In a world increasingly shaped by a dynamic threat landscape, from cyberattacks to natural disasters and other physical risks, the resilience of essential services is more important than ever. The Critical Entities Resilience Directive (CER Directive) is a major step towards strengthening the security and continuity of these services within the European Union (EU).
The CER Directive was adopted at the end of 2022 by the European Parliament and the Council of the European Union to enhance the resilience of critical infrastructure. Alongside the CER Directive, the Network and Information Security Directive (NIS2) was also adopted. NIS2 focuses on safeguarding and improving cyber resilience for essential and important sectors. Together, the two directives aim to strengthen the physical, digital and economic resilience of EU Member States. The CER Directive requires Member States to take measures to protect essential services against physical threats such as terrorism, sabotage and natural disasters. It applies to organisations that provide vital services, known as “critical entities”, including energy, drinking water, transport, digital infrastructure, the food industry, public health, financial market infrastructure, wastewater, public administration, banking and space.
The Critical Entities Resilience Act (Wet Weerbaarheid Kritieke Entiteiten, Wwke) is the Dutch law implementing the CER Directive. Its purpose is to increase the resilience of organisations that provide essential services in the Netherlands. It aims to protect the delivery of essential services in the internal market and thereby safeguard national security. It concerns resilience against threats, whether natural or human-made, that could seriously disrupt or impair these services.
Organisations cannot determine for themselves whether they fall under the Wwke. Instead, the relevant ministries designate which organisations provide essential services that fall within its scope. This determination is based on a risk assessment that evaluates the extent to which an organisation provides a service indispensable for societal functions and/or economic activity. Once an organisation is designated as a critical entity, NIS2 automatically becomes part of its compliance obligations, even if it does not otherwise fall within NIS2’s normal scope. This reflects the importance of digital security for critical infrastructure, both in terms of resilience and protection against cyber threats.
Whereas NIS2 imposes obligations only on organisations, the CER Directive also places obligations on Member States. This broader approach ensures that the protection of critical infrastructure and services is guaranteed at both organisational and national level. The central government must periodically develop a national strategy aimed at strengthening the resilience of critical entities. It must also periodically conduct (sectoral) risk assessments. The Ministry of Justice and Security prepares the strategy together with other relevant ministries, and the competent minister conducts the sectoral risk assessment. The strategy and assessment are then shared with the designated organisations so that they can use them when carrying out their own risk assessments.
Organisations subject to the CER obligations and therefore the Wwke must comply with several requirements, including:
Risk assessment: Organisations must carry out a risk assessment and take measures to safeguard their service delivery and protect their information. The first risk assessment must be completed within nine months of designation as a critical entity, and the assessment must be carried out and reviewed periodically. From that point on, organisations must perform the assessment every four years or sooner if required. The CER Directive also states that if a risk assessment has already been performed under another legal framework, such as NIS2, it may be used to meet the CER requirements. The supervisory authority must confirm whether the assessment fully or partly meets the CER criteria.
Duty of care: Organisations must take appropriate and proportionate technical, security and organisational measures to ensure resilience. To comply with the duty of care, the following measures must be implemented at a minimum:
1. Preventing incidents: Organisations must consider all relevant threats that could disrupt services and take necessary measures to reduce risks from disasters and climate impacts. Implementing an Incident Response Plan (IRP), for example, enables rapid and structured responses to security incidents.
2. Adequate physical protection of buildings and critical infrastructure: For example, installing perimeter fencing, physical barriers, surveillance tools and routines, detection equipment and access controls.
3. Containing and mitigating incidents: Through risk and crisis management procedures, protocols and alert routines, incidents can be neutralised.
4. Recovery after incidents: Business continuity measures must ensure that essential services can be resumed.
5. Adequate personnel security management: Examples include identifying staff in critical roles, implementing background screening policies, setting appropriate training and qualification requirements, and preventing unauthorised access by defining access levels for buildings, critical infrastructure and sensitive information.
6. Staff awareness: Relevant personnel must be made aware of all measures through training, information materials and exercises.
Incident notification: Any incident that has, or could have, significant consequences for service continuity must be reported to the competent authority within 24 hours. The purpose of the reporting duty is to inform authorities in time so that they can support the affected organisation where necessary. A notification must include a full overview of the impact, nature, cause and potential consequences of the incident. A detailed report must be submitted no later than one month after the incident has been resolved. This report supplements the initial notification to provide a complete picture.
Supervision: Organisations are subject to oversight by national authorities to ensure compliance with the Wwke. The ministries appoint supervisors who monitor whether critical entities meet their obligations. Under the Wwke, supervisors may take enforcement action if obligations are not met. They may, for example, require an audit or specific corrective measures, or impose administrative enforcement orders or fines.
Transposition of the CER Directive into the Wwke has been delayed. Until the Wwke enters into force, organisations have no binding obligations under the CER Directive, but the risks already exist. Organisations are therefore advised not to wait. By conducting a risk assessment, taking measures to mitigate risks and establishing procedures for efficient incident response, organisations can ensure that they will meet the Wwke obligations in time and safeguard the security and continuity of their vital services.
Would you like to play a key role in strengthening your organisation’s cyber resilience and bridge the gap between regulation and practical implementation? Register for our Certified Cybersecurity Compliance Officer (CCCO®) programme.