The CER Directive has a date on it now, and it is close. By 17 July 2026, every EU member state must finish identifying which organizations on its territory count as critical entities. If your firm operates essential infrastructure in energy, transport, water, health, or one of the other sectors in the Annex, that identification decision is happening with or without your input. The notification that follows starts a clock you cannot reset.
This is the moment the Critical Entities Resilience Directive stops being a national-framework exercise and becomes an operator obligation. The supervision powers, the resilience plan, the incident notification timing, the background-check regime — all of it switches on for designated entities on a fixed schedule after you are named. Here is what changed, what triggers it, and how fast the obligations land.
What is the CER Directive, and how is it different from NIS2?
The CER Directive is the EU's physical-resilience counterpart to NIS2. Where NIS2 governs cybersecurity, CER governs the ability of an entity to prevent, resist, absorb, and recover from incidents that disrupt essential services — physical attacks, sabotage, natural disasters, public-health emergencies, and other antagonistic threats. The directive defines resilience as a critical entity's ability to "prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident."
The two regimes are deliberately separated at the legal level. The CER Directive states it does not apply to matters already covered by the NIS2 Directive, and it requires member states to implement both in a coordinated manner because of the relationship between physical security and cybersecurity. That coordination is not optional. Competent authorities under each regime are directed to cooperate and exchange information on both cyber and non-cyber risks.
So the CER Directive NIS2 overlap is real, but it is structured rather than redundant: NIS2 covers your cyber posture, CER covers your physical and organisational resilience, and the two competent-authority tracks are meant to talk to each other about the same entity.
Who gets designated a critical entity, and what triggers the 17 July 2026 deadline?
By 17 July 2026, each member state must identify the critical entities for the sectors and subsectors in the Annex. That is the hard deadline, set in the identification article.
A member state applies three criteria together. The entity provides one or more essential services. The entity operates, and its critical infrastructure is located, on the territory of that member state. And an incident affecting the entity would have significant disruptive effects on the provision of those essential services. The significance test itself turns on factors like the number of users relying on the service, cross-sector dependencies, the geographic area affected, and the availability of alternatives.
You do not designate yourself. The member state does it, using its own national risk assessment and strategy. But once it makes the list, it must notify each identified entity that it has been designated a critical entity within one month of that identification. That notification is the event that matters. It tells you your obligations under Chapters III and IV and the date from which they apply.
One important carve-out: entities the member state identifies in the banking, financial market infrastructure, and digital infrastructure sectors are designated, but Chapters III, IV, and VI do not apply to them under the directive. Member states must inform those entities that they carry no obligations under those chapters unless national measures provide otherwise. If you are a bank or an FMI operator, you can still be named — but your CER operational obligations are generally displaced.
Once you're notified, what is the 10-month clock to Chapter III obligations?
Here is the part to put on the wall. For the critical entities concerned, Chapter III applies from 10 months after the date of the designation notification. That is stated directly in the identification article.
Chapter III is where the operator obligations live: the critical entity risk assessment, the resilience measures, the resilience plan, the liaison officer, and incident notification. The 10-month clock is not from 17 July 2026 — it runs from the date your member state notifies you. If a national authority is slow to identify and notify, your clock starts later. If it moves fast, your clock starts sooner. Either way, the gap between "you have been named" and "your obligations are enforceable" is 10 months, and it is fixed.
That window is short for what it asks. You are expected to have assessed your risks, documented resilience measures across physical and organisational domains, and stood up an incident-notification capability — all before the clock expires.
What does the critical entity risk assessment have to cover — and why nine months?
The directive sets a tighter internal deadline inside the 10-month window. Notwithstanding the Chapter III application date, member states must ensure that critical entities carry out a risk assessment within nine months of receiving the designation notification. That is the critical entity risk assessment, and it then repeats whenever necessary and at least every four years.
So you have nine months to complete the assessment and 10 months before the broader obligations bite. The one-month difference is deliberate: the assessment is the input to everything else, so the directive front-loads it.
The critical entity risk assessment must account for all relevant natural and man-made risks that could lead to an incident — including cross-sectoral and cross-border risks, accidents, natural disasters, public-health emergencies, and hybrid or other antagonistic threats. It must also weigh how much other sectors depend on your essential service and how much you depend on services provided by others, including in neighbouring member states and third countries. If you have already done equivalent risk work under other legal acts, the directive lets you reuse those assessments and documents to meet the requirement, and a competent authority can declare an existing assessment compliant in whole or in part.
Which technical, security, and organisational resilience measures must your resilience plan document?
Once the assessment is done, the resilience measures article requires appropriate and proportionate technical, security, and organisational measures, based on both the member state risk assessment and the outcomes of your own. The directive names the categories your measures must address:
→ Prevent incidents from occurring, taking disaster risk reduction and climate adaptation into account → Ensure adequate physical protection of premises and critical infrastructure — fencing, barriers, perimeter monitoring, detection equipment, access controls → Respond to, resist, and mitigate the consequences of incidents through crisis-management procedures and alert routines → Recover from incidents through business continuity measures and the identification of alternative supply chains → Ensure adequate employee security management, including categories of personnel in critical functions, access rights, and background-check procedures → Raise awareness among relevant personnel through training, materials, and exercises
These measures must be captured in a resilience plan or equivalent document or documents describing what was done. The directive again allows reuse: if you have drawn up documents or taken measures under other legal acts that are relevant, you can use them, and the competent authority can declare existing measures compliant in whole or in part. You must also designate a liaison officer or equivalent as the point of contact with the competent authority.
