EU 2022/2557
Last updated: October 2024

What is the CER Directive?

The CER Directive (EU 2022/2557), the Critical Entities Resilience Directive, strengthens the physical resilience of critical entities across the EU. It complements NIS2 by addressing physical threats: natural disasters, sabotage, insider threats, and terrorism.

Background: From CIIP to CER

CER replaces the 2008 European Programme for Critical Infrastructure Protection (EPCIP) Directive, which covered only energy and transport. CER expands the scope to 11 sectors and introduces a modern, risk-based approach to physical resilience, aligned with the cyber-focused NIS2 framework.

Unlike NIS2 (which uses size thresholds), CER uses a designation-based approach: member states must first perform a national-level risk assessment, then designate entities as 'critical' based on the results. This makes the process more nuanced: not all large companies in covered sectors are automatically in scope.


Core Obligations Under CER

Risk Assessment

Every 4 years (or after significant changes), conduct a risk assessment covering all relevant physical, cyber, and hybrid threats.

Resilience Measures

Implement physical security measures (access controls, perimeter security, CCTV), operational plans, and system redundancies.

Incident Reporting

Report significant physical incidents affecting service delivery to the competent authority within 24 hours.

Personnel Security

Background checks on critical staff (where permitted nationally), insider threat programmes, and security awareness training.

Supply Chain

Assess physical supply chain security risks, particularly for critical goods and services that cannot be substituted quickly.

Authority Cooperation

Participate in regular security checks and enable authority inspections and security assessments of physical sites.


CER & NIS2 Overlap: Sector Coverage Matrix

The matrix below shows which sectors fall under NIS2, CER, or both. Entities in overlap sectors should develop an integrated compliance programme to avoid duplication and cover all obligations efficiently.

Sector                 | NIS2 🔐 | CER 🏗️ | Both?
-----------------------|---------|--------|-----------
Energy                 | ✓       | ✓      | Dual
Transport              | ✓       | ✓      | Dual
Banking                | ✓       | ✓      | Dual
Financial Markets      | ✓       | ✓      | Dual
Health                 | ✓       | ✓      | Dual
Drinking Water         | ✓       | ✓      | Dual
Wastewater             | ✓       | ✓      | Dual
Digital Infrastructure | ✓       | ✓      | Dual
Public Administration  | ✓       | ✓      | Dual
Space                  | ✓       | ✓      | Dual
Food                   | ✓       | ✓      | Dual
Postal Services        | ✓       | -      | NIS2 only
Waste Management       | ✓       | -      | NIS2 only
Chemicals              | ✓       | -      | NIS2 only
Manufacturing          | ✓       | -      | NIS2 only
Digital Providers      | ✓       | -      | NIS2 only
Research               | ✓       | -      | NIS2 only

Building an Integrated NIS2 + CER Compliance Programme

For entities falling under both directives, the European Commission explicitly recommends an integrated approach. Many measures, such as risk assessments, business continuity plans, and supply chain security, can be designed to satisfy both frameworks simultaneously.

1. Scoping Assessment

   Determine whether your entity falls under NIS2, CER, or both. Check with your national competent authority for CER designation status.

2. Integrated Risk Assessment

   Conduct a single, unified risk assessment that covers both cyber and physical risks, satisfying the risk assessment requirements of both directives.

3. Unified Measure Design

   Design a measure set that addresses NIS2 Article 21 controls and CER resilience obligations within a single framework, eliminating redundancy.

4. Governance & Reporting

   Establish unified governance with clear board-level ownership, and design your incident reporting workflows to cover both the 24-hour CER and the 24-hour/72-hour/30-day NIS2 obligations.


Frequently Asked Questions

What is the CER Directive?

The CER Directive (EU 2022/2557), the Critical Entities Resilience Directive, establishes obligations for entities providing essential services in 11 critical sectors to strengthen their resilience against physical incidents, including natural disasters, terrorist attacks, insider threats, and sabotage.

What sectors does CER cover?

CER covers 11 sectors: energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Note that CER covers all 11 of these sectors for physical resilience, while NIS2 covers digital/cyber aspects across a wider 18-sector scope.

What is the difference between CER and NIS2?

NIS2 focuses on cyber/digital security (network and information systems). CER focuses on physical resilience (buildings, staff, supply chains, and operations). However, many entities in energy, transport, health, and digital infrastructure fall under BOTH directives, and the frameworks are explicitly designed to be complementary.

What are the main obligations under CER?

Critical entities must: conduct risk assessments every 4 years, implement resilience measures based on those assessments, report significant incidents within 24 hours to competent authorities, cooperate with authorities during security checks, and develop and test business continuity plans.

How does CER define a 'critical entity'?

Under CER, an entity is designated as 'critical' by its member state if it provides an essential service in a covered sector and if the disruption of that service would have significant cross-border or societal effects. Unlike NIS2, CER uses a designation-based approach rather than blanket size thresholds.

Sources

This page is based on the following EU legal sources:

Also Understand Your NIS2 Obligations

If your organisation falls under CER, it very likely also falls under NIS2 for cybersecurity. Read our complete NIS2 guide to understand the digital security obligations that run in parallel.

Read the NIS2 Guide →