Patrick Moloney

July 2, 2025

The CER Directive: A paradigm shift for resilience

The CER Directive repositions resilience from a reactive security posture to a governance imperative. This article introduces four dimensions of governance innovation to make resilience a proactive, intelligence-led and future-facing capability in key organisations.

In an age of converging crises from cyberattacks and climate disasters to geopolitical shocks and pandemics, the resilience of critical infrastructure is no longer just a technical challenge but a societal imperative.

Our modern way of life depends on a continuous and secure supply of essential services such as electricity, drinking water, healthcare, digital connectivity and transportation. Disruption to any of these systems can trigger cascading consequences across sectors, borders and populations.

The EU Critical Entities Resilience (CER) Directive (EU 2022/2557), which came into force in January 2023, is Europe’s regulatory response to this escalating risk environment. It replaces the outdated 2008 European Critical Infrastructure Directive with a broader, more ambitious and more integrated approach to resilience. Where the former directive focused on protecting assets, the CER Directive is about governing risk across entire systems.

At its core, the Directive recognises that safeguarding society requires more than operational continuity; it requires governance frameworks capable of anticipating disruption, adapting to systemic shocks and coordinating responses across physical, digital and institutional boundaries.

The CER Directive – an overview

The CER Directive establishes a common EU framework to enhance the resilience of critical entities against a wide range of threats, whether natural, accidental, malicious or systemic. It mandates a shared responsibility between public authorities and private operators to uphold the continuity of essential societal functions. Key provisions include national strategies for critical entity resilience, supported by regular risk assessments to identify essential services and critical entities. These strategies also involve the designation of critical entities and the obligation of such entities to conduct their own risk assessments and implement risk mitigation and resilience measures.

Definition of a Critical Entity

Under the Directive, a critical entity is defined as:

“A public or private entity that has been identified by a Member State as providing one or more essential services, the disruption of which would have significant consequences for public safety, security, health, or the economic or social well-being of people in that Member State.”

The Directive applies to entities in 11 sectors, including energy, transport, banking, health, digital infrastructure, food, water and public administration. However, inclusion in a sector does not automatically place an entity in scope. Designation is determined by national authorities based upon several criteria, including an entity’s size and operational reach, its degree of interdependence with other essential services, the potential societal or economic impact of a disruption and its role in critical supply chains.

Private sector actors, including multinational companies and key suppliers, can be designated based on their systemic relevance. Once designated, an entity becomes subject to the Directive’s full suite of obligations.

Four dimensions of governance innovation

The CER Directive marks a fundamental evolution in how resilience is conceptualised and implemented within critical infrastructure systems. It repositions resilience as a governance imperative: not a reactive security posture, but a proactive, intelligence-led and future-facing capability embedded across strategic decision-making, enterprise risk and societal interdependence.

This is not merely an extension of previous critical infrastructure protection frameworks. It is a systemic recalibration, underpinned by four dimensions of governance innovation.

1. Multi-hazard integration - from siloed risk models to converged threat assessments

The Directive mandates a comprehensive approach to risk, replacing traditional threat-specific models (e.g. security plans for terrorism, climate adaptation plans for flooding) with a multi-hazard, integrated risk framework. This requires critical entities to move beyond regulatory checklists and instead:

  • Conduct probabilistic and non-probabilistic risk assessments that account for both frequent and rare but high-impact threats
  • Factor in compounding and cascading risks, such as how cyberattacks on operational systems might coincide with natural disasters, or how civil unrest might disrupt healthcare supply chains
  • Account for intentional and unintentional threats equally, recognising that malicious actors (e.g. hybrid warfare) and systemic failures (e.g. AI malfunction in control systems) can produce similar levels of disruption

Governance implication

Risk ownership cannot sit solely with physical security or HSE functions. Boards and executive committees must ensure that enterprise risk management processes incorporate cross-functional hazard integration, including regular scenario exercises and intelligence-sharing protocols.

