As the EU’s CER Directive (Directive 2022/2557 on the Resilience of Critical Entities comes into effect across Member States, organisations in critical sectors face new strategic and operational challenges. While much attention focuses on external threats, like cyberattacks, natural disasters, or supply-chain disruptions, insider risk remains the silent disruptor. Under the CER Directive, addressing internal vulnerabilities is no longer optional; it’s a legal and operational necessity.
While the CER Directive officially entered into application on 18 October 2024, many Member States are still finalising their national transposition, with 24 of the 27 EU countries receiving formal notices from the European Commission in November 2024 for missing the transposition deadline. This implementation landscape underscores the urgency for organisations to begin preparations now, as compliance deadlines will arrive quickly once national frameworks are finalised.
We identified three major challenges related to insider risk to look out for when complying with the CER-Directive. These challenges should play a key role in any organisation’s insider risk approach:
Under the CER Directive, organisations must identify and secure critical roles—those positions that, if compromised, could endanger the continuity of essential services. This requires more than a box-checking exercise. It involves a deep understanding of who holds sensitive knowledge or access, how those roles are supported, and how to mitigate risk without compromising performance. Our insider risk program includes role-based risk analysis, clearance controls, and succession planning to reduce exposure.
Sabotage, particularly when orchestrated from the inside, can have devastating consequences. The CER Directive emphasises the need to safeguard essential operations from both malicious acts and negligent behaviour that could disrupt services. Insider sabotage is uniquely difficult to detect. Employees and contractors often have trusted access, making traditional security measures insufficient. Our insider risk assessments help organisations spot behavioural anomalies, conduct access reviews, and create a layered defence to prevent internal sabotage before it happens.
The directive requires Member States and critical entities to protect employees working in critical positions, especially those exposed to targeted threats or operating in high-risk areas. This goes beyond physical safety—it includes understanding behavioural patterns, addressing burnout, monitoring for insider threats, and proactively managing vulnerabilities that may be exploited. A robust insider risk program supports employee protection by identifying early warning signs that could lead to the critical pathway of insider risk and reducing both intentional and unintentional harm from within.
Compliance with the CER Directive isn’t just about avoiding penalties—it’s about building operational resilience that is sustainable, holistic, and human-focused. Our consulting approach combines risk analysis, behavioural assessment, policy development, and response planning to deliver a full-spectrum insider risk program.
The widespread transposition delays across Member States underscore the complexity of implementing robust insider-risk programmes. However, this transition period offers forward-thinking organisations an opportunity to develop capabilities that exceed compliance requirements and deliver operational-resilience benefits from day one.
As most Member States work through Commission infringement proceedings and finalise national transposition, now is the critical time to get ahead of the curve. Rather than waiting for final national legislation, organisations can begin building the internal awareness, controls, and culture needed to not only meet future requirements but to transform insider risk from a compliance burden into a strategic advantage.
Contact us today to discuss how our tailored insider-risk assessments and programmes can support your compliance and resilience goals.