Risk Assessment (CER)
The CER Directive requires designated critical entities to carry out an obligatory risk assessment. The analysis must identify the relevant risks -- natural, man-made and hybrid -- that could affect the ability to deliver essential services, and it forms the basis for selecting resilience measures.
What is the risk assessment under CER?
Under CER Directive Article 12, designated critical entities are obliged to carry out a risk assessment within specified deadlines after designation. The risk assessment is the starting point for all subsequent decisions on resilience measures.
The assessment differs from a NIS2 risk assessment by taking a broader perspective: it covers not only cybersecurity risks but all relevant threats to the critical entity's ability to deliver its services -- whether those threats are digital, physical, man-made or natural.
Threat categories
The CER risk assessment must take account of a broad spectrum of threats and risks:
- Natural hazards: Floods, storms, earthquakes, extreme weather events arising from climate change.
- Man-made incidents: Terrorist attacks, sabotage, crime, insider threats.
- Hybrid threats: Attacks combining digital and physical elements.
- Dependencies: Risks arising from dependencies on other critical infrastructures, suppliers and services.
- Technical failures: Equipment failures, system outages and other technical disruptions.
From assessment to action
The risk assessment is not an end in itself -- it forms the basis for:
- Developing a resilience plan with concrete measures.
- Prioritising resilience investments based on the identified risks.
- Planning notification procedures for incidents.
- Cooperating with authorities on sector-wide risk scenarios.
Climate change consideration: The CER Directive explicitly highlights that the risk assessment must take account of the consequences of climate change for infrastructure resilience. This is a new dimension that distinguishes CER from older critical infrastructure directives.
Frequently Asked Questions about Risk Assessment (CER)
What is a risk assessment under the CER Directive?
A CER risk assessment is an obligatory analysis that designated critical entities must carry out to identify all relevant risks -- natural, man-made and hybrid -- that could affect their ability to deliver essential services. It forms the basis for selecting resilience measures.
Must the CER risk assessment be updated regularly?
Yes. The CER Directive requires the risk assessment to be updated when relevant -- for example after an incident, when there are significant changes in the threat landscape, or in the organisation's structure and activities. Authorities may also require updated assessments.
How does a CER risk assessment differ from a NIS2 risk assessment?
A CER risk assessment has a broader scope: it covers all relevant threats including natural hazards, physical attacks and hybrid threats, not only cybersecurity risks. NIS2 risk assessments focus specifically on risks to network and information systems.
Must climate change be considered in the CER risk assessment?
Yes. The CER Directive explicitly requires the risk assessment to take account of the consequences of climate change for infrastructure resilience, including increased frequency and severity of extreme weather events.
What happens after the risk assessment is completed?
The risk assessment forms the basis for a resilience plan with concrete measures, prioritisation of investments, notification procedures for incidents, and cooperation with authorities on sector-wide risk scenarios.
Related Terms
Notification Obligation (CER)
The CER Directive's requirement for critical entities to notify competent authorities of incidents that significantly disrupt the provision of essential services.
Essential Service (CER)
A service critical to the maintenance of vital societal functions, economic activity, public safety or public health, as defined in the CER Directive.