CER is a directive from the EU in the area of digital resilience, where critical entities are given greater responsibility to protect themselves against events in IT systems that have negative consequences for society. CER (2022/2557) is implemented into local legislation in all EU member states.
The CER directive also regulates physical security and personnel security requirements, including requirements for training relevant personnel in security matters. The requirements also include background checks for personnel.
Each member state shall decide on the sanctions applicable for violations of the requirements in CER, where the directive indicates that the sanctions should be proportionate enough to be preventative.
The local legislation for the CER directive must be in place by October 17, 2024, and take effect by October 18, 2024.
Unlike under the NIS2 directive (2022/2555), it is the responsibility of the state to assess whether an entity falls under the requirements of CER and to inform the entity of this assessment. The initial assessment of which entities fall under CER must be completed by July 17, 2026.
No later than one month after an entity has been assessed to be subject to the CER directive, it must be informed of this, and the information must also include the requirements imposed on the entity.
Following this, the identification of critical entities must be carried out on an ongoing basis, at least every four years. If an entity is no longer considered critical, it must be informed of this.
Within nine months from the time an entity has been informed, a comprehensive risk assessment must be conducted, considering all physical and logical risks related to the functions subject to the requirements of the CER directive.
Based on the entity's risk analysis and, if necessary, the state's risk analysis, measures must be taken to address risks that are deemed unacceptable.
Cegal's consultants in information and cybersecurity have experience in establishing information security management systems for regulatory compliance for both NIS and other regulatory frameworks.
Additionally, Cegal's cybersecurity experts can guide and help you navigate through this complex technical area. We can help you stay ahead in securing your IT infrastructure with deep knowledge of operational technology (OT), cloud infrastructure and platforms, hybrid solutions, and multi-cloud infrastructure. Our dedicated delivery areas offer a range of security solutions to protect and monitor critical functions and ensure business continuity.