Cyber Laws

Critical Entities Resilience (CER) EU Act


TL;DR

The CER Directive requires Member States and identified critical entities to perform detailed, recurring, cross-sector and cross-border risk assessments and implement comprehensive resilience measures (prevention, protection, response, recovery). It aligns with NIS2 and other EU frameworks, replaces Directive 2008/114/EC, adds the space sector, introduces structured identification & notification timelines, mandates liaison officers, incident notifications (24h initial / 1 month detailed), and enables advisory missions for entities of particular European significance.


What new things does this Directive bring?

  • Large-scale, detailed cyber and non‑cyber risk assessments become central (public + private coordination).
  • Member States must share relevant portions of their own risk assessments to aid critical entities.
  • Critical entities’ risk assessment results are reported (in part) to the Commission.
  • Exemptions possible where sector-specific Union acts provide equivalent resilience measures.
  • Banking, financial market infrastructure and certain digital infrastructure entities treated differently (limited obligations under Chapters III/IV).
  • Alignment and coordinated implementation with NIS2 and GDPR (physical + cyber coherence).
  • Exclusion of defense, security and law enforcement entities; possibility to exempt others for national security reasons.
  • Attempts to avoid disproportionate burden on SMEs.
  • Space sector explicitly included.
  • Replaces Directive 2008/114/EC.

Most important timeline & structural aspects

  • By 17 Jan 2026: Member State resilience strategy adopted.
  • By 17 Jan 2026 (and at least every 4 years): Member State risk assessment completed.
  • By 17 Jul 2026: Identification & notification of critical entities (per Annex sectors/subsectors).
  • 10 months after notification: Chapter III obligations become applicable to the notified entity.
  • Every 4 years: Review/update list of critical entities & repeat risk assessments.

Subject matter and scope

  1. Ensure unobstructed provision of essential services; identify & support critical entities.
  2. Critical entities must enhance resilience (technical, organizational, physical security, continuity).
  3. Establish supervisory/enforcement rules & advisory mission framework.
  4. Common cooperation/reporting processes → uniform implementation.
  5. Measures for high resilience to improve internal market functioning.
  6. Avoid overlap with NIS2; coordinate cyber + physical security implementation.
  7. Exemptions where sector-specific Union law gives equivalent measures.
  8. Protect confidential & sensitive information (national security / commercial interests).
  9. Exclude entities focused on national security, public security, defense, law enforcement.
  10. Allow targeted exemptions tied to national security functions.
  11. No disclosure of information that harms national security.
  12. Full compliance with EU data protection law.

Strategy on resilience of critical entities (due 17 Jan 2026)

Must include: strategic objectives & priorities; governance framework (roles & responsibilities); measures & risk assessment process (Art.5); identification process (Art.6); support & public–private cooperation processes; list of authorities/stakeholders; coordination framework with NIS2 authorities (info exchange cyber & non‑cyber); SME support measures.


Member State risk assessment (by 17 Jan 2026; ≥ every 4 years)

  • Commission delegated act (non‑exhaustive essential services list) guides scope.
  • Assess natural + man‑made, cross-sector/cross-border, accidents, disasters, public health emergencies, antagonistic/terrorist threats.
  • Consider sector interdependencies (Annex sectors), upstream/downstream reliance including third countries.
  • Cooperate with other Member States where interdependencies exist.
  • Share relevant parts with identified critical entities (input for entity risk assessment & resilience measures).
  • Report to Commission within 3 months of completion (risk types + outcomes per sector/subsector).
  • Voluntary common reporting template developed by Commission + Member States.

Identification of critical entities (by 17 Jul 2026)

Criteria:

  • Provides one or more essential services.
  • Operates / infrastructure located within Member State territory.
  • Incident disruption would have significant effects on its own or other essential services.

Process:

  • Establish list → notify entities (within 1 month) → inform obligations (or exemptions for sectors 3, 4, 8 unless national law extends).
  • Notify NIS2 competent authorities of identities (including exempt sectors).
  • Review/update list ≥ every 4 years; notify additions/removals.
  • Commission develops recommendations & non-binding guidelines to support identification.

Treatment of banking, financial market infrastructure & digital infrastructure sectors

  • Articles 11 & Chapters III, IV, VI do not apply to sectors 3, 4, 8 (unless national law extends).
  • Member States may adopt national measures for higher resilience—must not conflict with Union law.

Competent authorities & single point of contact

  • Designate competent authority(ies) for enforcement; clarify tasks if multiple; cooperate with single point of contact (SPoC).
  • Typical authorities: those under DORA (Regulation (EU) 2022/2554) for banking/financial; NIS2 authorities for digital infrastructure.
  • SPoC facilitates cross-border cooperation, liaises with Commission, may coordinate with third countries.
  • SPoC reporting (by 17 Jul 2028; then biennially) on incident notifications using common template.
  • Ensure adequate financial, human, technical resources.
  • Mandatory cooperation & info exchange with NIS2 authorities (cyber + non‑cyber risks/incidents).
  • Notify Commission of identities/tasks within 3 months; publish identities; Commission publishes SPoC list.

