Alongside the widely discussed NIS2 Directive there is a second EU rulebook that has attracted little attention in the German mid-market: the CER Directive (Critical Entities Resilience Directive). While NIS2 addresses cyber resilience, CER targets physical and operational resilience of critical entities — natural hazards, sabotage, power outages, supply-chain disruption, hybrid threats.
This article explains who is in scope, what needs to be implemented and how CER relates to NIS2 — soberly, without made-up fine figures.
What is the CER Directive?
EU Directive 2022/2557 on the resilience of critical entities (CER for short) was adopted on 14 December 2022 and is part of a package together with NIS2. It replaces the old EPSKI Directive (European Critical Infrastructures) from 2008 and considerably expands its scope.
Core idea: Certain entities are so important for the functioning of the internal market and society that they must be kept actively resilient — against all kinds of threats, not just cyber.
Transposition in Germany: The CER Transposition Act (CER-UmsG) is still in the legislative process as of 2026. The federal interior minister has postponed transposition several times; commencement is expected in the course of 2026. Anyone in scope should actively track the legislative status — best via official communications from BMI and BSI.
Scope: which sectors?
The CER Directive names eleven sectors with critical entities:
- Energy (electricity, gas, oil, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health (hospitals, medical-device manufacturers, pharma)
- Drinking water
- Waste water
- Digital infrastructure (internet exchange points, DNS, TLD registries, cloud providers, data centres, CDNs, trust service providers)
- Public administration
- Space (ground infrastructure for space operations)
- Food (production, processing, distribution)
Compared to the old EPSKI Directive (only energy and transport), this is a significant expansion — particularly the addition of drinking water, waste water, public administration and food.
Thresholds: who counts as a “critical entity”?
Unlike NIS2, CER does not apply flat size thresholds (e.g. “more than 50 employees”). Instead, each member state identifies critical entities individually based on:
- Importance of the services provided to maintaining critical functions
- Dependency of other sectors on the entity
- Geographical reach of the services provided
- Impact of an outage on society and economy
- Availability of alternative providers
In concrete terms: a mid-sized water utility can be CER-relevant if it has no regional alternative. A food manufacturer of similar size can equally fall into scope if it represents a relevant share of a supply chain.
Authorities notify the designation. Identification happens through the responsible national authority — companies receive a notification of their classification as a critical entity. Unlike NIS2, this is not pure self-assessment; but anyone operating in one of the eleven sectors and not entirely small should expect a designation.
Delineation from NIS2
The most frequent confusion in the market:
| Aspect | NIS2 | CER |
|---|---|---|
| Focus | Cybersecurity | Physical and operational resilience |
| Threat type | IT security incidents | All threats (natural hazards, sabotage, hybrid attacks, technical failures) |
| Identification | Self-assessment with thresholds | Authority notification |
| Sectors | 18 (Annexes I + II) | 11 |
| Transposition law DE | NIS2UmsuCG | CER-UmsG (in process) |
| Authority | BSI | BBK (Federal Office of Civil Protection and Disaster Assistance), in coordination with BSI |
Important: Many critical entities will fall under both NIS2 and CER — a hospital is both an essential entity under NIS2 and a critical entity under CER. The obligations are complementary; duplicated reporting paths are mitigated in practice by coordinated authority communication, but the risk assessment must cover both dimensions.
Obligations for critical entities
The CER Directive obliges critical entities to:
1. Risk assessment
A systematic assessment of all relevant risks that can impair the delivery of critical services. This explicitly includes:
- Natural hazards (flood, storm, heat, earthquake — region-dependent)
- Technical failures (power outage, supply-chain disruption)
- Deliberate acts (sabotage, terrorism, cyber attacks with physical effects)
- Hybrid threats (combination of cyber + physical + disinformation)
- Pandemic situations
The risk assessment must be updated at least every four years — more often in case of material changes.
2. Resilience plan / measures
Based on the risk assessment, entities must take appropriate and proportionate measures to:
- Prevent incidents
- Ensure protection of premises and critical equipment
- Respond to incidents and recover from them
- Minimise consequences for the public
- Train staff
The directive is deliberately technology-neutral here — it does not prescribe specific tools, but takes a risk-based approach with state-of-the-art measures.
3. Personnel security checks
Entities may request background checks for security-relevant positions. What counts as “security-relevant” is defined by the member state. In Germany this is expected to build on existing security-clearance structures.