How fast must you notify an incident, and what counts as a significant disruption?
The incident notification article is precise on timing, and it is worth getting the figure right. Critical entities must notify the competent authority without undue delay of incidents that significantly disrupt or have the potential to significantly disrupt essential services. Unless operationally unable to do so, the entity must submit an initial notification no later than 24 hours after becoming aware of the incident, followed where relevant by a detailed report no later than one month thereafter.
So the 24-hour incident notification is the initial-report deadline, with a one-month detailed follow-up. That is the figure to plan against.
What counts as a significant disruption turns on three parameters in particular: the number and proportion of users affected, the duration of the disruption, and the geographical area affected, taking into account whether that area is geographically isolated. There is also a cross-border escalation trigger — where an incident has or might have a significant impact on the continuity of essential services to or in six or more member states, the competent authorities of the affected member states must notify the Commission.
Notifications must include the information needed for the authority to understand the nature, cause, and possible consequences of the incident, including any cross-border impact. The directive also states that making a notification does not subject the critical entity to increased liability.
What can competent authorities demand in supervision, audits, and enforcement?
The supervision powers are broad. Competent authorities must have the power and means to conduct on-site inspections of critical infrastructure and the premises used to provide essential services, to carry out off-site supervision of the resilience measures taken, and to conduct or order audits of critical entities.
They can require the entity to provide the information needed to assess whether its resilience measures meet the requirements, along with evidence of effective implementation — including the results of an audit conducted by an independent and qualified auditor, selected by the entity and at the entity's own expense. Following supervision, an authority can order the entity to take necessary and proportionate remedial measures within a set time limit and to report back on what it did.
On penalties, the directive does not set a single EU-wide figure. It requires member states to lay down rules on penalties that are effective, proportionate, and dissuasive. The specific amounts are a matter for national transposition, so the exposure varies by jurisdiction.
How do background checks under Article 14 interact with GDPR and national law?
Employee security management is one of the named resilience measures, and the background-check article governs how it is done. Member states specify the conditions under which a critical entity may, in duly reasoned cases, request background checks on people who hold sensitive roles, who are authorised to access premises, information, or control systems, or who are under consideration for such positions.
These requests must be processed in accordance with national law and applicable Union law, expressly including the GDPR and the Law Enforcement Directive (Directive (EU) 2016/680). Background checks must be proportionate and strictly limited to what is necessary, carried out for the sole purpose of evaluating a potential security risk to the critical entity. At minimum, a check corroborates the person's identity and checks criminal records for offences relevant to a specific position, using the European Criminal Records Information System where relevant.
The directive is also explicit that it is without prejudice to Union law on the protection of personal data, naming the GDPR specifically. So the employee-vetting obligation does not override data-protection law — it has to be built inside it.
Map it once, against everything you already do
The CER Directive does not arrive on a blank slate. If you are already inside NIS2 and DORA, much of your risk assessment, business continuity, and incident-handling work is reusable — and the directive explicitly permits that reuse. The hard part is seeing where the obligations overlap, where CER adds genuinely new physical-resilience requirements, and where the 24-hour notification and nine-month assessment clocks sit against deadlines you are already tracking.
That is exactly the problem one organizational profile solves. Map the CER Directive's resilience obligations against your existing NIS2 and DORA posture in one organizational profile at aegis-grc.com. Every obligation is source-grounded — traced to a verbatim quote from the legal text, with article-level citation. No AI hallucinations. When a member state finishes its identification round, your file updates before your board starts asking questions. Answer once. Assess everything.
See how Aegis maps operational resilience, NIS2, and incident reporting into a single posture.
FAQ: CER Directive transposition, scope, and overlap with NIS2
When was the CER Directive supposed to be transposed into national law? Member states were required to adopt and publish the national measures by 17 October 2024 and to apply them from 18 October 2024. The 17 July 2026 deadline is separate — it is the date by which member states must finish identifying their critical entities.
Does being designated a critical entity automatically mean I have CER operational obligations? Not always. Entities identified in the banking, financial market infrastructure, and digital infrastructure sectors are designated but, under the directive, Chapters III, IV, and VI do not apply to them unless national measures provide otherwise. For other sectors, Chapter III obligations apply from 10 months after notification.
How does the CER Directive NIS2 overlap actually work? The CER Directive does not apply to matters covered by NIS2, and the two must be implemented in a coordinated manner. NIS2 governs cybersecurity; CER governs physical and organisational resilience. Competent authorities under the two regimes are required to cooperate and exchange information about the same entities.
Is the incident notification deadline really 24 hours? The initial notification is due no later than 24 hours after the entity becomes aware of the incident, unless it is operationally unable to do so. A more detailed report follows no later than one month thereafter. The 24-hour figure is the first-report deadline, not the full reporting obligation.


