How to prepare for the CER directive?

IT, Privacy & Cybersecurity

5 February 2025

Written by

Natascha van Duuren

The Critical Entities Resilience Directive (CER Directive) and the Network and Information Security Directive (NIS2 Directive) were established by the European Union at the end of 2022. These directives aim to strengthen the physical, digital, and economic resilience of European member states. What is the difference between these directives? The CER Directive focuses on protecting organizations against physical threats, such as the consequences of (terrorist) crimes, sabotage, and natural disasters. In contrast, the NIS2 Directive focuses on digital (cyber) risks for network and information systems, such as the internet and payment traffic. Both directives impose a duty of care on organizations to take security measures and a reporting obligation to report incidents. In this blog, we will delve into how you can prepare for the CER Directive.

Who does the CER directive apply to?

First, the question: who does the CER Directive apply to? The CER Directive targets so-called 'critical' entities that provide essential services within the following sectors: energy, drinking water, transport, digital infrastructure, food, healthcare, financial market infrastructure, wastewater, government, banking, and space.

Why is it important to take action now?

The CER Directive is being implemented in the Critical Entities Resilience Act (Wwke). This law, like the Cybersecurity Act, has not yet come into effect. However, the Dutch government advises organizations not to wait but to take measures now. The risks that organizations and systems face are already present. By taking action early, organizations can better protect themselves against existing risks and be better prepared for the new legislation.

How can you prepare your organization?

It is important to start with the following measures as soon as possible:

  1. Conduct a risk analysis: Identify the physical risks that could disrupt your organization's services. The National Risk Analysis (RbRa) can be used to map out risks; it analyses threats that could disrupt our society. In the RbRa 2022, many scenarios are considered 'very likely.' These scenarios relate to both safety threats (wildfires, flu epidemics) and security threats (hybrid operations, disruptions in international trade, collateral damage from cyberattacks). Since the likelihood of these types of threats occurring is relatively high according to the National Security Analyst Network, it is essential to be prepared to mitigate their impact. Once you have mapped out the risks, identify the so-called crown jewels of your organization. It is useful to work with scenarios: consider which scenarios might occur and determine what measures are needed to improve resilience for each scenario.
  2. Implement security measures: Then implement measures that better protect your organization against the identified risks.
  3. Establish incident management procedures: Develop procedures to quickly detect, respond to, and recover from incidents. Quick action is an absolute requirement. In a subsequent blog, we will discuss the development of an Incident Response Plan.

Action Required

The CER Directive requires organizations to take action to protect themselves against physical threats. By taking measures now, organizations can not only comply with future legislation but also increase their resilience against these threats. The National Risk Analysis indicates that various threats are considered 'very likely' and that several scenarios are outlined with an impact of 'serious' or higher. This is all the more reason to take action now and not wait until the Critical Entities Resilience Act comes into effect.

Questions?

For questions about the CER Directive, contact Natascha van Duuren, Partner & Lawyer IT, Privacy & Cybersecurity.
