Notification Obligation (CER)

The CER Directive requires critical entities to notify the competent authorities of incidents that significantly disrupt or have the potential to disrupt the provision of essential services. Notification must take place without undue delay and within the deadlines set by national implementing legislation.

    What is the notification obligation under CER?

    Article 15 of the CER Directive establishes that critical entities have an obligation to notify the competent authorities of incidents that "significantly" disrupt or have the potential to disrupt the provision of essential services, including incidents caused by cyber events.

    The purpose of the notification obligation is to give authorities an early overview of the situation, enable coordination of support and assistance, and prevent the consequences from spreading to other critical entities and infrastructures.

    When must notification be made?

    An incident must be notified when it "significantly" disrupts the provision of essential services. The CER Directive states that the following factors must be taken into account when assessing whether a disruption is significant:

    • The number of users affected by the service disruption
    • The duration of the disruption
    • The geographical area affected by the disruption
    • The extent of actual harm to the provision of services
    • The extent of consequences for other sectors and other entities


    Deadlines set nationally:
    The CER Directive requires notification "without undue delay" but leaves it to national authorities to set precise deadlines in their implementing legislation. Many countries are expected to set deadlines aligned with NIS2 (24 hours for an early warning, 72 hours for a detailed report).

    Comparison with NIS2

    The notification obligation under CER and incident reporting under NIS2 cover partially overlapping situations but focus on different aspects:

    • CER: Focuses on disruptions to the physical delivery of services, regardless of the cause (natural events, attacks, technical failures, etc.).
    • NIS2: Focuses on cybersecurity incidents affecting network and information systems.

    An organisation subject to both regulatory frameworks may in certain cases need to report an incident to two different authorities, although the authorities coordinate with each other.

    How to prepare for the notification obligation

    Organisations should take a proactive approach to incident notification:

    • Establish clear procedures: Define internal escalation paths and responsibilities so that incidents are identified and reported within the required timeframes.
    • Define significance thresholds: Set internal criteria for when an incident meets the significance threshold, aligned with the factors listed in the CER Directive.
    • Coordinate with NIS2 obligations: If the organisation is subject to both CER and NIS2, align incident reporting processes to avoid duplication whilst ensuring both obligations are met.
    • Test the process: Conduct regular exercises that include the notification process, not just the technical response.

    Frequently Asked Questions about Notification Obligation (CER)

    What is the notification obligation under the CER Directive?

    The CER Directive requires critical entities to notify the competent authorities of incidents that significantly disrupt or have the potential to disrupt the provision of essential services. This includes incidents caused by cyberattacks, natural events and technical failures.

    What is the deadline for notification under CER?

    The CER Directive requires notification "without undue delay" but leaves the precise deadlines to national implementing legislation. Most countries are expected to set deadlines aligned with NIS2's model (24 hours for an early warning, 72 hours for a detailed report).

    Must a cyberattack be notified under CER?

    Yes. The CER Directive covers all incidents that disrupt the provision of essential services, regardless of whether the cause is a cyberattack, a natural event or a man-made disruption. A cyberattack that disrupts a critical entity's services may trigger notification obligations under both CER and NIS2.

    What factors determine whether an incident is significant?

    The CER Directive lists several factors: the number of affected users, the duration of the disruption, the geographical area affected, the extent of actual harm to service provision, and the extent of consequences for other sectors and entities.

    How does CER notification differ from NIS2 incident reporting?

    CER notification focuses on disruptions to the physical delivery of essential services, regardless of cause. NIS2 incident reporting focuses specifically on cybersecurity incidents affecting network and information systems. An organisation subject to both may need to report the same incident to two different authorities.
