CER Directive

The CER Directive (Critical Entities Resilience, Directive 2022/2557) sets requirements for physical and organisational resilience of critical service providers in the EU. The directive supplements NIS2 by focusing on the physical dimension of security rather than cybersecurity.

    What is the CER Directive?

    The CER Directive (Directive 2022/2557) is an EU directive that establishes a framework for ensuring the resilience of critical entities. Whilst NIS2 focuses on cybersecurity, CER addresses the physical and organisational aspects of resilience — such as natural disasters, terrorism, insider threats and sabotage.

    The directive requires member states to identify critical entities within key sectors and ensure that these entities take adequate measures to protect their ability to deliver essential services. CER works alongside NIS2 to create a comprehensive security framework covering both the digital and physical domains.

    Who is covered by CER?

    CER applies to entities that are designated as critical by the relevant national authority. Designation is based on the entity's importance for the maintenance of vital societal functions or economic activities within one of the 11 CER sectors. Member states must carry out a risk assessment every four years and identify critical entities based on the results.

    What does CER require?

    Critical entities designated under CER must fulfil several obligations:

    • Risk assessment: Entities must carry out their own risk assessment of all relevant risks that may disrupt the delivery of their essential services.
    • Resilience measures: Based on the risk assessment, entities must implement proportionate technical, security and organisational measures to ensure resilience.
    • Background checks: Entities must ensure that personnel performing sensitive functions undergo appropriate background checks.
    • Notification obligation: Incidents that significantly disrupt or have the potential to disrupt the delivery of essential services must be reported to the competent authority.
    • Resilience planning: Entities must have plans and procedures in place to ensure continuity and rapid recovery of essential services.


    Physical plus digital:
    CER and NIS2 are designed to be complementary. An entity designated as critical under CER that also falls within the scope of NIS2 must comply with both sets of requirements — physical resilience under CER and cybersecurity under NIS2.

    CER vs NIS2

    CER and NIS2 share the same goal — protecting essential services — but address different threat domains. NIS2 focuses on network and information security (cybersecurity), whilst CER covers physical security and organisational resilience. Many organisations will fall under both directives and must maintain a holistic approach to risk management that covers both physical and digital threats.

    Frequently Asked Questions about CER Directive

    What is the CER Directive?

    The CER Directive (Directive 2022/2557) is an EU directive that sets requirements for the physical and organisational resilience of critical entities — organisations that provide essential services within key sectors such as energy, transport and health.

    What is the difference between CER and NIS2?

    NIS2 focuses on cybersecurity and network security, whilst CER addresses physical and organisational resilience. They are complementary: NIS2 protects against digital threats, CER protects against physical threats such as natural disasters, sabotage and terrorism.

    Who decides which entities are critical under CER?

    Each EU member state must identify critical entities within the 11 CER sectors. This is done by national competent authorities based on a national risk assessment that must be carried out every four years.

    What must critical entities do under CER?

    Critical entities must carry out risk assessments, implement resilience measures, ensure background checks for sensitive personnel, report significant incidents and maintain resilience plans for continuity and recovery.

    Does CER apply to cybersecurity?

    No. CER specifically addresses physical and organisational resilience. Cybersecurity requirements are covered by NIS2. However, entities subject to CER will often also be subject to NIS2 and must comply with both.