4. Reporting obligation for significant incidents
Significant incidents impairing the delivery of critical services must be reported without delay to the responsible authority. The exact deadlines result from the CER-UmsG; the model is expected to mirror NIS2 deadlines (early warning within 24h, notification within 72h, final report within 1 month).
5. Cross-sectoral information sharing
Critical entities are expected to participate in voluntary or mandatory information-sharing networks — both nationally and cross-border for particularly critical entities.
What this means for the mid-market
Three scenarios we know from DATAZONE customer conversations:
Scenario 1: Mid-sized water utility (250 staff, 80,000 inhabitants in supply area)
- Sector: drinking water — clearly CER-relevant
- Also NIS2-obliged (essential entity in the water sector)
- Measures: risk assessment for plants (SCADA, pump stations), contingency plans for power outage (diesel UPS, island operation), redundant drinking-water treatment, sabotage protection of physical plants, cyber resilience of control technology
Scenario 2: Hospital (450 beds)
- Sector: health — CER-relevant
- Also NIS2-obliged
- Measures: backup power > 72h, water storage, supply-chain redundancy for medication, IT resilience including hospital information system, staff training for hybrid crisis situations
Scenario 3: Food manufacturer, regional market leader (180 staff)
- Sector: food — CER classification possible but depends on official assessment
- Measure preparation worthwhile even without classification: cold-chain resilience, energy supply, supply-chain risk assessment, IT security of production controls
Concrete measures — a pragmatic starting point
If you expect CER classification as a mid-market company, you should do the homework before the CER-UmsG takes effect. Recommended order:
- Sectoral self-assessment. Are we in one of the eleven sectors? If yes: how important are we in the region / in the market?
- Risk assessment. All-hazards approach: not just cyber, but also power, water, staff, supply chain, regional natural hazards. Methodologically helpful: BSI standard 200-3 as a framework.
- Inventory of resilience measures. What do we have? Backup power (for how long?), redundant sites, deputy rules, cyber security (see NIS2 obligations, Linux server hardening).
- Gap analysis. What is missing? Priority by risk score x probability.
- Document the resilience plan. In writing, with responsibilities, escalation tiers, update rhythm.
- Exercises. At least an annual tabletop exercise (crisis scenario discussed in a meeting room), every two years a real staff or full exercise.
- Supply-chain resilience. Identify single-source dependencies and mitigate them (alternative suppliers, buffer stocks, contracts with escalation clauses).
Most of these steps make sense independently of formal CER classification. If you have them, you are also in a markedly better position for NIS2, ISO 27001 and insurance audits.
What about fines?
The CER Directive leaves sanction levels to the member states. The German draft of the CER-UmsG provides for graduated fines. Concrete amounts are still in flux during the ongoing legislative process and may change before adoption.
We deliberately avoid concrete figures in this article — anyone wanting to check final fine ranges should consult the finalised act and the explanatory memorandum from BMI. The order of magnitude is expected to align with NIS2 (significant sums for mid-market balance sheets).
DATAZONE recommendation
CER is not a pure cyber discussion — it is a resilience discussion. If you have already addressed NIS2, part of the homework is done (cybersecurity is one of the addressed risks), but the physical-operational dimension comes on top.
Pragmatic path for mid-market companies in CER sectors:
- Commission an all-hazards risk assessment (internally or with consulting)
- Review backup-power and emergency-water concepts
- Identify supply-chain single sources
- Bring cyber resilience (NIS2 measures) to the level CER will also cover
- Practise crisis communication and staff organisation
- Maintain documentation — audits will come
At DATAZONE we support the technical resilience layer (backup strategies, redundant IT infrastructure, disaster recovery planning, compliance reports) and work with specialised compliance consultants for the organisational side as needed.
Sources and further reading
More articles
Linux Server Hardening: 15-Minute Checklist
Ten concrete hardening steps for a freshly installed Debian, Ubuntu or Rocky Linux server — SSH, updates, firewall, auditing, sudo, limits, services, NTP, logging, kernel sysctl. With commands, doable in a quarter of an hour.
Cyber Insurance 2026: What Insurers Demand from SMBs
Insurers in 2026 demand increasingly detailed minimum standards — MFA everywhere, documented patch management, EDR, immutable backups, training, incident response plan, segmentation. What is on the pre-contract questionnaire and what gets checked in a claim.
Backup Encryption: Key Management Done Right
Encrypted backups are useless if key management is sloppy. Symmetric vs. asymmetric, vault options, rotation, recovery scenarios and the tool-level practice for PBS, Restic and TrueNAS.