# CER Directive (Critical Entities Resilience Directive, Directive EU 2022/2557)
EU directive establishing harmonised rules to strengthen the resilience of entities providing essential services in 11 critical sectors. Sister regulation to NIS2 — where NIS2 addresses cybersecurity, the CER Directive addresses broader physical, hybrid, and operational resilience. In force January 2023, Member State transposition by October 2024.
## What the CER Directive actually is
The Critical Entities Resilience Directive (CER, Directive EU 2022/2557) is the EU's framework for strengthening the resilience of entities providing essential services across critical sectors. Adopted in late 2022 and in force from January 2023, with Member State transposition required by October 2024, it operates as the **non-cyber sister regulation to NIS2**.
Where [NIS2](/en/glossary/nis2/) addresses cybersecurity for essential and important entities, the CER Directive addresses the broader resilience picture — physical security, hybrid threats, operational continuity, supply-chain dependencies, and recovery capability for the same general entity population.
## What sectors are covered
The CER Directive identifies 11 critical sectors:
| Sector | Examples |
|--------|----------|
| **Energy** | Electricity, oil, gas, district heating, hydrogen |
| **Transport** | Air, rail, water, road |
| **Banking** | Credit institutions |
| **Financial market infrastructure** | Trading venues, central counterparties |
| **Health** | Healthcare providers, EU reference labs |
| **Drinking water** | Suppliers and distributors |
| **Wastewater** | Treatment infrastructure |
| **Digital infrastructure** | IXPs, DNS, TLD registries, cloud providers, data centres |
| **Public administration** | Member State central administrations |
| **Space** | Ground-based infrastructure supporting space services |
| **Food** | Large-scale production, processing, distribution |
The list significantly overlaps with NIS2 — by design, since the same entities typically need both cybersecurity and broader resilience capabilities.
## What the directive requires
The CER Directive imposes obligations across several layers.
### Member State obligations
Each Member State must:
- **Identify critical entities** in each of the 11 sectors based on Commission criteria
- **Conduct national risk assessments** addressing all-hazards exposure
- **Adopt national resilience strategies** addressing cross-sectoral dependencies
- **Designate a competent authority** for CER Directive enforcement
- **Cooperate cross-border** through the Critical Entities Resilience Group
### Critical entity obligations
Identified critical entities must:
- **Conduct risk assessments** considering all hazards (physical, hybrid, supply-chain, operational)
- **Implement resilience measures** proportionate to identified risks, including physical security, business continuity, incident response, and supply-chain risk management
- **Notify incidents** disrupting essential services to competent authorities
- **Conduct background checks** for personnel with sensitive roles
- **Submit to compliance verification** by competent authorities
### Cross-border identification
Member States must coordinate identification of critical entities providing services in multiple Member States. The Commission can issue opinions on cross-border identification consistency.
## CER Directive vs NIS2
The two directives are tightly coordinated and many entities are in scope of both:
| Aspect | CER Directive | NIS2 |
|--------|---------------|------|
| Subject | All-hazards resilience | Cybersecurity |
| Sectors | 11 critical | 18+ (essential + important) |
| Entity granularity | Individual critical entities | Sector-wide |
| Physical security | Core | Out of scope |
| Hybrid threats | ✅ | Limited |
| Supply-chain risk | ✅ | ✅ |
| Reporting threshold | Significant incident | Significant incident |
| Penalties | Member State implementation | Up to €10M / 2% turnover |
| In force | January 2023, transposition October 2024 | January 2023, transposition October 2024 |
The directives share aligned timing, complementary scope, and coordinated implementation. Several Member States have created single competent authorities handling both CER and NIS2 compliance.
## Why the CER Directive matters
### 1. Post-COVID resilience lessons institutionalised
The CER Directive emerged from explicit recognition that EU critical-infrastructure resilience had been insufficient in the face of COVID-19, energy market disruptions, and geopolitical instability. The directive institutionalises lessons learned across these shocks.
