The EU CER Directive explained – What companies need to know now

🔍 What is the EU CER Directive?

The EU CER Directive (Critical Entities Resilience Directive, Directive (EU) 2022/2557) is a European law that came into force on 16 January 2023. Its aim is to significantly improve the resilience of so-called critical entities in the EU.

Critical facilities are organisations whose failure could have a massive impact on society – for example due to disruptions in the power supply, transport, water supply or healthcare.

The new directive replaces the previous EU Directive 2008/114/EC, which covered only energy and transport, and even those inadequately. The new version is much more comprehensive.

🛡️ Why has the directive been revised?

Climate change, cyber attacks, political instability, pandemics – the risks to critical infrastructures have changed and multiplied in recent years. The previous regulation was too narrowly defined and did not offer sufficient protection against:

  • Natural disasters and extreme weather
  • Terrorist or deliberate attacks
  • Technical failures
  • Cascading effects between sectors or countries

The EU CER Directive therefore favours a holistic approach that takes all hazards into account – regardless of whether they are natural, technical or man-made.

🏛️ What does this mean for Germany?

Germany is currently implementing the CER Directive with the Kritis Umbrella Act (KritisDG). A corresponding draft law has been available since the end of 2024.

For the first time, the KritisDG will set out requirements for all critical sectors in a single, uniform law, including:

  • Energy
  • Transport and traffic
  • Health
  • Drinking water supply
  • ICT and digitalisation
  • Finance
  • Public administration
  • Waste and wastewater management

👥 Who is affected?

Not every company in these sectors is automatically covered by the regulation. The decisive factors are:

  • Size and importance of the facility (e.g. many connected households, central role in the network, high potential for disruption)
  • Type of service that is essential for the functioning of the internal market or public safety
  • Categorisation by the competent authorities

These authorities must draw up a list of the critical facilities concerned by October 2026 at the latest.

✅ What do affected companies have to do?

As soon as a company is considered a ‘critical facility’, the following obligations apply, among others:

  1. Carry out a risk assessment every 4 years: What hazards can disrupt operations?
  2. Take resilience measures: Organisational, technical and physical (e.g. emergency plans, access controls, redundancies)
  3. Create a resilience plan: Document the risk mitigation and recovery measures.
  4. Appoint a liaison officer: Contact person for authorities
  5. Report security incidents: Within 24 hours of discovery

📆 By when does all this have to be implemented?

The member states – including Germany – have until 17 January 2026 to submit their national implementation strategy. However, companies that fall under the regulation should start preparing for the obligations at an early stage.

🔄 And how does this relate to NIS2?

The CER Directive focuses on physical resilience, while the NIS2 Directive (Directive (EU) 2022/2555) regulates the cyber security of critical facilities. The two directives overlap and are intended to complement each other. In practice, this means a dual responsibility for many companies: physical and digital.

📌 Conclusion

The EU CER Directive marks a paradigm shift: in future, critical facilities will not only be seen as systems worthy of protection, but also as systems that need to be designed to be resilient. Those who analyse risks and derive measures at an early stage will be ahead of the game in the event of an emergency – and meet regulatory requirements at the same time.

Miriam Strauß

Marketing & Communications
Miriam Strauß is engaged daily in the latest developments in AI and marketing and is responsible for communications at Concepture.
