The CER Directive (Critical Entities Resilience Directive) is a new European Union legislation that focuses on strengthening the resilience of critical operations and infrastructures against physical threats. This directive is part of the EU's wider security strategy and works alongside the NIS2 directive on cyber security, but focuses specifically on physical security threats such as terrorist attacks, natural disasters and serious accidents. The deadline for incorporating the CER directive into national legislation ended on October 17, 2024, but as with the NIS2 directive, the confirmation of the directive has been delayed in Finland.

Key points of the CER Directive:

• Broader protection for critical sectors: he directive covers several critical sectors such as energy, transport, healthcare, water, food, banking and finance. The goal is to guarantee that these vital services can withstand potential disruptions and are able to recover from them quickly.
• Risk management and preparedness: Organizations need to assess risks and improve their capabilities to protect against physical threats. This includes regular risk analysis and updating contingency plans.
• Cooperation and coordination: The directive promotes cooperation and information exchange between EU member states to protect critical infrastructures. The goal is to achieve a consistent level of protection throughout the EU and enables member states to support each other in crisis situations.
• Supervision and sanctions: Monitoring compliance with the directive remains the responsibility of the member states, and they have the right to impose sanctions or other sanctions if critical organizations do not comply with the requirements.
• Connection to the NIS2 Directive: The CER directive complements the NIS2 directive by providing a physical security perspective, while NIS2 focuses on cyber security. This ensures comprehensive protection against both digital and physical threats.

Meaning for organizations: The CER directive sets higher requirements for operators in critical sectors, who are expected to have enhanced physical security and immunity to disturbances. This requires investment in improving infrastructure and control systems, as well as constant preparation and training. The goal of the CER directive is to ensure that the critical functions and services on which the operation of society relies are also protected from physical threats, and that they can continue or recover quickly in the event of a disturbance.

The CER directive complements the NIS2 directive by providing a physical security perspective, while NIS2 focuses on cyber security. This ensures comprehensive protection against both digital and physical threats.

If you need help with the challenges and requirements brought by the CER Directive, please contact:

mikko.uronen@unax.fi / 040 770 1453

Also read: CER-direktiivi