What is the CER Directive?
The Critical Entities Resilience Directive strengthens the physical security and operational resilience of infrastructures critical to society.
The CER Directive (Critical Entities Resilience Directive) is a European Union directive that entered into force on January 16, 2023. Its primary goal is to strengthen the physical and operational resilience of critical entities and infrastructures that provide essential services to society across the EU.
While the NIS2 Directive focuses heavily on cybersecurity and digital systems, the CER Directive addresses physical and operational hazards, such as natural disasters, accidents, sabotage, terrorist attacks, and hybrid threats.
The directive must be transposed into the national legislation of EU member states. In Finland, the national transposition is underway, with the new legislation expected to take effect around mid-2025.
Which sectors fall under the CER Directive?
The CER Directive covers 11 sectors essential for the functioning of society:
- Energy: Electricity, district heating/cooling, oil, natural gas, and hydrogen.
- Transport: Air, rail, water, and road transport, along with their physical infrastructure.
- Banking: Credit institutions.
- Financial Market Infrastructure: Trading venues and central counterparties.
- Health: Healthcare providers, laboratories, and the manufacturing of basic pharmaceutical products and medical devices.
- Drinking Water: Collection, treatment, and distribution of water.
- Wastewater: Collection, treatment, and disposal.
- Digital Infrastructure: DNS services, TLD registries, cloud computing, data centers, content delivery networks (CDNs), and public telecommunications networks/services.
- Public Administration: Critical government agencies and public authorities.
- Space: Operators of ground-based infrastructure supporting space-based services.
- Food: Industrial production, processing, wholesale distribution, and logistics of food products.
How are Critical Entities identified?
Each member state (in Finland, the sector-specific ministries) must identify and designate the critical entities within their borders by July 17, 2026. This designation is based on a harmonized assessment framework that considers:
- Service Criticality: Whether the entity provides a service that is vital for the maintenance of key societal or economic activities.
- Geographical Location: Where the infrastructure is located and how it relies on other critical resources.
- Interdependencies: How a disruption in one sector (e.g., electricity supply) would cascade into other sectors (e.g., water supply or transport).
- Cross-border Impact: Whether a disruption at the entity would have negative spillover effects on other EU member states.
Designated critical entities are added to a secure national registry, which is updated at least every four years.
What requirements does the CER Directive place on entities?
Once designated as a “critical entity,” an organization must fulfill several obligations:
1. Risk Assessment
Entities must conduct their own risk assessment regularly (at least every four years). This assessment must analyze both national-level threat models and facility-specific risks, including floods, fires, power failures, or physical intrusions.
2. Resilience Plans and Protective Measures
Entities must draft a resilience plan and implement appropriate and proportionate measures in the following areas:
- Physical Protection: Securing facilities, equipment, and access control (e.g., fencing, CCTV monitoring, security patrols).
- Operational Recovery: Preparing for disruptions with alternative supply chains, backup power generators, and emergency communication systems.
- Personnel Security: Managing access to critical zones and conducting security background checks on staff where necessary.
3. Incident Notifications
Critical entities must notify their supervisory authority immediately (no later than 24 hours after becoming aware of the incident) of any significant incident that disrupts or has the potential to disrupt the continuity of their essential services.
4. Supervision and Inspections
Authorities have the power to conduct announced or unannounced site inspections, request documentation, and test the effectiveness of protective measures. Non-compliance can lead to administrative penalties defined in national law.
How can Tekve help?
The boundaries between physical and digital security are increasingly blurred. We help your organization manage resilience holistically and prepare for the national requirements of the CER Directive:
- Pre-assessment & Scope Determination: We help determine if your organization is likely to be designated as a critical entity by national ministries.
- Physical and Operational Risk Analysis: We perform thorough threat and risk assessments, taking into account facilities, supply chain vulnerabilities, and sector interdependencies.
- Business Continuity Planning (BCP/DR): We develop and test resilience and continuity plans, ensuring your organization can maintain core functions during crises.
- Compliance Reporting Readiness: We set up incident detection, escalation, and notification workflows to ensure you can meet the strict 24-hour reporting window.