The EU CER Directive: Why Physical Resilience Has Its Own Law Now
CER Directive 2022/2557, resilience plans, parallel to NIS2. The directive nobody talks about that mandates physical resilience.

Dr. Raphael Nagel
July 4, 2025

Resilience, in the language of European law, is no longer a metaphor. It is a defined obligation, with named entities, named risks, named plans, and named penalties.
The CER Directive, formally Directive (EU) 2022/2557 on the resilience of critical entities, is the quieter sibling of NIS2. It received a fraction of the attention, generated a fraction of the consultancy briefings, and produced almost none of the boardroom alarm that its cyber counterpart triggered. That asymmetry of attention is not a reflection of asymmetry of importance. It is a reflection of how operators tend to think about risk. Cyber feels new, urgent, and reportable. Physical feels old, familiar, and absorbed into existing security budgets. The directive corrects that bias by force of law.
This article reads CER from the perspective of the manufacturer. Not as a compliance text to be summarised, but as a structural change in how operators of critical infrastructure are required to think about fences, doors, perimeters, substations, water pumps, rail corridors, hospital generators, and the technology that protects them. The frame is operator to operator. The conclusions are not legal advice.
What the directive actually changes
CER replaces the 2008 European Critical Infrastructure Directive (Directive 2008/114/EC), which was narrow in scope and limited in ambition. The 2008 text covered only energy and transport, focused mainly on cross-border effects, and left member states wide discretion in implementation. CER expands the scope to eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food. It introduces a uniform definition of critical entities. It requires member states to identify those entities by 17 July 2026 and to maintain a national resilience strategy.
The substantive change sits in the obligations placed on the entities themselves. A designated critical entity must conduct a risk assessment within nine months of notification, must adopt technical, security and organisational measures proportionate to the identified risks, must report significant incidents, must designate a liaison officer for the competent authority, and must accept on-site inspections. The directive is explicit that the measures cover physical protection against intrusion, sabotage, terrorism, insider threats, natural hazards, and hybrid threats. It is not a cyber directive with a physical chapter appended. It is a physical resilience directive with a cyber awareness clause.
The shift in baseline matters. Before CER, physical security at a substation or a water plant was governed by national rules, sectoral codes, insurer requirements, and operator discretion. The result was a patchwork. A German energy operator and a Spanish water utility could face entirely different expectations for perimeter design, intrusion detection, response time, and incident reporting. CER replaces the patchwork with a floor. Above the floor, member states remain free to set higher standards. Below the floor, no member state may go. Operators with multinational footprints will find this consolidating effect either helpful or expensive, depending on where their current practice sits.
Resilience defined, not assumed
The directive does something unusual for European legislation. It defines resilience operationally. Article 2(6) frames resilience as the ability of a critical entity to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident. Eight verbs. Each verb implies a different capability, a different investment, and a different evidence base. An operator that can protect but cannot recover is not resilient. An operator that can absorb a single incident but cannot accommodate a sequence of them is not resilient. The eight verbs are a checklist masquerading as a definition.
The practical consequence is that resilience plans under CER cannot be reduced to a perimeter drawing and a guard contract. They must demonstrate capability across the full lifecycle of an incident. Prevention covers threat assessment, deterrent design, access management, and personnel screening. Protection covers barriers, detection, surveillance, and intervention. Response covers alerting, escalation, coordination with public authorities, and continuity of essential services. Recovery covers restoration of function, lessons learned, and adaptation. Each phase requires its own documentation, its own training, and its own test regime.
For manufacturers of physical security technology, this definition is operationally useful. It tells the buyer what the buyer needs to be able to show. A camera that records is not enough. A camera connected to an analytics layer that classifies, a workflow that escalates, a log that survives audit, an intervention path that has been timed, and a recovery procedure that has been rehearsed, taken together, begin to constitute the evidence base that an inspector will ask for. Equipment sold without that surrounding architecture meets a procurement need, not a compliance need. The market has not finished adjusting to that distinction. BOSWAU + KNAUER. From Building to Security Technology argues that this is the structural reason traditional security suppliers are being outflanked by integrators who build platform logic into the product from the first day.
Parallel to NIS2, not subordinate
NIS2, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity, was adopted on the same day as CER. The two texts are explicitly designed to operate together. NIS2 governs cybersecurity. CER governs physical and organisational resilience. The same entity may fall under both directives, and the link is not accidental: NIS2 provides that an entity identified as critical under CER is treated as an essential entity under NIS2 regardless of its size, so a CER designation carries the cyber obligations with it. The two regimes are intended to be complementary, with coordinated reporting, coordinated authorities, and coordinated incident notification.
In practice, the coordination is imperfect. Member states have implemented NIS2 and CER through separate transpositions, often with different deadlines, different competent authorities, and different sectoral scopes. An energy operator in one country may report a cyber incident to one agency and a physical incident to another, with overlap in cases where the incident has both dimensions. The directive anticipates this by requiring member states to ensure cooperation between the two authority lines. Operators should not assume that the cooperation is seamless in their jurisdiction. It usually is not.
The deeper risk is that operators allocate resources asymmetrically between the two regimes. NIS2 has higher public visibility, attracts more board attention, and produces more vendor pressure. CER risks being treated as the lesser obligation, handled by the existing physical security team with the existing budget. That is a strategic misreading. CER itself leaves the penalty framework to national law, requiring only that penalties be effective, proportionate and dissuasive; several member states have chosen administrative fines expressed as a percentage of annual turnover, comparable to the NIS2 ranges. The reputational exposure from a physical incident at a designated critical entity is at least as severe as that from a cyber incident, and often more visible to the public. A water utility that loses pressure because a pumping station was sabotaged generates news coverage that a ransomware event rarely matches. The directive equalises the legal exposure. The market has not yet equalised the budget response.
None of this means operators start from a blank sheet. ISO 27001, IEC 62443, NIST CSF 2.0 and NIST SP 800-53 all provide structured frameworks that can be mapped to CER obligations, particularly on the organisational and risk management side. ASIS International publishes physical security standards that operators are increasingly using as evidence baselines. CISA in the United States and the BSI in Germany have published guidance that aligns with the directive's logic on protective measures and resilience testing. None of these frameworks is mandated by CER. All of them are accepted as evidence that the operator has thought structurally about the problem.
What inspectors will actually look at
The directive empowers competent authorities to conduct on-site inspections and to require operators to provide evidence of compliance. The inspection regime is the part of the text that operators tend to read last and that determines, in practice, whether their preparation has been adequate. Inspectors are not auditors in the financial sense. They are not checking a balance sheet. They are checking whether the resilience plan exists, whether it has been tested, whether incidents have been logged, and whether the operator can demonstrate the eight verbs of resilience in concrete terms.
A resilience plan that exists only as a document fails on first contact with inspection. Inspectors ask to see the log of the last drill. They ask to see the incident register. They ask to interview the designated liaison officer. They ask to walk the perimeter. They ask to see the maintenance records for the detection systems. They ask how the operator confirmed that a particular alarm chain works at three in the morning on a Sunday, not at two in the afternoon on a Wednesday. The gap between a plan that looks good on paper and a plan that holds under inspection is measured in operational discipline, not in document quality.
The technology layer is where many operators are vulnerable. A perimeter intrusion detection system that has not been calibrated since installation. A camera array with three out of twelve units offline and no service ticket. An access control database that still contains former employees. A mobile patrol record that shows identical timestamps every night for six months. Each of these is a finding. None of them is unusual. The inspector's job is not to be impressed by the brochure. It is to find the gaps between the brochure and the operation. The directive's enforcement model assumes that gaps will be found and that the operator will be required to close them within defined timelines. Repeat findings escalate to penalties.
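Each of the findings above is visible in data the operator already holds: a device inventory, a ticket queue, the access-control database, the HR leaver list, and the patrol log. The following script is an added example, not code from the original article or from any vendor mentioned on this page. It runs the four checks over constructed records (all names, badge numbers, ticket IDs, dates, the 365-day calibration interval and the seven-night repetition threshold are assumptions made up for the illustration) and returns the same findings an inspector would raise, so that the operator finds them first.

```python
"""Evidence checks an operator can run before the inspector does.

Added example with constructed data; not from the article or any product.
Thresholds (calibration interval, repetition threshold) are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

AS_OF = date(2025, 7, 4)                    # reporting date (assumption)
CALIBRATION_INTERVAL = timedelta(days=365)  # assumed contractual interval
MIN_NIGHTS = 7                              # assumed threshold for a suspicious run

# Constructed device inventory (not real data).
DEVICES = [
    {"id": "CAM-01", "online": True,  "last_calibrated": date(2025, 3, 1),   "ticket": None},
    {"id": "CAM-02", "online": False, "last_calibrated": date(2025, 3, 1),   "ticket": "SVC-4417"},
    {"id": "CAM-03", "online": False, "last_calibrated": date(2025, 3, 1),   "ticket": None},
    {"id": "PIDS-1", "online": True,  "last_calibrated": date(2023, 11, 20), "ticket": None},
]

# Constructed access-control accounts and HR leaver list (not real data).
ACCESS_ACCOUNTS = [
    {"badge": "B1001", "holder": "a.mueller", "active": True},
    {"badge": "B1002", "holder": "k.schmidt", "active": True},
    {"badge": "B1003", "holder": "j.weber",   "active": False},
]
HR_LEAVERS = {"a.mueller": date(2025, 2, 28), "j.weber": date(2024, 12, 31)}

# Constructed mobile patrol log: (night, checkpoint, "HH:MM") (not real data).
PATROL_LOG = (
    [(date(2025, 6, 1) + timedelta(days=n), "Gate-North", "02:00") for n in range(10)]
    + [(date(2025, 6, 1) + timedelta(days=n), "Substation-East", t)
       for n, t in enumerate(["02:14", "02:31", "01:58", "02:22", "02:07",
                              "02:40", "02:03", "02:19", "02:27", "02:11"])]
)


def offline_without_ticket(devices):
    """Devices that are offline and have no open service ticket."""
    return [d["id"] for d in devices if not d["online"] and d["ticket"] is None]


def calibration_overdue(devices, as_of=AS_OF, interval=CALIBRATION_INTERVAL):
    """Devices whose last calibration is older than the agreed interval."""
    return [d["id"] for d in devices if as_of - d["last_calibrated"] > interval]


def leavers_with_active_access(accounts, leavers, as_of=AS_OF):
    """Active badges still held by people HR recorded as having left."""
    return [a["badge"] for a in accounts
            if a["active"] and a["holder"] in leavers and leavers[a["holder"]] < as_of]


def repeated_patrol_times(log, min_nights=MIN_NIGHTS):
    """Checkpoints logged at exactly the same clock time on min_nights or more
    distinct nights; genuine patrols do not produce that pattern."""
    by_checkpoint = defaultdict(Counter)
    for night, checkpoint, hhmm in set(log):      # dedupe repeated entries
        by_checkpoint[checkpoint][hhmm] += 1
    return sorted(cp for cp, times in by_checkpoint.items()
                  if max(times.values()) >= min_nights)


def findings(devices=DEVICES, accounts=ACCESS_ACCOUNTS, leavers=HR_LEAVERS,
             log=PATROL_LOG, as_of=AS_OF):
    """Map finding category -> affected identifiers; empty categories omitted."""
    result = {
        "offline_without_ticket": offline_without_ticket(devices),
        "calibration_overdue": calibration_overdue(devices, as_of),
        "leavers_with_active_access": leavers_with_active_access(accounts, leavers, as_of),
        "repeated_patrol_times": repeated_patrol_times(log),
    }
    return {k: v for k, v in result.items() if v}


if __name__ == "__main__":
    for category, ids in findings().items():
        print(f"{category}: {', '.join(ids)}")
```

On the constructed data the script flags CAM-03 (offline, no ticket), PIDS-1 (calibration overdue), badge B1001 (holder left in February but still active) and the Gate-North checkpoint (identical 02:00 stamp on ten consecutive nights), while the ticketed CAM-02 and the varying Substation-East times pass. Run against the real inventory, ticket export and patrol log on a schedule, the output is the log an inspector asks for, and the reason the findings are already closed when they ask.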
Manufacturers who build for inspection rather than for demonstration produce different equipment. Logging that survives subpoena. Calibration cycles that are documented automatically. Maintenance intervals that are part of the contract, not an afterthought. Interfaces that allow inspectors to verify status without bespoke access. The shift from selling boxes to selling auditable systems is the structural response to the directive. The book BOSWAU + KNAUER. From Building to Security Technology describes this shift from the manufacturer's side. The market is following slowly.
The timeline that operators are already inside
CER entered into force on 16 January 2023. Member states were required to transpose the directive into national law by 17 October 2024. National resilience strategies are due by 17 January 2026. Designated critical entities are to be identified by 17 July 2026. Once notified, an entity has nine months to complete its risk assessment and a further period to adopt the required measures. The arithmetic, read forward from the writing moment of this article, places the operational compliance horizon firmly in 2026 and 2027 for most designated entities.
Many member states are behind schedule on transposition. Germany, France, Italy, Spain, the Netherlands and Belgium have taken different routes and different timelines. The Commission has opened or signalled infringement procedures against several member states for delay. Operators in delayed jurisdictions are not exempt. They are exposed to a compressed adjustment window once national law arrives. The prudent assumption is that the formal designation arrives later than planned and the substantive obligations arrive faster than the operator hoped.
The interaction with insurance is the silent accelerator. Property and business interruption insurers are already pricing CER readiness into renewal discussions for entities in covered sectors. An operator that cannot show a current risk assessment, a documented resilience plan, and a recent test record faces premium increases or, in the harder cases, coverage limitations. The GDV in Germany and equivalent industry bodies elsewhere have begun publishing guidance that aligns insurer expectations with the directive's framework. The NICB and comparable bodies on the loss-prevention side are tracking incident data that feeds back into the same pricing logic. Operators who treat CER as a future problem will find their insurance treating it as a present one.
What holds
The CER Directive is not an additional layer on top of existing physical security. It is a redefinition of what physical security means for the entities that operate Europe's critical infrastructure. Resilience is now a legal category with eight verbs, a documented plan, a test regime, an inspection right, and a penalty framework. The directive does not specify the technology. It specifies the evidence. Operators who can produce the evidence will pass inspection. Operators who can only produce the equipment will not.
The asymmetry of attention between NIS2 and CER will correct itself, either through self-awareness or through the first wave of enforcement findings. The operators who correct it through self-awareness will save the difference between budgeted compliance and emergency compliance. That difference is typically a factor of three to five in the cases we have observed.
For operators who want to test their position against the directive's logic before the inspector does, Path I is the right starting point. A sixty-minute confidential conversation, no follow-up obligation, focused on the gap between the current resilience posture and the directive's evidence base. Where the gap is structural, Path II, a three to five day audit, delivers a written report that maps the gap to remediation priorities. Where a specific site has been identified as the weakest link in the resilience chain, Path III, a ninety-day pilot, produces the operational data that turns a remediation argument into a board decision. The three paths are described in the book. The directive will be enforced regardless of which path is chosen.
Frequently asked questions
What is the CER Directive?
The CER Directive is Directive (EU) 2022/2557 on the resilience of critical entities. It was adopted in December 2022 and entered into force in January 2023. It replaces the 2008 European Critical Infrastructure Directive with a substantially broader scope, covering eleven sectors including energy, transport, banking, health, water, digital infrastructure, public administration, space and food. The directive requires member states to identify critical entities and obliges those entities to conduct risk assessments, adopt resilience measures, report significant incidents, and accept inspections. It is the physical and organisational counterpart to NIS2.
How does it relate to NIS2?
CER and NIS2 were adopted on the same day and are designed to operate together. NIS2 governs cybersecurity. CER governs physical and organisational resilience. Most entities designated as critical under CER also fall under NIS2. The directives require member states to ensure that competent authorities cooperate, that incident reporting is coordinated, and that overlapping obligations are not duplicated unnecessarily. In practice, implementation varies by member state, with separate authorities and separate timelines. Operators should map their obligations under both regimes and not assume that compliance with one substitutes for the other.
What is required?
A designated critical entity must conduct a risk assessment within nine months of notification, adopt technical, security and organisational measures proportionate to identified risks, designate a liaison officer for the competent authority, report significant incidents within defined timelines, and accept on-site inspections. Measures must address physical intrusion, sabotage, terrorism, insider threats, natural hazards and hybrid threats. The directive requires demonstrable capability across prevention, protection, response, resistance, mitigation, absorption, accommodation and recovery. Documentation, testing and continuous improvement are part of the obligation, not optional extras.
When is enforcement?
The transposition deadline was 17 October 2024. National resilience strategies are due by 17 January 2026. Critical entities are to be identified by 17 July 2026. After designation, the operator has nine months to complete a risk assessment and further time to implement measures. Several member states are behind on transposition, which compresses the adjustment window once national law arrives. CER itself leaves penalties to national law; several national implementations provide for administrative fines that can reach a percentage of annual turnover. Insurance pricing already reflects CER readiness in many sectors, which functions as a market enforcement mechanism running ahead of the legal one.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com


