The Critical Entities Resilience (CER) Directive

Strengthening the ability of essential infrastructures to withstand and recover from physical and cyber incidents

What is the CER Directive?

The European Directive on the Resilience of Critical Entities (CER), adopted on 14 December 2022, establishes a framework to strengthen the robustness of essential infrastructures across the European Union. Its purpose is to ensure that these infrastructures can anticipate, withstand, and recover from major disruptions, whether caused by natural disasters, accidents, or malicious acts.

The central ambition of the directive is to guarantee a high level of operational resilience, combining protective measures against threats with robust business continuity mechanisms. It also promotes better coordination and cooperation between Member States, thereby improving information sharing and enabling more effective collective responses to cross-border crises.

Complementary to the NIS2 Directive, which focuses on cybersecurity and digital incident management, the CER Directive specifically addresses the physical and organizational dimensions of resilience. Together, these two texts form a coherent framework to safeguard the security and continuity of essential services throughout the European Union.

Identification and Notification of Critical Entities

The identification of critical entities under the CER Directive is based on the national risk assessment carried out by each Member State. This analysis determines which organizations, among the essential sectors covered by the directive – energy, transport, banking, financial market infrastructures, health, drinking water and wastewater, digital infrastructures, public administration, space, and food – must be designated as critical entities.

Once this process is completed, Member States are required to formally notify the entities concerned. This notification confirms their status as a critical entity and specifies the resulting obligations, notably the implementation of enhanced security measures and appropriate resilience plans. The objective is to ensure that each identified entity is fully aware of its strategic role and of the requirements in terms of resilience and business continuity.

How to prepare for compliance

The obligations set out by the regulator under the CER Directive are designed to strengthen the resilience of critical entities. Designated entities must implement a structured approach that encompasses risk management, business continuity, and cooperation with authorities. In practical terms, this means:

  • Carrying out a comprehensive risk assessment, explicitly including climate-related risks, technological risks, and human-induced risks such as industrial accidents and acts of terrorism.

  • Deploying organizational and technical preventive measures to reduce vulnerabilities.

  • Developing business continuity and recovery plans, ensuring the availability of essential services in the event of disruption.

  • Establishing governance for resilience, with clearly defined responsibilities, staff training, and the promotion of a strong resilience culture.

  • Notifying national authorities of any serious incident affecting the continuity of services.

  • Cooperating with regulators and submitting to supervision and audits as part of ongoing oversight.

Complementing other European frameworks, the CER Directive provides a comprehensive and systemic approach to resilience. It reinforces the NIS2 Directive (focused on cybersecurity) and the DORA Regulation (specific to the financial sector) by integrating the physical, organizational, and climate-related dimensions of threats.

Learning Objectives

This training aims to enable participants to:

  • Gain an in-depth understanding of the CER Directive, its scope, its obligations, and its interaction with NIS2.

  • Identify the sectors and entities concerned, as well as the related compliance obligations.

  • Conduct a risk assessment that integrates climate change and natural disasters.

  • Develop and document continuity and adaptation plans in line with the directive’s requirements.

  • Compile the evidence expected by regulators (policies, procedures, reports, exercises, audits).

  • Implement governance and a resilience culture that extend to the supply chain and critical service providers.

Target Audience and Prerequisites

  • Executives and managers of entities operating in a critical sector.

  • Compliance officers, risk managers, security and business continuity managers.

  • CISOs, DPOs, operations directors, and general managers involved in risk governance.

  • Basic knowledge in risk management, regulatory compliance, or business continuity is required. Familiarity with frameworks such as NIS2, DORA, ISO 22301 (business continuity), or ISO 27001 (information security) is an asset but not mandatory.

Course curriculum

  • Introduction to cybersecurity and digital operational resilience
  • Resilience & Incident Management
  • Articulate the appropriate communication strategy
  • Designing and Executing a Mitigation Strategy
  • The CER Directive
    • Why the CER Directive
    • Which critical sectors and entities will be affected
    • The fundamentals, the pillars and the potential sanctions under the CER Directive
    • How to prepare and be compliant
    • Interdependencies with other regulations and standards