
CER Directive (EU) 2022/2557 Explained: EU Rules for Critical Entity Resilience

Signpost Six

The EU's Critical Entities Resilience Directive (Directive 2022/2557) entered into force on 16 January 2023, replacing the outdated European Critical Infrastructure Directive of 2008. Where its predecessor focused narrowly on physical protection in just two sectors, CER takes a sweeping all-hazards approach across eleven critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food production and distribution. The directive's core demand is straightforward and wide-reaching: critical entities must be capable of preventing, withstanding, responding to, and recovering from disruptions, whether caused by natural disasters, terrorism, cyberattacks, sabotage, or, as a common denominator across all of these, insider threats.

Alongside it, the Network and Information Security Directive (NIS2) focuses on safeguarding and improving cyber resilience for essential and important sectors. Together, the two directives aim to strengthen the physical, digital, and economic resilience of EU member states.

[Figure: CER directive and NIS 2]

The original transposition deadline for both directives, namely the date by which all member states were supposed to have enacted national legislation, was October 17th, 2024. However, several states (Bulgaria, France, Luxembourg, the Netherlands, Spain, Sweden, and Poland) have not yet transposed the directive into national law. As per the directive, by July 17th, 2026, member states must not only have transposed CER into a national framework, but also have identified which companies are to be designated as critical entities operating within their territories. Subsequently, these companies will have to conduct their own risk assessments and implement mitigation measures to increase resilience against both natural and man-made risks. Upon identification, states will have one month to notify critical entities of their designation, and the entities will then have nine months to carry out a comprehensive risk assessment. The last deadline for designated critical entities to comply with CER requirements is set for May 2027. Failure to comply will result in penalties determined by the transposition law of each country.

Enforcement is already underway

The transposition delays described above have not gone unanswered. Following formal letters of notice sent to non-compliant member states in November 2024, and reasoned opinions issued in July 2025, the European Commission referred all seven lagging states to the Court of Justice of the European Union on May 7, 2026 – invoking Article 260.3 TFEU to request lump-sum fines and daily financial penalties at the first hearing, without waiting for a second noncompliance ruling. For CISOs and compliance officers at critical infrastructure organisations, this matters beyond the headlines: as member states face mounting financial and political pressure to accelerate transposition, national supervisors will arrive with a tightened mandate, shorter grace periods, and faster designation timelines. Organisations that have not yet begun preparing should not wait for the national law to pass before they do.

The Netherlands is a useful illustration. On April 15th, the Tweede Kamer passed the principal implementing bill of the CER directive – the Wet weerbaarheid kritieke entiteiten (Wwke) – with entry into force expected in Q3 2026. The parallel Cyberbeveiligingswet (Cbw), transposing NIS2, is on the same legislative track. The Dutch government has already published a self-evaluation questionnaire to help organisations determine whether they fall within the scope of NIS2, and the consistent advice from the authorities is not to wait. Once the Wwke enters into force, hundreds of organisations will be brought formally within its scope, and the designation and risk assessment clock begins immediately. Critical entities that have not complied with the requirements when the time is up will incur financial penalties pursuant to the national law.

CER and NIS2 share the same legislative processes and objectives, as both are designed to increase resilience against hybrid threats across the EU. As a result, to avoid duplication, the CER directive does not cover matters already addressed by NIS2, which aims to protect critical digital infrastructure and information systems, or by the Digital Operational Resilience Act (DORA), which focuses specifically on the resilience of financial entities. In addition, the penalty scheme is harmonised. In the NIS2 framework, organisations can be classified either as “essential” or “important” entities, with penalties for non-compliance adjusted accordingly. However, any entity deemed critical under CER is automatically designated as “essential” under NIS2, and is therefore subject to the heavier fines.

Thus, even if cybersecurity matters are not explicitly mentioned in the CER directive, compliance with CER necessarily entails compliance with NIS2, de facto forcing organisations to adopt a holistic approach to security and resilience.

[Figure: CER visual]

How do CER and NIS2 impact insider risk?

Until now, insider risk sat in a regulatory grey zone, deemed too human for IT and too technical for HR. CER and NIS2 together are ending that ambiguity, but they do so in different ways, and understanding the distinction matters for how organisations structure their governance.

Even though the official text of CER does not explicitly use the term insider risk, it describes the concept when it states that “the risk of employees of critical entities or their contractors misusing, for instance, their access rights within the critical entity’s organisation to harm and cause damage is of increasing concern”, given the intrinsic interconnection of European infrastructure and economy. What the text of the CER directive does spell out are the several harms that can derive from it, such as sabotage, antagonistic threats, terrorist acts, and hybrid threats. From an insider risk perspective, these problems can be caused by malicious, compromised, or negligent staff, which includes both the employees of an organisation and the contractors or third-party vendors it collaborates with across the supply chain.

