The Critical Entities Resilience Directive: Compliance Readiness Before and After July 2026

International SOS Crisis Management and Business Continuity Expertise

Regulatory change often takes effect well before it becomes a practical priority. Requirements are published, timelines are clear and the terminology is familiar, yet for many organizations likely to fall within scope, the operational consequences remain underexplored. This is the current situation with the EU’s Critical Entities Resilience Directive (Directive (EU) 2022/2557), known as CER. As a Directive rather than a Regulation, it does not bind organizations directly: each Member State must transpose it into national law, and it is enforced at country level through that national implementing legislation.

As EU Member States approach the 17 July 2026 deadline for identifying critical entities, this article offers an informational overview and context for organizations that may be affected by the Directive. It is intended for executives, risk owners, security directors, corporate secretaries and boards, to support internal discussion and implementation planning around CER’s potential implications.

What is the CER Directive (EU) 2022/2557?

The CER Directive (EU) 2022/2557 is the EU’s framework for strengthening the resilience of organizations that provide essential services, shifting the focus from protecting individual assets to sustaining services through disruption. It replaces the 2008 European Critical Infrastructure Directive (2008/114/EC), which was narrower and focused mainly on physical protection in the energy and transport sectors. The world has changed since 2008: pandemics, hybrid threats, state-sponsored sabotage, extreme weather, cyber-physical convergence and cascading supply-chain failures have produced a post-COVID risk landscape that is structurally different, and European policymakers concluded that the old framework no longer matched the threat environment.

CER expands the scope from two sectors to eleven: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food. It adopts an all-hazards approach, spanning natural disasters, terrorism, insider threats, sabotage, hybrid campaigns, pandemics and accidents, rather than focusing on a single risk type.

CER sits alongside and complements other EU resilience frameworks. NIS2 focuses on cybersecurity and network-and-information-systems resilience, while DORA applies specifically to digital operational resilience in the financial sector. Depending on sector and footprint, organizations may fall under more than one of these regimes, making coordination important to avoid duplicated workstreams.

What is the implementation timeline of the CER Directive?

By 17 July 2026, EU Member States are required to have identified which organizations on their territory qualify as “critical entities” under the Directive. From the moment an organization is notified of its designation, a ten-month clock starts within which it must meet a set of resilience obligations that, for many, will require rethinking how they govern risk, continuity and crisis response. Ten months is roughly what separates a notification letter from a compliance audit, and it is considerably less time than most transformation programs of this ambition deserve.

The key implementation milestones below provide a general guide. In practice, timing, supervision and enforcement will vary by Member State depending on national implementation:

  • 14 December 2022: Directive adopted.
  • 17 October 2024: Transposition deadline for Member States. Most missed it; national laws are still being adopted across the bloc, which in turn is compressing the timeline for everyone downstream.
  • 17 January 2026: Member States required to have adopted their national resilience strategy and completed their national-level risk assessment.
  • 17 July 2026: Member States are required to identify critical entities and initiate notification processes.
  • Notification + 10 months: Each identified entity must comply with the Directive’s obligations. For those notified on or close to the July 2026 date, that lands in May 2027.

Does the CER Directive apply to my organization, and what does “critical entity designation” mean?

CER applies in practice when a national authority designates and notifies an organization as a critical entity because it provides an essential service in a covered sector. If your organization operates essential services across multiple EU Member States, it may be considered for designation in more than one jurisdiction. However, designation criteria and outcomes will depend on assessments by national competent authorities and the specifics of national implementation.

What does the 10-month compliance window mean for CER compliance readiness?

Member States must complete identification by 17 July 2026, and after notification, organizations have a compressed window in which to demonstrate CER compliance readiness. The next twelve to eighteen months are therefore where theory becomes practice. Here is what we expect to see, and what we are already seeing with client organizations.

Between now and summer 2026, national competent authorities are expected to finalize their identification methodologies, essentially the thresholds and criteria that define a “significant disruptive effect” on the provision of an essential service. Some Member States are running informal consultations; others are keeping their cards close. Either way, in some Member States identification letters may begin landing on corporate doorsteps during the spring and early summer of 2026. For multinationals, the letters will not all arrive at the same time, and they will not all say exactly the same thing.

What actions are typically expected after a critical entity is notified?

Once notified, an organization becomes a “critical entity” in the legal sense and is generally expected to take steps such as the following within its ten-month window to demonstrate compliance:

  • Conduct its own risk assessment, covering all relevant natural and human-induced hazards, including insider threats, sabotage, public health emergencies and hybrid threats, and keep it current (at least every four years, and sooner if conditions change).
  • Put in place appropriate and proportionate technical, security and organizational measures to ensure resilience. The Directive names the categories expected: preventing incidents, ensuring adequate physical protection, responding to and absorbing incidents, recovering, managing personnel security (including background checks for sensitive roles), and raising staff awareness.
  • Designate a liaison officer or equivalent point of contact with the competent authority.
  • Notify significant incidents, typically within 24 hours of becoming aware, followed by a more detailed report (often within one month), as set out in applicable national implementing laws, when incidents disrupt or could disrupt the provision of essential services.
  • Prepare for on-site inspections and audits by the competent authority and cooperate with information requests.
  • For entities providing essential services in six or more Member States, be prepared for possible designation as a “critical entity of particular European significance,” which brings additional coordination and oversight at EU level.

Specific obligations and how they are applied will depend on national implementation legislation.

Sanctions will be set in national law and are required to be “effective, proportionate and dissuasive.” Several Member States are signaling figures that will get the attention of any CFO. More importantly for many executives I speak with, the reputational and operational consequences of a finding of non-compliance, particularly after a real incident, are harder to quantify but generally more damaging than the fine itself.

What does operational resilience look like under CER?

