Karin Palmblad, Mads Østerby

29 October 2025

The EU CER Directive: Understand the basics

Understand the EU CER Directive 2022/2557. In this piece we cover scope, obligations, timelines, and why resilience is now a board-level responsibility for critical entities.

The European Union’s Critical Entities Resilience Directive (CER Directive, EU 2022/2557) is a landmark regulation designed to strengthen Europe’s ability to withstand systemic disruptions. Entering into force in January 2023, it applies across 11 essential sectors, from energy and healthcare to finance, digital infrastructure, and transport.

But this Directive is not just another compliance checkbox. It represents a strategic shift in how resilience is governed. For the first time, resilience is positioned as a board-level responsibility, equal in importance to financial oversight and ESG.

If your organisation operates in any of the covered sectors, the CER Directive could fundamentally reshape your operating obligations within the next few years. National authorities will soon begin designating which organisations count as “critical entities,” and once designated, compliance will be mandatory within nine months.

For leaders, the CER Directive is both a challenge and an opportunity:

  • A challenge because the Directive requires organisations to move beyond traditional risk management and adopt a system-wide, all-hazards approach.
  • An opportunity because organisations that act early can turn compliance into a source of competitive advantage — building resilience that investors, regulators, and customers increasingly demand.

On this page you’ll find out what the CER Directive is, who it applies to, key obligations and deadlines, and how organisations can turn compliance into strategic resilience.

Why the CER Directive matters now

Europe is experiencing an era of compounding risks. Climate change brings more frequent floods, heatwaves, and storms. Geopolitical tensions disrupt global energy and food supply chains. Cyber-attacks increasingly cause real-world disruption, from pipeline outages to hospital shutdowns. These risks are no longer isolated; they are interconnected, cascading across sectors and borders.

The CER Directive is the EU’s response to this new reality. It broadens the focus from asset protection to system resilience, requiring both public and private operators to anticipate, withstand, and recover from disruption.

3 Ways the Directive Affects Organisations

  1. Legal obligation – If designated as a critical entity, compliance is mandatory and enforceable at the national level.
  2. Strategic imperative – Resilience is now a governance responsibility, not a technical afterthought.
  3. Competitive differentiator – Early movers can leverage resilience as part of their market positioning, investor relations, and supply chain attractiveness.

In short, understanding CER is not optional. If your company or organisation provides essential services in the EU, learning how to comply — and how to benefit — should be a strategic priority.

What is the CER Directive?

The CER Directive (EU 2022/2557) replaces the European Critical Infrastructure Directive (2008/114/EC), which only covered energy and transport assets. The old directive was narrow, asset-focused, and ill-suited for today’s interconnected risk environment.

CER expands both the scope and ambition, and it applies to 11 sectors:

The Directive introduces an all-hazards approach. Instead of focusing only on terrorism or physical sabotage, it covers the full spectrum of risks: natural disasters, industrial accidents, cyber-physical attacks, systemic supply chain failures, and geopolitical shocks.

Importantly, CER is designed to complement the NIS2 Directive. Together, the two laws form Europe’s most comprehensive resilience framework — CER covering physical and operational resilience, and NIS2 covering cybersecurity.

Who falls within scope?

Not every organisation in a covered sector will be designated as “critical.” The Directive places responsibility on Member States to identify which entities qualify, using risk-based criteria.

Designation is based on:

  • The scale of service delivery and number of users dependent on it.
  • Geographic spread, including cross-border activity.
  • The degree of interdependence with other essential services.
  • The availability of alternatives if the service fails.

Entities active in six or more Member States are given EU-level advisory support to reflect their pan-European importance.

This approach recognises that resilience is a shared European concern. A disruption in one Member State can cascade across borders, making coordinated oversight essential.

Key timeline for CER

The Directive’s rollout is staged to give governments and organisations time to prepare:

  • 16 January 2023 – Directive enters into force.
  • 18 October 2024 – Member States must transpose CER into national law.
  • 17 January 2026 – Member States must complete national risk assessments.
  • 17 July 2026 – Member States begin designating critical entities.
  • 9 months after designation – Critical entities must comply with obligations.

These dates create a structured roadmap. However, the compliance window is short: once designated, organisations have less than a year to meet all obligations. That makes early preparation essential.

Compliance obligations for organisations

The CER Directive creates a dual layer of obligations: those for Member States and those for the entities they designate as critical.

Member State obligations:

  • Develop a national strategy for resilience.
  • Conduct a comprehensive national risk assessment.
  • Identify and notify critical entities.
  • Establish competent authorities to monitor and enforce compliance.

Designated organisations must implement a robust set of resilience measures.

Obligations for critical entities include:

  • Risk assessments covering a wide spectrum of hazards, including interdependent and cross-border risks.
  • Resilience planning and measures across governance, operational processes, supply chains, and physical infrastructure.
  • Incident notification to authorities in the event of significant disruptions.
  • Coordination with NIS2 obligations to ensure integrated cyber-physical resilience.

What sets CER apart is its insistence that resilience is not a one-time plan but a continuous governance responsibility. Boards must ensure resilience is integrated into risk appetite statements, investment decisions, and performance metrics.

This governance lens elevates resilience to the same level as financial management and sustainability. Boards that fail to take ownership of resilience may expose their organisations to regulatory, reputational, and strategic risks.

From compliance to competitiveness

While the CER Directive imposes obligations, it also creates an opportunity. Resilient organisations enjoy clear advantages:

  • Reduced downtime and financial loss in the face of disruption.
  • Enhanced trust with regulators, investors, and customers.
  • Improved supply chain positioning, as resilience becomes a procurement criterion.
  • Alignment with ESG and other non-financial reporting frameworks.

For forward-looking organisations, CER compliance is not just about avoiding penalties. It is about future-proofing the business and securing a stronger competitive position in volatile markets.

Roadmap for getting started

Preparing for CER compliance requires a structured approach. Key steps include:

  • Gap analysis – Compare current resilience practices against CER obligations.
  • Dependency mapping – Identify upstream, downstream, and cross-border dependencies.
  • Scenario planning and stress testing – Test resilience in realistic disruption scenarios.
  • Leadership anchoring – Ensure board-level accountability with resilience KPIs.
  • Engagement with authorities – Build early dialogue with regulators to align expectations.

Building a strong coalition

As organisations move forward, building a strong coalition centred around the right competencies is key. In this, finding the right project manager will be a critical task for management.

Relevant specialist knowledge includes, but is not limited to:

  • Risk analysis, risk management, and legal
  • Business continuity planning
  • Training and capability building
  • Project/programme management
  • Cyber security and NIS2
  • Climate adaptation and mitigation
  • Emergency preparedness and response planning
  • Physical security, access control, and perimeter security

Organisations that start now will not only be ready for compliance but will also reap the benefits of enhanced resilience sooner than competitors.
