CER Directive: where does Europe stand on critical infrastructure resilience?
Published January 26, 2026
- Cybersecurity
Key takeaways
- The European CER Directive (Resilience of Critical Entities) aims to strengthen the resilience of critical infrastructures (energy, transport, healthcare, etc.) across Europe.
- Its implementation is progressing very unevenly across European countries, which can be grouped into different levels of maturity:
- Advanced countries: draft law approved
- Moderately advanced countries: draft law in progress
- Less advanced countries: intermediate level of implementation
What’s the CER directive?
Directive (EU) 2022/2557 of December 14, 2022, known as the Critical Entities Resilience (CER) Directive, establishes a European legal framework to ensure that services essential to the maintenance of vital societal or economic functions are delivered continuously throughout the single market. It replaces Directive 2008/114/EC, which was deemed outdated in light of the increasing number of threats (cyber, physical, climate, hybrid) and the growing interdependence of infrastructures across Europe.
The directive requires Member States to identify, supervise, and support public or private entities considered critical within 11 key sectors, such as energy, transport, health, and water. These entities must implement organizational and technical measures to prevent, resist, mitigate, and recover from incidents likely to impact the provision of essential services.
The directive was to be transposed into national law by October 17, 2024 at the latest, imposing a tight schedule on national authorities. The text also requires each Member State to adopt, by January 17, 2026, a national resilience strategy based on risk assessment and accompanied by support measures. It further sets out enhanced coordination between national and European authorities, closely linked to the cybersecurity requirements of the NIS2 directive.
However, the transposition of the directive is progressing unevenly across the Union, with some Member States having fully integrated the requirements into their national legislation. This article compares the level of transposition in each Member State as of January 9th , 2025.
Discover where are European countries in transposing the NIS2 directive.
CER transpositions at an European level
This map, updated on January 9, 2026, shows the different maturity levels of all European countries in relation to the REC Directive.
- Maturity level 1:
Limited progress or insufficient information shared on transposition. No country concerned. - Maturity level 2:
Several key milestones reached, with a moderate level of transposition. The countries concerned are: Malta, Sweden, Bulgaria. - Maturity level 3:
Proposed bill pending legislative approval. The countries concerned are: Poland, Luxembourg, France, Spain, Netherlands, Germany. - Maturity level 4:
Proposed legislation adopted. The countries concerned are: Denmark, Ireland, Italy, Portugal, Estonia, Slovakia, Lithuania, Hungary, Romania, Slovenia, Finland, Belgium, Croatia, Greece, Latvia, Czech Republic, Austria, Cyprus.
Countries that have approved their transposition (maturity level 4)
Countries that have made significant progress in the transposition process (maturity level 3)
Countries with an intermediate level of transposition (maturity level 2)
Focus on some European countries
Maturity Level: 4
The LXXXIV 2024 law was adopted on 30 December 2024 and entered into force upon its publication in the Magyar Közlöny (Official Journal of Hungary). Government Decree 474/2024 (XII. 31.) details the implementation of the law.
National Specificities:
- The implementation decree published by Hungary provides a common baseline of 16 measures applicable to all Hungarian critical entities. In addition, there is a list of supplementary measures to be applied to different entities depending on their level of criticality (2 measures for level 1; 18 measures for level 2; 25 measures for level 3).
- These three levels of criticality are identified by the competent authorities based on the number of users served by the entity, the service’s geographic coverage, the number of sectors concerned, and the impact of an extraordinary event.
Competent Authority(ies):
- The competent authorities are the line ministries responsible for the critical organizations, led by an Interministerial Committee for Resilience (CIR). In Hungary, the central professional disaster management authority is designated as the general authority responsible for the designation of critical infrastructures.
Maturity Level: 3
The NIS2 Implementation Act law was adopted on 5 December 2025 and entered into force upon its publication in the Bundesgesetzblatt (Official Journal of Germany, “Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung”).
Key Steps:
- 16 January 2023: The EU parliament passes the CER Directive
- 28 July 2023: The Federal Ministry of the Interior (BMI) publishes the first draft
- 21 December 2023: The BMI updates this first draft
- 24 January 2024: A second draft is issued, refining the implementation of the CER directive
- 10 April 2024: A revision of the second draft is published
- 6. November 2024: The Federal Cabinet adopts the then-current bill of the KRITIS-Dachgesetz, thereby approving the government bill (Regierungsentwurf) and formally initiating the parliamentary phase of the legislative procedure
- 10 September 2025: The Federal Cabinet approved a new updatesd KRITIS DG draft law, thereby adopting the government proposal.
- 6 November 2025: The first reading of the new KRITIS DG draft law took place in the Bundestag.
- 13 November 2025: The Bundestag approves the NIS2 Implementation Act.
- 5 December 2025: The law was published in the Bundesgesetzblatt and has entered into force.
National Specificities:
- Germany already identified in 2009 a list of “KRITIS” operators, which constitute the entities essential to activities considered critical to national infrastructure.
- 2015 the IT-Sicherheitsgesetz was implemented, which expanded the scope of the previous law.
- The draft law KRITIS-Dachgesetz is a national framework law introducing general, cross-cutting, and proportionate obligations for the physical protection of critical infrastructures, following an “all-risks” approach. CER obligations are therefore intended to apply at minimum to existing KRITIS operators while expanding to additional sectors and entities.
- The draft law introduces uniform minimum standards across ten sectors, supplemented by sector-specific resilience standards developed with industry associations.
Competent Authority(ies):
- Federal Office for Information Security (BSI)
- Federal Office of Civil Protection (BBK)
Maturity Level: 3
The draft law consolidating NIS 2, CER, and the text on the resilience of the financial sector was presented to the Council of Ministers on 15 October 2024. It is currently under examination at the National Assembly.
