CER Directive: Strengthening critical infrastructure against cyber crises

Published July 17, 2025

What is the CER directive?

The European Directive on Critical Entities Resilience (CER) was adopted on December 14, 2022. It aims to strengthen the ability of critical infrastructure to withstand and recover from disruptions, whether of natural or human origin.

The primary objective of the directive is to ensure a high level of cyber resilience among critical entities, both in terms of their ability to protect themselves against attacks and their capacity to maintain business continuity. In addition, the directive aims to strengthen coordination and cooperation between Member States, to improve information sharing and the implementation of collective responses to cross-border crises.

The CER directive complements the NIS2 directive, a broader directive that imposes cybersecurity measures and reporting obligations on essential and important entities within the EU. Together, NIS2 and the CER Directive contribute to ensuring the security and continuity of essential services in the EU, both in the cyber and physical domains.

Overview of the CER transposition at the European level

The stakeholders and sectors concerned

The Member States of the European Union play a central role in the implementation of the Critical Entities Resilience Directive.

  • They are responsible for transposing the directive into their national legislation and for implementing the necessary measures applicable to critical entities. This includes risk assessment, the preparation of resilience plans, and the definition and implementation of security measures on a national scale.
  • They designate the critical entities within their respective national jurisdictions and are responsible for ensuring that these entities comply with the obligations set out in the transposition, particularly regarding incident notification.
  • Finally, Member States must also coordinate their efforts with other EU countries to ensure a harmonized response to cross-border crises and the sharing of relevant information.

Obligations for critical entities

1. Risk evaluation

Critical entities must conduct a risk assessment within nine months of receiving notification of their identification. This assessment must be updated as needed, and at least every four years.
The assessment must cover several types of risk:

  • Natural hazards, such as floods, storms and earthquakes.
  • Man-made risks, such as industrial accidents and acts of terrorism.
  • Technological risks, including cyber-attacks.
  • Dependencies and interdependencies between different sectors and critical entities, including in neighboring Member States and third countries.

If a critical entity has already conducted other risk assessments or produced documents under obligations set out in other legal acts, it may use those assessments and documents to meet the requirements of the CER Directive. This helps avoid duplication of efforts and ensures consistency in risk management.

2. Resilience plan and measures to be taken

Critical entities must establish and implement a resilience plan or equivalent documents describing the measures taken. If they have already developed documents or taken measures under other relevant legal obligations, they may use them to meet the requirements of the CER Directive. Each critical entity must designate a liaison officer or a person with an equivalent role as a point of contact with the competent authorities. This designation ensures effective communication and optimal coordination with the authorities, thereby facilitating the implementation of resilience measures.

The measures to be taken are grouped into six themes:

  • Take into account disaster risk reduction measures and climate change adaptation.

3. Incident notification obligation

Critical entities must promptly notify the competent authorities of any incidents disrupting their vital services, provide detailed information about these incidents, and cooperate with the authorities to mitigate the impacts and inform the public if necessary. An initial notification must be submitted no later than 24 hours after becoming aware of the incident, followed, if necessary, by a detailed report no later than one month afterward.

To determine the extent of the disturbance, the following parameters are considered:

  • The number and proportion of users affected by the disruption.
  • The duration of the disruption.
  • The geographical area affected by the disruption, taking into account any geographical isolation.

Notifications must include all available information necessary to enable the competent authority to understand the nature, cause, and potential consequences of the incident, including any information required to assess cross-border impacts.

4. National transpositions and link with other regulations

Although the CER Directive establishes a common framework to enhance the resilience of critical entities at the European level, its concrete implementation depends on the transposition choices made by each Member State.

In several European countries, including France, the coordination of these regulations is still under discussion and must take into account not only NIS2, but also the regulations applicable to critical entities (such as the LPM, Kritis, etc.), as well as sector-specific regulations relevant to these actors.

Towards useful and lasting compliance

The CER Directive complements existing regulations by placing greater emphasis on business continuity and physical security issues for critical infrastructure. This deepening of the regulatory framework comes in a context of regulatory inflation, where the interplay between different texts can be complex and unclear.

We believe that this complexity calls for a response that takes into account the entity’s full context, in order to avoid addressing regulatory challenges in silos.

Drawing on our extensive experience in regulatory compliance (NIS/NIS2, LPM, DORA, etc.) with over a hundred clients, as well as our expertise in cybersecurity (resilience, crisis management, security audits, etc.), we support organizations in deciphering regulatory impacts, translating them into operational terms, and building tailored compliance strategies and roadmaps aligned with their specific challenges.

Authors

  • Wassim Alidra, Manager Cybersecurity, Wavestone
  • Loris Girbas Ben Chaabane, Consultant Cybersecurity, Wavestone
  • Samuel Le Guillois, Consultant Cybersecurity, Wavestone