The CER Directive (Critical Entities Resilience Directive, EU 2022/2557) is European legislation that requires organizations providing essential services to strengthen their resilience against all types of threats, including physical attacks, natural disasters, supply chain failures, and geopolitical disruption. It applies across 11 critical sectors and replaces the older European Critical Infrastructure Directive with a far broader mandate: not just protecting assets, but ensuring essential services continue to function no matter what happens.
The deadline is approaching. By 17 July 2026, EU Member States must identify their critical entities under the Critical Entities Resilience (CER) Directive, and once that list is published, the pressure shifts squarely onto those entities and their suppliers. First compliance deadlines follow in May 2027, meaning now is the time to turn awareness to action.
We recently brought together two leading experts to unpack what CER compliance looks like in practice. Their verdict was clear: organisations that treat CER as a compliance exercise are already approaching it wrong. Read on for the key takeaways or jump straight to the full on-demand webinar featuring Christel Teglers (Kromann Reumert) and Patrick Moloney (Ramboll).
The CER Directive entered into force in January 2023 as the physical resilience counterpart to NIS2, which covers cybersecurity. Together, the two directives form the EU's answer to a threat landscape where sabotage, hybrid attacks, extreme weather, and cascading supply chain failures can disrupt essential services just as effectively as any cyberattack.
Where the previous European Critical Infrastructure Directive focused narrowly on protecting individual assets in energy and transport, the CER Directive shifts the focus to resilience: the ability of an entire organisation to anticipate, absorb, and recover from disruption. According to the European Commission, Member States were required to transpose the directive into national law by 17 October 2024, and many have introduced national legislation that goes further than the EU baseline. This means CER compliance is not one uniform standard. Organisations operating across multiple Member States need to track how each country has implemented the directive.
The CER Directive covers 11 critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and food production, processing, and distribution.
Each Member State must identify the specific organisations within these sectors that qualify as critical entities, based on the essential services they provide and the potential impact of their disruption. The European Commission adopted guidelines in September 2025 to support Member States in this identification process, which concludes by 17 July 2026. Once an organisation receives notification that it has been designated, its compliance obligations begin within ten months.
Enforcement carries real teeth. Member States define their own penalty regimes, and several have already signalled fines comparable to those under NIS2, alongside powers to compel remediation. The reputational cost of being publicly identified as a critical entity that failed its obligations may prove even more damaging than the financial one.
Crucially, the directive's reach extends well beyond the named entities themselves. If you supply software, logistics, maintenance, or any other critical input to a designated entity, you sit inside the perimeter of their resilience obligations. Expect your critical customers to start asking harder questions about your own continuity arrangements.
Unlike NIS2, which is focused on cybersecurity, CER demands something broader: all-hazards resilience. That includes physical security, operational continuity, and supply-chain risk management across 11 critical sectors, such as energy, transport, banking, health, and more. This isn't a matter of ticking boxes in a security audit. It's a mandate to ensure that essential services can withstand and recover from incidents regardless of their cause. That can be a cyberattack, flood, supplier failure, or geopolitical disruption. This also extends beyond the entities directly named as critical. Even if you supply to a critical entity, you are likely inside the perimeter of their resilience obligations.
Christel Teglers, Partner at Kromann Reumert, explains:
This is one of the most important perspectives for any leadership team approaching CER. The directive is not the hard part, but the organisational reality is. Christel points to siloed teams that don't share information or missed asset registers and infrastructure inventories. It is the unclear ownership of cross-functional risk processes and incident reporting workflows that exist on paper but have never been tested under pressure. These are the things that derail implementation, and they're all fixable if you start preparing now.
The temptation with any new regulation is to assign it to a legal or compliance team, produce a gap analysis, and work through requirements item by item. That approach has a poor track record with resilience mandates, and CER is no exception.
Meaning that it is important to treat CER as what it actually is: a strategic imperative. Resilience built to pass an audit is fragile. Resilience built because leadership genuinely believes continuity is a competitive advantage. That is what makes it real, rather than merely documented.
Once designated, critical entities face a set of concrete obligations. The details vary by Member State, but the directive establishes a common baseline:
None of these requirements is exotic. Most map directly onto disciplines that mature security and continuity teams already practise. The challenge is doing them systematically, keeping the evidence current, and connecting them into a single coherent picture that leadership and regulators can both trust.
CER's all-hazards framing also makes supply-chain risk a central concern. Critical entities are expected to understand their dependencies and ensure that key suppliers meet appropriate resilience standards.
In practice, this cascades obligations across the supply chain. A utility may be named as a critical entity; its software vendor, maintenance contractor, or logistics provider may face indirect pressure to show their own resilience posture. Due diligence processes, contractual requirements, and supplier assessments are all likely to become more rigorous as the July deadline approaches and Member States begin enforcement activity. For suppliers who haven't started thinking about this, the window to get ahead of it is closing.
Here is what organisations can do to prepare before the July 2026 deadline:
The organisations that come through this period well will be the ones that used regulation as a forcing function and a real opportunity to build something genuinely resilient.