There is a tendency to approach CER as a compliance checklist. In practice, this may be insufficient, as the Directive places significant emphasis on operational resilience, governance and decision-making in disruption scenarios.

The Directive is, at its core, a governance instrument dressed as a security one. It asks whether your organization genuinely has the structures, the decision rights, the rehearsed muscle memory and the cross-functional fluency to absorb and recover from a serious disruption to an essential service. A beautifully written risk assessment that lives in a SharePoint folder and is not connected to how the executive committee actually takes decisions under pressure will not satisfy a competent authority for long, and it certainly will not help you on the night a crisis actually occurs.

How does the Directive impact crisis management and business continuity (BCM)?

The organizations that will come out of this exercise stronger, not just compliant, but actually more resilient, tend to share a few characteristics.

  • They treat CER as a chance to consolidate fragmented programs (business continuity and disaster recovery planning, crisis management, physical security, insider threat and supply-chain risk) into a single coherent resilience architecture with one executive sponsor.
  • They align the work with ISO 22361, ISO 22301, and ISO 31030, which are widely used international references that provide practical implementation scaffolding and help organizations evidence maturity.
  • They invest in tabletop exercises and simulations that are uncomfortable, not the ones that confirm the plan works. And they get their boards properly educated early, so that when the liaison officer escalates something at 2 a.m., there is no re-explanation of roles and authorities mid-incident.

CER vs NIS2 vs DORA: Where can duplicate workstreams and gaps appear?

Many organizations may be subject to more than one framework, including CER, NIS2 and, where relevant, DORA, so it’s common to see questions about duplication, accountability and gaps. We will not turn this into a recipe, because what this looks like in practice genuinely differs by sector, by national transposition, and by your organization’s existing maturity. But a few patterns recur often enough to be worth naming.

The first is treating CER as a pure compliance project, assigning it to legal or to a single risk function and producing a deliverable. This produces paper, not resilience. The Directive’s spirit is operational.

The second is underestimating the interlock with NIS2 and DORA. Many organizations will be simultaneously in scope of two or three regimes. Running parallel, uncoordinated workstreams burns budget, confuses accountability and leaves gaps at the seams between physical and cyber.

The third is stopping at the headquarters level. Critical entity status applies where essential services are delivered, often at sites, plants, data centers, logistics hubs, hospitals, and substations. Governance documents written in the capital that do not translate to operational readiness on the ground will fail their first inspection.

The fourth is the crisis management blind spot. An impressive risk register does not make a crisis response capability. The ability to identify your Minimum Viable Firm correctly in advance, detect a weak signal, convene the right people in minutes, make decisions with incomplete information, orchestrate internal and external stakeholders, and communicate coherently under pressure is a separate, trainable capability. It is also the one most frequently discovered to be missing during the first real test.

Why is readiness a key component of CER compliance?

Our teams of experts have been accompanying organizations on their crisis and resilience journey for over 40 years, across sectors, across continents, and through crises that, taken together, have reshaped the way serious organizations think about risk. What strikes us most, looking back over the last several years, is how profoundly the operating environment has changed, and why readiness has become a leadership discipline. The ecosystems we all must operate in are more interconnected, more contested and less forgiving than they were even five years ago. CER is, in many ways, the regulatory acknowledgement of that new reality.

From what we observe, the organizations that navigate this environment best are the ones that have internalized the following key lessons:

  • Resilience is an executive discipline, not a departmental one. The moment it is delegated, it narrows, and narrow resilience breaks first.
  • The quality of decisions in a crisis is set months before the crisis. Not by plans, but by the trust, habits and authorities rehearsed inside the leadership team and beyond.
  • Interconnection is the risk multiplier that almost everyone still underestimates. Mapping your dependencies (people, suppliers, data, third parties, geographies) is now as critical as mapping your assets.
  • Honest post-incident learning is the single highest-return investment in resilience. Most organizations debrief politely; the resilient ones debrief uncomfortably.

How can you accelerate CER compliance readiness?

Ahead of July 2026, organizations may wish to consider a range of measures to strengthen their resilience capabilities, depending on their risk profile and regulatory context:

  • CER readiness and gap assessments against the Directive’s requirements and the relevant national transposition, benchmarked to ISO 22361, ISO 22301, and ISO 31030.
  • All-hazards risk assessments tailored to your essential services, sites and interdependencies, including insider threat and hybrid-threat scenarios.
  • Crisis management program design and maturity uplift, covering governance, audit readiness and the development of a resilience evidence pack, delivered through playbooks, decision-making frameworks, executive-level simulations and after-action learning.
  • Resilience plan development and implementation support, including the organizational, physical-security and personnel-security measures the Directive expects.
  • Incident notification readiness, including the 24-hour reporting workflow to competent authorities and the escalation chain that must function at any hour.
  • Board and executive briefings to align leadership on accountabilities before regulators, auditors or reality ask the question.
  • Integrated support across CER, NIS2 and, where relevant, DORA, so that the workstreams reinforce each other rather than compete for the same budget.

How can we support your organization?

We support organizations in strengthening crisis management and operational resilience capabilities across sectors and geographies, with a focus on practical, real-world readiness.

Join our Crisis Management experts for a brief dedicated webinar on the CER Directive. The experts share a practical, cross-disciplinary perspective on the Directive and discuss how organizations are approaching operational resilience in the lead-up to July 2026.

If your organization is likely to be identified under CER, or is looking to strengthen its crisis management and resilience capabilities, we would welcome a conversation. The timeline is fixed, and organizations are increasingly focusing on how best to strengthen their preparedness ahead of implementation, so get in touch.

Disclaimer: This article provides a general overview of the EU Critical Entities Resilience Directive (CER). It is not intended as legal or regulatory advice, and organizations should seek appropriate guidance based on their specific circumstances and applicable national laws.