2. Interdependent risk mapping - from entity-focused to ecosystem-based resilience

Where previous approaches treated organisations as isolated units, the CER Directive mandates a shift toward network-aware resilience. Entities are now required to identify and analyse:

  • Upstream dependencies: critical services or inputs (e.g. cloud hosting, high-voltage power supply, pharmaceuticals) without which their operations cannot continue
  • Downstream reliance: sectors or communities that depend on the entity for continuity of vital services (e.g. regional hospitals depending on oxygen supply logistics)
  • Lateral vulnerabilities: shared systems or assets (e.g. national transport corridors, integrated data platforms) whose failure could produce cascading effects

This necessitates the development of risk cartographies: visual and analytical maps of interconnected dependencies and failure points across sectors.

Governance implication

Business continuity is no longer sufficient. Boards are required to mandate the creation of ecosystem-level risk intelligence, possibly involving participation in national or sectoral resilience platforms and collaboration with competitors, regulators and suppliers in shared risk environments.

3. Cross-border and geopolitical exposure - from national preparedness to transnational vulnerability management

The Directive acknowledges the reality of borderless risk in Europe’s critical systems. Whether it’s an energy provider reliant on gas imports, a logistics company using global just-in-time supply chains or a data processor with cloud servers hosted abroad, critical functions often extend beyond national jurisdiction.

Member States must take this into account when designating critical entities, and designated organisations need to:

  • Identify cross-border inputs and distribution nodes essential to service continuity
  • Assess geopolitical exposure, such as dependence on materials from adversarial regimes or service providers located in politically unstable regions
  • Build resilience strategies that consider EU-wide repercussions and coordination with EU agencies such as the Critical Entities Resilience Group (CERG)

Governance implication

Risk committees and senior leadership are required to develop geostrategic foresight capabilities. This includes stress-testing the business against macro-scale scenarios such as EU-China decoupling, regional conflicts or policy divergence between Member States.

4. Foresight-driven adaptiveness - from static risk controls to dynamic resilience maturity

Perhaps most profoundly, the Directive shifts resilience from a retrospective compliance exercise to a forward-looking adaptive governance model. It encourages entities to adopt a posture of anticipatory governance, in which resilience is understood as a dynamic capability evolving in response to emerging threats, changing technologies and societal transformation. This requires:

  • Horizon scanning and futures analysis to detect weak signals and pre-empt disruptions (e.g. AI security threats, critical mineral shortages, pandemics)
  • Use of stress-testing and systemic simulation tools to model how risk factors interact under different socio-political or climatic conditions
  • Integration of resilience into strategic planning processes, so that new investments, acquisitions, and product lines are resilience-screened from inception

Governance implication

The board must treat resilience as a strategic performance driver, on par with profitability and ESG. Executive accountability frameworks should include resilience KPIs, adaptive strategy reviews, and escalation protocols for emergent risks.

Conclusion - resilience as a strategic mandate

The CER Directive marks a watershed moment in the governance of Europe’s essential systems. By embedding a four-dimensional resilience model into law (multi-hazard integration, systemic interdependence, cross-border foresight and adaptive governance), it makes resilience a new, strategic cornerstone of enterprise leadership.

This is not a compliance exercise. It is a structural redefinition of how critical entities are expected to operate, govern and evolve in a world defined by systemic risk and cascading disruption. The Directive encourages organisations to move beyond fragmented risk frameworks and reactive business continuity models. In its place, it demands the development of cohesive, intelligence-led, and forward-looking governance systems that can anticipate disruption, absorb shocks, and adapt continuously.

Resilience, once viewed as a cost centre, is now being recast as a strategic asset, an enabler of operational continuity, regulatory trust, societal stability, and long-term value creation. It belongs not only in the remit of crisis managers but also on the agenda of executive teams and boards of directors.

The Directive challenges critical entities to move:

  • From compliance to competence, building institutional knowledge and decision-making capacity beyond regulatory minimums
  • From control to coordination, engaging across networks, supply chains, sectors and jurisdictions to manage systemic risk collectively
  • From reactive continuity to anticipatory transformation, embedding foresight, simulation and scenario planning into strategic governance

Entities that respond proactively to this shift will not only demonstrate regulatory leadership but will build the adaptive capacity necessary to thrive in a volatile, interconnected, and rapidly changing world.