The supply chain issue is exactly what the CER directive aims to bring attention to. Following the COVID-19 pandemic, it became apparent how interconnected supply chains are, and how the disruption of one has ripple effects downstream. Something similar is also happening with the current crisis in the Middle East. This reflects the biggest conceptual shift that CER brought about and put into legislation, namely that insider risk should be treated as a resilience risk capable of disrupting the provision of essential services. Regulators must now evaluate whether organisations can continue operating during insider-driven disruptions, not merely whether they can prevent breaches.

In this context, insider risk is especially relevant as insiders have:

  • Privileged access: employees or contractors working in critical entities can easily bypass all security measures meant to keep external actors at bay.
  • Potential for impact: insiders amplify risks, as an internally-caused incident has the potential to cause widespread disruption, financial losses, and reputational damage.
  • Regulatory compliance: beyond the harm deriving directly from an individual’s actions, the lack of measures in place to prevent or contain the risk can expose the organisation to significant fines, as outlined by CER and NIS2.

NIS2 reinforces this from a different angle. Under Article 20 of the directive, management bodies are required to approve cybersecurity risk management measures and can be held liable for their organisation's infringements. This means that insider-driven cyber incidents are no longer just a technical problem to be handed to IT, but they are becoming a governance matter with accountability at leadership level. When combined with CER's broader resilience obligations, the result is that insider risk can no longer be managed in silos: the physical, digital, human, and operational dimensions must be addressed together, and leadership must own the outcome.


What should organisations do?

Once designated as a critical entity, an organisation faces a set of concrete, legally binding obligations under the CER directive, including:

  • Conduct a risk assessment: critical entities must carry out risk assessments whenever necessary in view of their particular circumstances and the evolution of risks and, in any event, every four years, in order to assess all relevant risks that could disrupt the provision of their essential services. This covers both natural and man-made threats, including cross-sector and cross-border dependencies. The first risk assessment is due within nine months after receiving notification of having been designated as a critical entity.
  • Take all necessary and proportionate measures to ensure resilience, namely:
    • Prevent incidents from occurring
    • Ensure adequate physical protection of their premises
    • Respond to, resist, and mitigate the consequences of incidents through risk management programmes
    • Recover from incidents, safeguarding business continuity, and considering the identification of alternative supply chains
    • Ensure adequate employee security management, including measures such as privileged access rights and background checks
    • Raise awareness about the measures in the points above among the necessary staff.

While not calling it insider risk, many of the obligations imposed by the CER directive presuppose an organisation that understands and actively manages the risks posed by those already inside its perimeter. This focus reflects a broader legislative recognition, reinforced by NIS2, that the most consequential disruptions to essential services rarely originate from unknown external actors alone. Supply chain failures, sabotage, and operational incidents with cascading societal impact all share a common thread: they are enabled, accelerated, or amplified by people with legitimate access and trusted roles. For organisations approaching CER compliance, this means that insider risk cannot be treated as a parallel workstream to be addressed once the "core" obligations are satisfied.

How can Signpost Six help?

Given the focus on insider risk pushed forward by the CER directive, Signpost Six is especially well placed to help organisations proactively address the risks originating from their internal environments and beyond, enhancing overall resilience while achieving legal compliance.

Providing insider risk assessments

  • In-depth analysis: Conduct thorough assessments to identify potential insider risks within your organisation, examining both human and technical factors.
  • Insider risk mitigation strategies: Develop actionable plans to address identified vulnerabilities, including recommendations for technology solutions and process improvements.
  • Continuous monitoring: Implement systems for ongoing assessment and improvement of insider risk management practices.

Expertise in insider risk programmes

  • Tailored solutions: Signpost Six offers customised insider risk programmes that align with your organisation's specific needs and the requirements of the CER directive.
  • Comprehensive training: Equip your staff with the knowledge and skills to recognise and mitigate insider threats through specialised training programmes.
  • Policy development: Assist in creating and refining policies and procedures that address insider risk, ensuring they meet regulatory standards and best practices.

Benefits of partnering with Signpost Six

  • Stay ahead of compliance: By addressing insider risk now, you position your organisation to meet CER requirements ahead of time.
  • Enhance organisational resilience: Strengthen your defences against both intentional and unintentional insider threats.
  • Expert guidance: Leverage the expertise of professionals dedicated to insider risk management and critical infrastructure protection.

Get started today

Taking proactive steps to manage insider risk is not just about compliance – it is about safeguarding your organisation's future. Contact Signpost Six to learn how we can help you navigate the complexities of the CER directive and build a more secure, resilient organisation.
