Cybersecurity

CER Directive – Directive on the resilience of critical entities

Latest Developments

16 January 2023 – the CER Directive came into force. Companies need to take care of the preparatory measures for compliance with CER now.

18 October 2024 – Member States will apply the measures that they have adopted in the course of the implementation of the CER Directive at local level. 

Summary

While the NIS2 Directive aims to respond to the security concerns for the cyber dimension, the CER Directive sets rules to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities active in such sectors as energy, transport, health, drinking water, waste water, and space and providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend.

How could it be relevant for you?

The CER Directive will replace the Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, which was limited to energy and transport sectors.

The Act covers eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (i.e., IXP providers; DNS service providers; TLD name registries; providers of cloud computing services; providers of data centre services; providers of content delivery network; trust service providers; and providers of public electronic communications networks as well as providers of publicly available electronic communications services), public administration, space, and food.

Critical entities within the scope of the new rules will need to:

  • Carry out risk assessments to identify all relevant risks that may disrupt the provision of essential services concerned;
  • Take appropriate technical, security, and organisational measures to ensure their resilience; and
  • Notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential service

Next steps:

By 17 October 2024, Member States will need to adopt and publish the measures necessary to comply with the CER Directive. They will apply those measures from 18 October 2024.

Importantly, each Member State may extend the scope of the new rules and obligations. At Bird & Bird, we monitor the developments for all EU Member States and identify national add-ons. See our free CER Directive Implementation Tracker.

*Information is accurate up to 22 April 2024

Explore other chapters in the guide

Data as a key digital asset

Crypto assets

AI as a digital asset

Privacy & Data Protection

Cybersecurity

Digital Identity and Trust Services

Consumer