The EU's Critical Entities Resilience Directive (Directive 2022/2557) entered into force on 16 January 2023, replacing the outdated European Critical Infrastructure Directive of 2008. Where its predecessor focused narrowly on physical protection in just two sectors, CER takes a sweeping all-hazards approach across eleven critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food production and distribution. The directive's core demand is straightforward and wide-reaching: critical entities must be capable of preventing, withstanding, responding to, and recovering from disruptions, whether caused by natural disasters, terrorism, cyberattacks or sabotage, with insider threats as the common denominator.
Alongside it, the Network and Information Security Directive (NIS2) focuses on safeguarding and improving cyber resilience for essential and important sectors. Together, the two directives aim to strengthen the physical, digital, and economic resilience of EU member states.
The original transposition deadline for both directives, namely the date by which all member states were supposed to have enacted national legislation, was October 17th, 2024. However, several states (Bulgaria, France, Luxembourg, the Netherlands, Spain, Sweden, and Poland) have not yet transposed the directive into national law. As per the directive, by July 17th, 2026, member states must not only have transposed CER into a national framework, but also have identified which companies are to be designated as critical entities operating within their territories. Subsequently, these companies will have to conduct their own risk assessments and implement mitigation measures to increase resilience against both natural and man-made risks. Upon identification, states will have one month to notify critical entities of their designation, and the entities will then have nine months to carry out a comprehensive risk assessment. The last deadline for designated critical entities to comply with CER requirements is set for May 2027. Failure to comply will result in penalties determined by the transposition law of each country.
The transposition delays described above have not gone unanswered. Following formal letters of notice sent to non-compliant member states in November 2024, and reasoned opinions issued in July 2025, the European Commission referred all seven lagging states to the Court of Justice of the European Union on May 7, 2026, invoking Article 260(3) TFEU to request lump-sum fines and daily financial penalties at the first hearing, without waiting for a second non-compliance ruling. For CISOs and compliance officers at critical infrastructure organisations, this matters beyond the headlines: as member states face mounting financial and political pressure to accelerate transposition, national supervisors will arrive with a tightened mandate, shorter grace periods, and faster designation timelines. Organisations that have not yet begun preparing should not wait for the national law to pass before they do.
The Netherlands is a useful illustration. On April 15th, the Tweede Kamer passed the principal implementing bill of the CER directive, the Wet weerbaarheid kritieke entiteiten (Wwke), with entry into force expected in Q3 2026. The parallel Cyberbeveiligingswet (Cbw), transposing NIS2, is on the same legislative track. The Dutch government has already published a self-evaluation questionnaire to help organisations determine whether they fall within scope of NIS2, and the consistent advice from authorities is not to wait. Once the Wwke enters into force, hundreds of organisations will be brought formally within its scope, and the designation and risk assessment clock begins immediately. Critical entities that have not complied with the requirements when the time is up will incur financial penalties pursuant to the national law.
CER and NIS2 share the same legislative processes and objectives, as both are designed to increase resilience against hybrid threats across the EU. As a result, to avoid duplication, the CER directive does not cover matters already addressed by NIS2, which aims to protect critical digital infrastructure and information systems, or by the Digital Operational Resilience Act (DORA), which focuses specifically on the resilience of financial entities. In addition, the penalty scheme is harmonised. In the NIS2 framework organisations can be classified either as “essential” or “important” entities, with penalties for non-compliance adjusted accordingly. However, any entity deemed critical under CER is automatically designated as “essential” under NIS2, and is therefore subject to the heavier fines.
Thus, even though cybersecurity matters are not explicitly mentioned in the CER directive, compliance with CER necessarily entails compliance with NIS2, de facto forcing organisations to adopt a holistic approach to security and resilience.
Until now, insider risk sat in a regulatory grey zone, deemed too human for IT and too technical for HR. CER and NIS2 together are ending that ambiguity, but they do so in different ways, and understanding the distinction matters for how organisations structure their governance.
Even though the official text of CER does not explicitly use the term insider risk, it describes the concept, noting that “the risk of employees of critical entities or their contractors misusing, for instance, their access rights within the critical entity’s organisation to harm and cause damage is of increasing concern”, given the intrinsic interconnection of European infrastructure and economy. What the text of the CER directive does spell out are the issues that can stem from it, such as sabotage, antagonistic threats, terrorist acts, and hybrid threats. From an insider risk perspective, these problems can be caused by malicious, compromised, or negligent staff, which includes both an organisation's own employees and the contractors or third-party vendors it collaborates with across the supply chain.
The supply chain issue is exactly what the CER directive aims to bring attention to. Following the COVID-19 pandemic, it became apparent how interconnected supply chains are, and how the disruption of one has ripple effects downstream. Something similar is also happening with the current crisis in the Middle East. This reflects the biggest conceptual shift that CER brought about and put into legislation: insider risk should be considered a resilience risk capable of disrupting the provision of essential services. Regulators must now evaluate whether organisations can continue operating during insider-driven disruptions, not only whether they can prevent breaches.
In this context, insider risk is especially relevant as insiders have:
NIS2 reinforces this from a different angle. Under Article 20 of the directive, management bodies are required to approve cybersecurity risk management measures and can be held liable for their organisation's infringements. This means that insider-driven cyber incidents are no longer just a technical problem to be handed to IT; they are becoming a governance matter with accountability at leadership level. When combined with CER's broader resilience obligations, the result is that insider risk can no longer be managed in silos: the physical, digital, human, and operational dimensions must be addressed together, and leadership must own the outcome.
Once designated as a critical entity, an organisation faces a set of concrete, legally binding obligations under the CER directive, including:
While the CER directive does not use the term insider risk, many of the obligations it imposes presuppose an organisation that understands and actively manages the risks posed by those already inside its perimeter. This focus reflects a broader legislative recognition, reinforced by NIS2, that the most consequential disruptions to essential services rarely originate from unknown external actors alone. Supply chain failures, sabotage, and operational incidents with cascading societal impact all share a common thread: they are enabled, accelerated, or amplified by people with legitimate access and trusted roles. For organisations approaching CER compliance, this means that insider risk cannot be treated as a parallel workstream to be addressed once the "core" obligations are satisfied.
Given the focus on insider risk pushed forward by the CER directive, Signpost Six is especially well placed to help organisations proactively address the risks originating from their internal environments and beyond, enhancing overall resilience while achieving legal compliance.
Taking proactive steps to manage insider risk is not just about compliance: it is about safeguarding your organisation's future. Contact Signpost Six to learn how we can help you navigate the complexities of the CER directive and build a more secure, resilient organisation.