Member State support to critical entities

  • Guidance, exercises, training, advisory, financial support (consistent with State aid rules).
  • Exchange information & best practices; promote voluntary info sharing (respect classified info, competition, data protection).

Risk assessment by critical entities

  • Timeline: within 9 months of notification (Art.6(3)) and at least every 4 years thereafter.
  • Scope: natural and man‑made risks, cross-sector and cross-border risks, hybrid threats, terrorism (Directive (EU) 2017/541), dependencies of other sectors on the entity's services and vice versa (including other Member States and third countries).
  • Reuse: the entity can leverage existing assessments/documents prepared under other legal acts; authorities may declare these partially or fully compliant.


Resilience measures by critical entities (Chapter III)

Measures (risk-based):

  • Prevent incidents (incl. disaster risk reduction & climate adaptation aspects).
  • Physical protection of premises & infrastructures.
  • Respond, resist, mitigate consequences.
  • Recover (business continuity, alternate supply chains).
  • Employee security (training, background checks where feasible, awareness).

Documentation: Resilience plan or equivalent (may reuse existing artifacts); authorities can recognize existing measures as compliant.

Governance: Designate a liaison officer as the interface with the competent authority.

Commission support: Advisory missions (on request), non‑binding guidelines, implementing acts for technical/methodology specifications.

Incident notifications

  • Notify competent authority of significant disruptions or potential disruptions.
  • Initial notification within 24h of awareness; detailed follow-up within 1 month (if relevant).
  • Significance factors: number/proportion of users affected; duration; geographic spread.
  • Content: nature, cause, potential consequences, cross-border effects (confidential handling; no added liability).
  • Cross-border: SPoC informs other affected Member States; ensure confidentiality of commercial & security interests.
  • Follow-up: Competent authority provides supporting info; public may be informed if in public interest.

Critical entities of particular EU significance

Criteria:

  • Already identified nationally as critical.
  • Provides similar essential services to/in ≥ 6 Member States.

Notification chain:

  • Entity informs national competent authority (services + Member States) → Member State informs Commission → Commission consults other Member States & entity → if threshold confirmed, Commission notifies entity of status; Chapter applies from notification date.

Advisory missions: See dedicated section below.

Advisory missions (entities of EU significance)

  • Initiation: At request of the identifying Member State; or by the Commission / other served Member States (with the originating Member State's agreement).
  • Inputs: Risk assessment, resilience measures list (Art.13), supervisory actions summary.
  • Outputs: Report within 3 months → Member States analyze → Commission issues opinion (compliance + recommended improvements).
  • Composition: Experts from the Commission, the identifying MS and the served MS (professional capacity + geographic balance). Commission funds and organizes the mission.
  • Procedures: An implementing act will define the process, confidentiality and sensitive-information handling. Missions must respect host Member State law and national security. Past inspection reports under other EU regimes are considered.
  • Follow-up: Commission informs the Critical Entities Resilience Group (findings & lessons).


Supervision & enforcement

  • Authority powers: On-site inspections, off-site supervision, ordering independent audits (at the entity's expense), requesting information/evidence (including audit results) within deadlines.
  • Remediation: Order corrective measures proportionate to the seriousness of the infringement; ensure procedural safeguards (transparency, right to be heard, rights of defense, legal remedy).
  • Cooperation: Exchange information with NIS2 authorities; either side may request exercise of supervisory/enforcement powers.


Reasons & background (selected highlights)

  • Shift from asset-centric protection to systemic, risk-based resilience across interdependent sectors.
  • Addresses evolving threat landscape (including climate change impacts & hybrid threats).
  • Harmonizes divergent national requirements; reduces fragmentation; improves cross-border coordination.
  • Integrates space sector given cross-border dependency chains.
  • Ensures alignment with NIS2 for cybersecurity while covering broader physical/non‑cyber resilience.
  • Establishes notification mechanisms & minimum identification criteria to avoid inconsistent thresholds.
  • Recognizes foreign ownership risk & supply chain dependencies for critical infrastructure services.
  • Supports SMEs: balance resilience obligations vs disproportionate burden.
  • Delegated powers: Commission list of essential services; Implementing acts for uniform technical application.
  • Repeals Directive 2008/114/EC (modernized scope & methodology).

Excluded / condensed items (not reproduced verbatim)

  • Detailed cooperation group procedural text (focus retained on functional outcomes).
  • Background check granular HR specifics (retained only requirement & rationale).
  • Penalties (qualitative requirement: effective, proportionate, dissuasive; no fixed amounts stated).
  • Delegated/implementing act legal machinery steps.
  • Final provisions / formal closing articles.
