The CER Directive: New physical security requirements for critical entities
New EU regulations


The EU is now introducing the CER Directive, which imposes extensive requirements for physical security and operational resilience in critical societal sectors. For Norwegian businesses operating in or connected to such sectors, it is important to understand how the directive may affect them.
Published: 09.09.25

While the NIS2 Directive has received a lot of attention for its comprehensive cybersecurity requirements, the EU is now introducing an equally important regulatory framework for physical security and operational resilience: the Critical Entities Resilience Directive (CER Directive 2022/2557), which entered into force in January 2023 and sets requirements that go far beyond digital security.

The directive applies to designated entities in a range of societal sectors, such as energy, transport, banking and finance, health, drinking water, digital infrastructure, and the public sector. For Norwegian entities that operate in such critical sectors, or that supply to entities in them, it is important to understand how the directive will affect their business.

Two directives, one perspective on security

Where NIS2 focuses on cyber threats, the CER Directive addresses physical and operational risks such as natural disasters, sabotage, terrorist attacks, and system failures. Together, these directives constitute the EU's comprehensive approach to the protection of critical infrastructure. The deadline for national implementation in the EU was 17 October 2024, and the European Commission must report on the member states' level of compliance by 17 July 2027.

In Norway, the directive will be implemented into Norwegian law through the EEA Agreement. The timing of when this will happen has not been clarified. For all entities supplying to entities in the EU, the Directive will nevertheless have an impact through the requirements the customer will set.

The purpose of the CER Directive is to ensure the provision of services in the internal market, which are essential for maintaining critical societal functions or economic activities, and to strengthen the resilience of entities providing such services. CER has been expanded to cover as many as 11 sectors with associated subsectors.

Who is designated as critical?

Under the CER Directive, entities within the covered sectors must be designated (identified) as critical by the member state before the obligations apply to them. See the table below.

The identification process follows a two-step model. First, the member states map critical sectors based on the Directive's annexes. Then, entities are assessed against specific threshold criteria, which include:

  • the number of users affected in the event of a lapse,
  • economic and social significance,
  • market share,
  • geographical coverage, and not least
  • interdependence with other sectors

This systematic approach ensures that the authorities identify entities that are truly critical to the functioning of society, not just major market players in general.

The table below shows which sectors are covered by CER, with a comparison with NIS2.

SECTOR | CER (Annex I) | NIS2 (Annex I & II) | DIFFERENCES
Energy | Electricity, oil, gas, hydrogen | Same + district heating/cooling | NIS2 includes district heating
Transport | Air, rail, water, road, public transport | Air, railway, water, road | CER covers public transport
Banking/Finance | Banks, financial markets | Same | Identical coverage
Health | Healthcare, pharmaceuticals, medical devices | Same + distribution license holders | CER covers distribution license holders
Water | Drinking water, wastewater | Same | Identical coverage
Digital infrastructure | IXP, DNS, TLD, cloud, data center, CDN | Same + trust services | NIS2 includes trust services
Public management | Central | Same + regional management | NIS2 covers regional management
Space | Ground-based infrastructure | Same | Identical coverage
Food | Production, processing, distribution | Same | Identical coverage
Chemicals | Not covered | Production, distribution | Only in NIS2
Waste | Not covered | Waste management covered in NIS2 | CER has wider coverage
Post/courier | Not covered | Covered in NIS2 | Only in NIS2
Industrial production | Not covered | Covered in NIS2 | Only in NIS2

Chemicals are not listed as a critical sector in CER, but companies that supply chemicals can still be "indirectly" identified as a critical entity if they provide services or products to designated CER entities, such as drinking water or health.

Surprisingly, industrial production is also not covered directly by CER.

Specific obligations and standards

Entities that are identified as critical entities must implement comprehensive measures to ensure resilience based on a risk assessment. This involves not just a traditional risk assessment, but general analyses that cover all relevant threats – from extreme weather to hybrid attacks. The requirements are listed in six groups, with a focus on preventing and responding to physical incidents. Based on the analysis, a resilience plan will be prepared and documented.

The countries must encourage the use of established European and international standards. ISO 22301 for Business Continuity Management will be central, along with ISO 31000 for risk management and ISO/IEC 27001 for information security (the latter of which overlaps with NIS2).

Background check

The Directive also allows for background checks of personnel who hold sensitive roles, who operate operational systems, or who are being considered for such employment. Certain conditions must be met.

Supply chain requirements

A particularly important aspect is the requirements for supply chain security. The entities must map critical suppliers, establish contingency plans in the event of supplier failure, and identify alternative supply chains. This means that Norwegian subcontractors to EU-based critical entities may be subject to extensive documentation and security requirements, even if they themselves are not directly covered by the Directive.

Incident reporting becomes mandatory, with strict deadlines and detailed requirements for what must be reported. The authorities will have expanded supervisory and control options, including the possibility of on-site inspections and orders for corrective measures.

Implementation status in Europe

So far, Denmark, Estonia, Greece, Hungary, Ireland, Italy, Lithuania, Portugal, Romania, Slovakia, and Slovenia appear to have adopted the national implementing act, so that CER will apply in these countries.

Why Norwegian businesses should act now

Even without formal EEA implementation, many Norwegian companies will feel the consequences. Entities with subsidiaries or branches in the European Union must comply with the requirements directly. Suppliers to EU-based critical entities are likely to face strict contractual requirements for resilience and documentation. Market access may be conditional on compliance, particularly in regulated sectors such as energy and transport.

Waiting for potential Norwegian implementation may lead to competitive disadvantages and increased implementation costs.

The minimum level of sanctions is not specified in the Directive but will be determined by the individual countries.

Action points for the businesses

Immediate measures:

  • Appoint a person responsible for security in the business, if not already done
  • Carry out an assessment of whether the business can be defined as critical, based on the criteria of the Directive
  • Map exposure via EU operations and supplier and customer relationships
  • Review and update existing vendor agreements with focus on resilience

Preparations by 2025:

  • Conduct risk assessments in line with ISO 31000
  • Establish incident reporting procedures that meet the requirements of the Directive
  • Update contingency plans to meet ISO 22301 standard

Towards the compliance deadline in 2026:

  • Document and test resilience objectives
  • Carry out full-scale emergency preparedness exercises
  • Establish continuous improvement of resilience systems

The CER Directive represents a paradigm shift in how we think about critical infrastructure. From a focus on reactive crisis management, we are moving towards proactive resilience. For Norwegian businesses, this means that preparations should start now – regardless of when and how Norway implements the Directive.

Do you have questions related to the regulations? Contact Kristian Foss at Bull.