### 2. Hybrid threats acknowledged
The directive explicitly addresses "hybrid threats" — combinations of cyber attack, disinformation, physical sabotage, and supply-chain disruption that nation-state and non-state actors increasingly use against European critical infrastructure. This is materially different from purely cyber-focused frameworks.
### 3. Cross-border coordination operationalised
European critical infrastructure increasingly operates across Member State borders. Energy interconnectors, transport networks, and financial market infrastructure all cross national jurisdictions. The CER Directive's cross-border coordination provisions address this structurally.
### 4. Supply-chain resilience layer
Critical entities must address supply-chain risk explicitly — including for technology providers. This affects EU procurement of cloud services, software platforms, and digital infrastructure where supply-chain disruption could affect essential services.
### 5. Digital infrastructure as critical
The CER Directive explicitly designates digital infrastructure (IXPs, DNS, cloud providers, data centres) as a critical sector. This formalises what was already operationally true and creates direct regulatory obligations on European cloud and infrastructure providers.
## How the CER Directive affects tech procurement
### For European cloud providers and data centres
CER-identified critical entities (in digital infrastructure or other sectors) must address supply-chain risk for technology services. This drives procurement preferences toward providers with strong resilience documentation, EU jurisdiction, and demonstrated continuity capability.
European cloud providers (Infomaniak, OVHcloud, Scaleway, others) that have invested in resilience documentation are positioned as preferred suppliers. US hyperscalers face structural compliance complexity for serving CER-identified entities.
### For SaaS vendors selling to critical entities
If your SaaS product supports operations of CER-identified critical entities — hospitals, banks, energy companies, transport operators — your vendor relationships now have direct regulatory implications under the CER framework.
### For European tech procurement teams
CER compliance considerations are integrating into procurement processes alongside NIS2, DORA, and AI Act compliance. The combined regulatory framework creates a coherent procurement-evaluation matrix that favours providers with demonstrated EU jurisdiction, resilience capability, and supply-chain transparency.
### For incident-response planning
CER incident-notification requirements interact with NIS2, DORA, GDPR, and sectoral requirements. Critical entities increasingly maintain coordinated incident-response playbooks addressing all relevant regulatory notification timelines.
## CER and digital sovereignty
The CER Directive operationalises a structural sovereignty dimension that pure cybersecurity frameworks don't address:
- **Physical security of digital infrastructure** — data centres, IXPs, undersea cables
- **Supply-chain dependencies** — semiconductors, hardware, materials traceability
- **Cross-border continuity** — services that span Member States
- **Hybrid-threat preparedness** — disinformation, sabotage, coordinated disruption
These dimensions interact with the broader EU sovereignty agenda — connecting NIS2 cybersecurity, CRMA materials sovereignty, and Strategic Compass defence positioning into a coherent posture.
## Implementation status (2026)
- **Directive in force** since January 2023
- **Member State transposition deadline** was October 2024 — most Member States have transposed; some still completing implementation
- **Critical-entity identification** in progress — Member States identifying entities under risk-based criteria
- **First incident notifications** flowing through competent authorities
- **Critical Entities Resilience Group** operational with regular Member State coordination
- **Commission opinions on cross-border identification** beginning to issue
## Practical implications
- **For critical-sector operators**: identify your CER status and prepare for compliance obligations
- **For technology providers**: supply-chain disclosure and resilience documentation increasingly procurement-relevant
- **For European cloud providers**: structural opportunity from procurement preferences toward EU-jurisdiction resilience
- **For US-headquartered providers**: structural compliance complexity when serving CER-identified entities
- **For policy and compliance teams**: integrate CER framework alongside NIS2 in coordinated compliance work
The CER Directive is the EU's most operationally significant non-cyber critical-infrastructure regulation of the 2020s. Combined with NIS2, it creates the coherent resilience framework that European critical infrastructure operationally requires given the post-COVID and post-Ukraine geopolitical context.