16 January 2023 – the CER Directive came into force. Companies need to take care of the preparatory measures for compliance with CER now.
18 October 2024 – Member States will apply the measures that they have adopted in the course of the implementation of the CER Directive at local level.
While the NIS2 Directive aims to respond to the security concerns for the cyber dimension, the CER Directive sets rules to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities active in such sectors as energy, transport, health, drinking water, waste water, and space and providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend.
The CER Directive will replace the Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, which was limited to energy and transport sectors.
The Act covers eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (i.e., IXP providers; DNS service providers; TLD name registries; providers of cloud computing services; providers of data centre services; providers of content delivery network; trust service providers; and providers of public electronic communications networks as well as providers of publicly available electronic communications services), public administration, space, and food.
Critical entities within the scope of the new rules will need to:
By 17 October 2024, Member States will need to adopt and publish the measures necessary to comply with the CER Directive. They will apply those measures from 18 October 2024.
Importantly, each Member State may extend the scope of the new rules and obligations. At Bird & Bird, we monitor the developments for all EU Member States and identify national add-ons. See our free CER Directive Implementation Tracker.
*Information is accurate up to 22 April 2024