The EU Critical Entities Resilience Directive - What is the impact on your organisation?

Published on 29th July 2025

The EU's CER Directive aims to enhance the physical resilience of critical entities against various threats. This article outlines its key requirements and advises companies on compliance steps amid ongoing national law transpositions.

The EU’s Directive on the resilience of critical entities (Directive (EU) 2022/2557, CER Directive) is the physical security counterpart to the cybersecurity-focused NIS2 Directive. Although the transposition period of the CER Directive ended on 17 October 2024, so far only 10 out of 27 EU Member States have adopted laws to implement the CER Directive into Member State law. Key EU Member States, such as Germany, France, the Benelux countries, and Spain, are still debating their draft implementation laws, which are expected to be adopted by the end of 2025.

What exactly is the CER Directive and why may it be relevant to your company?

The CER Directive aims to achieve and maintain a high level of resilience of certain critical entities through the ability to prevent, protect against, or recover from (physical) incidents. This ensures that services essential for the maintenance of vital societal functions, economic activities, public health and safety, or the environment (essential services) are constantly available.

Possible incidents include any event with the potential to significantly disrupt, or actually disrupt, the provision of an essential service, including, in particular,

  • natural disasters,
  • terror attacks,
  • public health emergencies, or
  • hybrid warfare by foreign nations.

The CER Directive replaces the European Critical Infrastructure Directive of 2008, which only applied to the energy and transport sectors. The CER Directive now widens the scope to eleven sectors, including banking, financial market infrastructure, health, digital infrastructure, and the production, processing, and distribution of food.

What is the relationship between the CER Directive and the NIS2 Directive?

The CER Directive and the NIS2 Directive aim to reduce vulnerabilities and strengthen the resilience of critical and digital infrastructure against online and offline threats. The NIS2 Directive focuses on requirements to ensure cybersecurity and protect against cyber threats, whereas the CER Directive creates an overarching framework to strengthen the overall physical resilience of critical infrastructures (all-hazards approach). Hence, companies can be subject to both directives. In particular, critical entities under the CER Directive are also considered “essential entities” under the NIS2 Directive.

How do you know whether your company is a critical entity?

Critical entities under the CER Directive are public or private entities belonging to one of the sectors, subsectors and categories listed in the Annex of the CER Directive and which have been identified by an EU Member State in accordance with Article 6 of the CER Directive. Critical entities are further characterised by the following criteria:

  • They provide one or more essential services,
  • They operate, and their critical infrastructure is located, on the territory of that EU Member State, and
  • An incident would have significant disruptive effects on the provision of one or more essential services.

Member States must identify such entities by 17 July 2026. Within one month of that identification, Member States must then create a list of critical entities and inform them about their respective obligations under the CER Directive. Such critical entities will have 10 months from notification to comply with the resilience requirements.

What are the key resilience requirements for critical entities under the CER Directive?

  • Carry out a comprehensive assessment of all relevant natural and man-made risks which could lead to an incident in accordance with the CER Directive and renew it every four years;
  • Implement appropriate and proportionate technical and organisational measures to ensure their resilience based on the outcome of the risk assessment, i.e., their ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from an incident;
  • Subject to specific conditions stipulated by each Member State, carry out background checks in duly reasoned cases, in particular for persons holding sensitive roles in or for the benefit of the critical entity; and
  • Notify, without undue delay, the competent authority of any incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. An initial notification must be given within 24 hours, and a comprehensive report within one month of becoming aware of the incident.

Additional obligations may apply if critical entities qualify as being of particular European significance. Member States are also free to adopt additional provisions in their national laws to achieve a higher level of resilience of critical entities and may therefore choose to impose additional obligations on critical entities.

What should companies do now to meet the critical entities’ key obligations?

Check if the CER Directive is applicable to your company
Even if the Member States have not yet transposed the CER Directive into national law, companies should proactively assess whether they qualify as a critical entity. For this, companies must operate in one of the eleven sectors with their related subsectors and must fall under the categories of entities as specified in the Annex. Given the complexity of the risk assessment and the implementation of necessary measures, a period of only ten months after notification by the Member State will likely not suffice to achieve compliance with the CER Directive’s resilience requirements.

Evaluate resources
Carrying out a risk assessment and implementing appropriate and proportionate technical and organisational measures are likely to require significant resources. Companies should evaluate whether additional financial and human resources are needed to meet their respective obligations under the CER Directive:

  • For the risk assessment, companies should critically analyse what potential risks exist that may (significantly) disrupt the provision of essential services. This assessment must also consider any interdependencies between the essential service provided by the critical entity and the essential services provided by other entities in other sectors. The assessment should also cover contingency planning/backup plans in case existing security systems fail, and the critical entity’s security culture should also be considered. Risk assessments and similar documents prepared under other legal frameworks can be leveraged if they are relevant for the risk assessment under the CER Directive. Once completed, risk assessments must be revisited every four years.
  • Appropriate measures potentially to be implemented as a result of such risk assessment include, in particular, measures to
      ◦ prevent future incidents,
      ◦ ensure adequate physical protection of premises,
      ◦ respond to, resist, and mitigate consequences of incidents,
      ◦ ensure adequate employee security management, and
      ◦ raise awareness about any such measures.

Critical entities must also prepare a resilience plan that describes the measures taken and designate a point of contact for competent authorities.

Develop a strategy
To ensure compliance with their obligations under the CER Directive, affected companies may need to

  1. develop and implement a governance process to ensure compliance with all relevant obligations;
  2. identify and potentially update existing security measures to make sure they meet the requirements of the CER Directive;
  3. analyse which additional security measures may need to be implemented and document all implemented security measures;
  4. review and strengthen incident detection and reporting procedures to ensure that notification requirements can be met; and
  5. name a contact person who is available to public authorities for questions after an incident has been reported.

Follow the legislative process and look at other Member States
Finally, companies located in one of the Member States that have not yet transposed the CER Directive into national law should monitor their national legislative process closely to keep track of all relevant developments. It may also be helpful to look at some of the Member States which have already transposed the CER Directive into national law to develop an understanding of how core obligations of the CER Directive are applied in practice.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.