Critical Entities Resilience Directive
Establishes physical and operational resilience requirements for critical entities across 11 sectors. Complements NIS2 (cyber) with physical security, business continuity, and supply chain resilience obligations. Member States must identify critical entities by July 2026.
Sectors Covered: 11
Articles: 26
Incident Reporting: 24h
Compliance Window: 10mo
16 January 2023: CER Directive enters into force
17 October 2024: Member State transposition deadline
17 January 2026: National resilience strategies adopted
17 July 2026: Member States identify critical entities
17 May 2027: Identified entities must comply with resilience measures
Critical entities must adopt resilience measures covering physical security of premises and infrastructure, personnel screening, business continuity planning, and supply chain security.
Report incidents that significantly disrupt or could disrupt essential service provision to the competent authority within 24 hours.
Conduct comprehensive risk assessments covering natural hazards, man-made threats, accidents, pandemics, and cross-border or cross-sector dependencies.
Background verification checks for personnel in sensitive roles within critical entities, subject to national law and EU data protection rules.
Member States ensure entities can demonstrate compliance. Competent authorities have supervisory powers including on-site inspections and audits.
Set by Member States
Must be ‘effective, proportionate and dissuasive.’ Each Member State defines specific penalty amounts in its national transposition legislation.
We provide structured preparation and compliance support for the CER Directive.
Schedule a consultation with our regulatory experts to assess your CER Directive compliance posture and build a practical roadmap.