    EU Critical Entities Resilience Directive (CER): Why it Matters

    A look at the CER Directive's core objectives and what these mean for you

    Climate-related and geopolitical events have exposed how underprepared many organizations are for serious disruption. In response, the EU has introduced the Critical Entities Resilience Directive (CER), mandatory legislation that demands action.

    What is the EU Critical Entities Resilience Directive (CER)?

    Replacing the 2008 European Critical Infrastructure Directive, the EU CER Directive is legislation that protects organizations delivering essential services across the EU. In force since 16 January 2023, it has fully applied across all Member States since 18 October 2024.

    The Directive specifically addresses 11 critical sectors, including energy, transport, digital infrastructure, banking, and healthcare, to ensure essential services continue despite any disruption. It does this by enforcing mandatory risk assessments, business continuity planning, and incident reporting, with a focus on proven operational readiness. 

    Using an all-hazards approach, the Directive addresses natural disasters, cyber-physical attacks, terrorism, pandemics, and supply chain failures. It recognizes that critical entities don’t operate in isolation, making resilience a shared responsibility. Beyond continuity, the legislation:

    • Holds senior management directly accountable for resilience outcomes.
    • Requires organizations to manage, recover from, and report significant disruptions.
    • Addresses interdependency risks across digital and supply chains.
    • Shifts the regulatory focus from policy existence to operational preparedness and evidence.

    The legislation focuses on physical and operational resilience, while its counterpart, the Network and Information Security Directive (NIS2), addresses cybersecurity. Together they provide comprehensive protection for both physical and digital infrastructure.

    Why does it matter now?

    EU Member States must designate critical entities by July 2026, giving affected organizations just 10 months to achieve full compliance by May 2027. That might sound reasonable, until you factor in mapping complex supply chains, standing up new reporting systems, and overhauling resilience governance.

    Compliance timeline

    • By January 17, 2026: Member States must complete national risk assessments and adopt resilience strategies.
    • By July 17, 2026: Critical entities across 11 sectors identified by Member States.
    • Within 1 month of designation: Member States to notify entities of their critical status.
    • By May 2027: Critical entities must achieve full compliance.

    What does this mean for you?

    Whether or not your organization is designated as critical, the CER Directive will change how you operate.

    If you're designated as a critical entity

    From July 2026, you will have just 10 months to:

    • Implement comprehensive resilience measures across your supply base.
    • Conduct detailed risk assessments of your supply chain dependencies.
    • Establish incident-reporting systems that can detect and report disruptions within 24 hours.
    • Map cross-border and cross-sectoral dependencies.
    • Develop and maintain detailed business continuity plans.

    If you supply critical entities

    Article 13 requires critical entities to push these measures down through contracts, due diligence, and supplier codes of conduct. If you supply into a critical sector, expect:

    • Detailed questionnaires about your business continuity plans, alternative sourcing strategies, geographic dependencies, and incident-response capabilities.
    • Contractual assurances around resilience, incident-notification timelines, and continuity of supply.
    • Immediate notification requirements if you’re the source of a disruption. Your customer has just 24 hours to report.
    • Visibility requirements into your sub-tier suppliers, particularly for single points of failure.

    How can you prepare?

    Before designation in July, every organization should be able to answer:

    • What are our critical services and dependencies?
    • How do we understand and manage risks to those services?
    • Who owns oversight and how is it evidenced?
    • Could we manage a significant disruption tomorrow (operationally and communicatively)?
    • How do we govern dependency on critical suppliers?

    If those answers are clear, consistent, and evidence-backed, you're in a good position. If they’re not, start mapping your dependencies, stress-testing continuity plans, and building genuine resilience now to be better prepared for the next crisis.
