CER Directive: Strengthening critical infrastructure against cyber crises
Published July 17, 2025
- Cybersecurity
- Public Sector

What’s the CER directive?
The European Directive on Critical Entities Resilience (CER) was adopted on December 14, 2022. It aims to strengthen the ability of critical infrastructure to withstand and recover from disruptions, whether of natural or human origin.
The primary objective of the directive is to ensure a high level of cyber resilience among critical entities, both in terms of their ability to protect themselves against attacks and their capacity to maintain business continuity. In addition, the directive aims to strengthen coordination and cooperation between Member States, to improve information sharing and the implementation of collective responses to cross-border crises.
The CER directive complements the NIS2 directive, a broader directive that imposes cybersecurity measures and reporting obligations on essential and important entities within the EU. Together, NIS2 and the CER Directive contribute to ensuring the security and continuity of essential services in the EU, both in the cyber and physical domains.
Overview of the CER transposition at the European level

The stakeholders and sectors concerned
The Member States of the European Union play a central role in the implementation of the Critical Entities Resilience Directive.
- They are responsible for transposing the directive into their national legislation and for implementing the necessary measures applicable to critical entities. This includes risk assessment, the preparation of resilience plans, and the definition and implementation of security measures on a national scale.
- They designate the critical entities within their respective national jurisdictions and are responsible for ensuring that these entities comply with the obligations set out in the transposition, particularly regarding incident notification.
- Finally, Member States must also coordinate their efforts with other EU countries to ensure a harmonized response to cross-border crises and the sharing of relevant information.
Critical entities are infrastructures and organizations vital to the proper functioning of society and the economy. The CER directive describes them as playing an ‘indispensable role in maintaining societal functions or vital economic activities in the internal market, in the context of an increasingly interdependent Union economy’.
Critical entities of particular European importance are those that provide essential services in at least six Member States of the European Union. These entities play a crucial role in maintaining vital societal functions and economic activities at the European level, and as such, specific obligations for these actors are foreseen.
The eligibility of critical entities under the CER directive is defined within the framework of risk assessment carried out at the national level by Member States. This risk assessment helps identify the critical entities subject to the CER, among the sectors of activity targeted by the directive: energy, transport, banking sector, financial market infrastructure, healthcare, drinking water & wastewater, digital infrastructure, public administration, space, food sector.
Once these entities are identified, Member States are required to officially notify them. This notification informs the entities of their status as critical entities and of the resulting obligations, such as implementing security measures and resilience plans. This procedure ensures that critical entities are fully aware of their role and expectations regarding resilience and security.
Obligations for critical entities
1. Risk assessment
Critical entities must conduct a risk assessment within nine months of receiving notification of their identification as a critical entity. This assessment must be updated as needed, and at least every four years.
The assessment must include several types of risk:
- Natural hazards, such as floods, storms and earthquakes.
- Man-made risks, such as industrial accidents and acts of terrorism.
- Technological risks, including cyber-attacks.
- Dependencies and interdependencies between different sectors and critical entities, including in neighboring Member States and third countries.
If a critical entity has already conducted other risk assessments or produced documents under obligations set out in other legal acts, it may use those assessments and documents to meet the requirements of the CER Directive. This helps avoid duplication of efforts and ensures consistency in risk management.
2. Resilience plan and measures to be taken
Critical entities must establish and implement a resilience plan or equivalent documents describing the measures taken. If they have already developed documents or taken measures under other relevant legal obligations, they may use them to meet the requirements of the CER Directive. Each critical entity must designate a liaison officer or a person with an equivalent role as a point of contact with the competent authorities. This designation ensures effective communication and optimal coordination with the authorities, thereby facilitating the implementation of resilience measures.
The measures to be taken are grouped into six themes:
- Take into account disaster risk reduction measures and climate change adaptation.
- Ensure adequate protection of premises and critical infrastructure, for example with fences, barriers, surveillance tools and procedures, and access control and detection equipment.
- Implement risk and crisis management procedures and protocols, as well as alert procedures to respond to, withstand, and mitigate the consequences of incidents.
- Ensure business continuity and identify alternative supply chains to resume the delivery of vital services after an incident.
- Define categories of personnel performing critical functions, establish access rights to premises, critical infrastructure, and sensitive information, implement background check procedures, and define appropriate training requirements and qualifications.
- Organize training sessions, provide informational materials, and conduct exercises to raise staff awareness of resilience measures.
3. Incident notification obligation
Critical entities must promptly notify the competent authorities of any incidents disrupting their vital services, provide detailed information about these incidents, and cooperate with the authorities to mitigate the impacts and inform the public if necessary. An initial notification must be submitted no later than 24 hours after becoming aware of the incident, followed, if necessary, by a detailed report no later than one month afterward.
To determine the extent of the disturbance, the following parameters are considered:
- The number and proportion of users affected by the disruption.
- The duration of the disruption.
- The geographical area affected by the disruption, taking into account any geographical isolation.
Notifications must include all available information necessary to enable the competent authority to understand the nature, cause, and potential consequences of the incident, including any information required to assess cross-border impacts.
4. National transpositions and link with other regulations
Although the CER Directive establishes a common framework to enhance the resilience of critical entities at the European level, its concrete implementation depends on the transposition choices made by each Member State.
In several European countries, including France, the coordination of these regulations is still under discussion and must take into account not only NIS2, but also the national regulations applicable to critical entities (such as the LPM in France or KRITIS in Germany), as well as the sector-specific regulations relevant to these actors.
Towards useful and lasting compliance
The CER Directive complements existing regulations by placing greater emphasis on business continuity and physical security issues for critical infrastructure. This deepening of the regulatory framework comes in a context of regulatory inflation, where the interplay between different texts can be complex and unclear.
We believe that this complexity calls for a response that takes into account the entity’s full context, in order to avoid addressing regulatory challenges in silos.
Drawing on our extensive experience in regulatory compliance (NIS/NIS2, LPM, DORA, etc.) with over a hundred clients, as well as our expertise in cybersecurity (resilience, crisis management, security audits, etc.), we support organizations in deciphering regulatory impacts, translating them into operational terms, and building tailored compliance strategies and roadmaps aligned with their specific challenges.