The Critical Entities Resilience Directive (CER Directive) and the Network and Information Security Directive (NIS2 Directive) were established by the European Union at the end of 2022. These directives aim to strengthen the physical, digital, and economic resilience of European member states.
What is the difference between these directives? The CER Directive focuses on protecting organizations against physical threats, such as the consequences of (terrorist) crimes, sabotage, and natural disasters. In contrast, the NIS2 Directive focuses on digital (cyber) risks for network and information systems, such as the internet and payment traffic. Both directives impose a duty of care on organizations to take security measures and an obligation to report incidents. In this blog, we will delve into how you can prepare for the CER Directive.
First, the question: who does the CER Directive apply to? The CER Directive targets so-called 'critical' entities that provide essential services within the following sectors: energy, drinking water, transport, digital infrastructure, food, healthcare, financial market infrastructure, wastewater, government, banking, and space.
The CER Directive is being implemented in the Critical Entities Resilience Act (Wwke). This law, like the Cybersecurity Act, has not yet come into effect. However, the Dutch government advises organizations not to wait but to take measures now. The risks that organizations and systems face are already present. By taking action early, organizations can better protect themselves against existing risks and be better prepared for the new legislation.
It is important to start with the following measures as soon as possible:
The CER Directive requires organizations to take action to protect themselves against physical threats. By taking measures now, organizations can not only comply with future legislation but also increase their resilience against these threats. The National Risk Analysis indicates that various threats are considered 'very likely' and outlines several scenarios with an impact of 'serious' or higher. This is all the more reason to take action now and not wait until the Critical Entities Resilience Act comes into effect.
For questions about the CER Directive, contact Natascha van Duuren, Partner & Lawyer IT, Privacy & Cybersecurity.