assessment approach.

Interested in learning more? Connect with the team to see how we’re working with leading organisations to foster proactive security cultures and drive strategic engagement.