Key Steps:
- 15 October 2024: The draft law was submitted to the Senate by the government, with fast-track procedure invoked.
- 12 March 2025: First reading adoption by the Senate (text No. 78, 2024–2025) and transmission of the text to the National Assembly on 13 March.
- March to July 2025: Expert sessions conducted by the Special Commission.
- 10 September 2025: Publication of the Special Commission’s report and unanimous adoption of the draft law.
National Specificities:
- France has chosen to integrate the CER directive by complementing its national framework for the security of Vital Importance Activities (SAIV) established in 2006, notably retaining the structuring concepts of national law. Critical infrastructures are defined as Points of Vital Importance (PIV) and Information Systems of Vital Importance (SIIV), while their scope is expanded to include the new European obligations.
- OIVs (Operators of Vital Importance) must detail appropriate resilience measures in an Operator Resilience Plan (PRO), as well as a Specific Resilience Plan (PPR) for each Point of Vital Importance (PIV).
Competent Authority(ies):
- National Cybersecurity Agency of France (ANSSI)
- General Secretariat for Defense and National Security (SGDSN)
Maturity Level: 4
Italy finalized the transposition of the CER directive through the Legislative Decree No. 134 of 4 September 2024, published in the Official Journal No. 223 on 23 September 2024. In July, the final report of the consultation on the Strategy for the Resilience of Critical Entities was published, marking progress in the development of the national strategy envisaged by the directive.
National Specificities:
- No reference framework has been published to date.
- La transposition nationale italienne de la Directive CER inclut spécifiquement le secteur des eaux irriguées, en plus des 11 secteurs initialement prévus par le cadre européen.
Competent Authority(ies):
- The competent authorities are the line ministries responsible for the critical organizations, led by an Interministerial Committee for Resilience (CIR), under the overall supervision of the delegation of Deputy Secretary of State Alfredo Monatavano
Maturity Level: 3
A draft law entitled Ley de medidas para la protección y resiliencia de las entidades críticas was approved on 27 May 2025, with implementing bodies already identified. A public consultation phase concluded on 10 June.
Key Steps:
- 29 October 2024: Congress on infrastructure protection and the resilience of critical entities.
- 27 May 2025: The Council of Ministers approves the draft law.
- 27 May to 10 June 2025: Public consultation phase.
National Specificities:
- The text provides for the creation of a national certification mechanism to attest to the quality, security, and compliance levels of entities. The content and procedures of the certification mechanism will be determined by future regulations
Competent Authority(ies):
- The State Secretariat for Security is the central competent authority, responsible for supervision, plan development, and implementation of the certification mechanism.
- CNPREC (Centro Nacional para la Protección y la Resiliencia de las Entidades Críticas) handles the identification of critical entities, their notification, and acts as a point of contact in case of incidents.
- The National Commission for the Protection and Resilience of Critical Entities is a collegiate body responsible for approving sectoral strategic plans and identifying the relevant entities.
- The Interministerial Working Group provides support in the development of the national strategy and in threat assessment.
Maturity Level: 4
The decree-law “n°22/2025”, transposing the CER directive, was approved on 12 March and published on 19 March, 2025. The text came into force on 24 March, 2025.
National Specificities:
- No reference framework has been published to date.
- Critical entities must regularly test their resilience and security plans through exercises supervised by sectoral authorities and the Secretary General of the Internal Security System (SGSSI), with prior communication, post-exercise reports, and the possibility of cross-border exercises involving other EU Member States.
Competent Authority(ies):
- The transposition of the CER Directive (EU Directive 2022/2557) via Decreto Lei No. 22/2025 establishes a dual governance framework: at the national level, the Secretary General of the Internal Security System (SGSSI) ensures overall coordination of activities related to the resilience of critical entities and serves as the central contact point for European cooperation. At the sectoral level, each Autoridade Setorial Competente (ASC) is responsible for identifying critical entities within its sector, overseeing the implementation of resilience measures, and transmitting information to the SGSSI.
Maturity Level: 3
The draft law Wet weerbaarheid kritieke entiteiten (Wwke) concluded its public consultation on 1 July 2024. It received the opinion of the Council of State on 20 February 2025 and was submitted to the House of Representatives, which published its report on the draft law on 4 September 2025.
Key Steps:
- 21 May 2024: Publication of the NIS2 transposition draft law and the draft law on the resilience of critical entities (Wwke).
- 21 May – 2 July 2024: Public consultation.
- 2 July 2024: Closure of the internal consultation on the resilience of critical entities.
- 20 February 2025: The draft law was validated by the Council of State.
- 4 September 2025: The House of Representatives published its report on the draft law.
- 10 November – 21 December 2025: New public consultation phase on the draft law
National Specificities:
- The competent authority may recognize certain EU sectoral acts as equivalent to the measures in Article 16, which require critical entities to implement proportionate technical, security, and organizational measures to ensure their resilience; in such cases, these measures do not apply to the relevant entities.
- The Netherlands already has a policy for the protection and cyclical strengthening of critical infrastructure (Aanpak vitaal), which CER will reinforce. This policy is structured around the “instrumentarium vital,” a process cycle that must be repeated at least every four years.
- The procedure is implemented by the competent minister and, in cases where developments, new events, or threats justify it, may be applied before the minimum four-year period at the discretion of the competent minister or the Minister of Justice and Security.
Competent Authority(ies):
- Justice and Security Ministry coordinates the national strategy.
- Each ministry is responsible for the entities within its sector. Ministries appoint supervisors to monitor compliance with obligations, including audits and inspections.
Strengthening critical infrastructure cyber security now requires more than technical controls. Regulatory frameworks such as the EU CER Directive offer valuable insights into how resilience can be structured and governed. Wavestone supports organizations in translating regulation into actionable security and resilience strategies.
