The CER-directive (Critical Entities Resilience) concerns critical infrastructure and organisations that provide critical services to society.
The directive focuses on improving resilience related to natural disasters, sabotage, supply chain disruptions and other incidents that can affect critical services and infrastructure. The purpose is to help organisations prevent, withstand and respond to crises while maintaining critical services and functions.
CER covers sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, aerospace and food.
DBI can assist organisations with:
- Risk analysis and assessment
- Emergency management plans
- Development of recovery plans
- Crisis and emergency management exercises
- Supplier management
- Background check
- Physical security review
When does the CER-directive come into effect?
Minimum CER-directive requirements for your organisation
- Risk assessment:
Companies must regularly conduct and update a comprehensive risk assessment, to identify threats to and vulnerabilities of vital societal services. - Risk management:
Risk assessment as well as, implementation of appropriate and proportionate technical and organisational measures to manage identified risks. This includes prevention, protection and emergency management planning. - Incident reporting:
Establish procedures for the rapid identification and reporting of significant incidents to relevant national authorities, often within tight timeframes. - Security audits:
Conduct regular security audits to assess the effectiveness of measures and ensure compliance with requirements. - Information sharing:
Promote the sharing of information about threats, vulnerabilities, and incidents with other critical entities and relevant authorities to strengthen societal security and resilience. - Supplier management:
Ensure that suppliers and partners also meet strict security standards to protect the supply chain from potential threats. - Awareness and training:
Implement training programs to increase employee and stakeholder awareness and level of training in security measures. - Cross-sector collaboration:
Establish contact with national contact points for critical infrastructure to ensure coordination and support for directive implementation and compliance. - National contact points:
Participate in cross-sector and cross-national cooperation to promote the exchange of best practices and strengthen resilience across borders and sectors. - Background checks:
The purpose of background checks is to verify an individual or company's background so that you can make informed decisions. Do you know who you are hiring? Integrate background checks as a central part of your CER compliance plan. Background checks help uncover hidden risks and ensure that your team meets the directive's standards.
We can help you protect people, operations and assets
Karin works with a dedicated team of safety and security specialists to help organisations strengthen resilience, manage disruptions and support continuity across critical operations.
Karin Castro
Head of Security
Related news
New research: 5 things SMEs should know about resilience
Many small and medium-sized enterprises (SMEs) say they do not work with resilience. But new research shows that SMEs focus more on resilience than they realize – and also highlights which approaches and resources make a difference. Here are 5 insights from a new PhD thesis by Thuva Kandasamy from DBI – the Danish Institute of Fire and Security Technology.
We should protect ourselves against serious cyber threats
As a digital frontrunner, Denmark is extremely vulnerable to the growing cyber threats that we see examples of every day. A new report maps specific threats and presents recommendations based on experiences from both Denmark and Ukraine.
CER: Control employee access and check their background
Employees should only have access to areas and systems relevant to their work. And trusted employees should also undergo background checks. Here, DBI shares useful advice on managing employees and performing background checks. What does employee management mean under the CER Act?
CER: Handle incidents effectively with a contingency plan
The core requirement of the CER Directive regarding incident management is to conduct a risk assessment and develop a contingency plan. DBI’s security advisors offer useful guidance.
5 things your business can learn from the power outage in Spain
The power outage in Spain and Portugal in April lasted up to 18 hours. How long – and how well – can your business operate without electricity? DBI’s resilience expert, Jesper Florin, offers valuable advice on emergency planning and strategies for maintaining operations during a power outage.
CER: Find and close the gaps to limit access to your business
The CER Directive on the Resilience of Critical Entities requires that companies within critical infrastructure have adequate physical security. However, the directive doesn’t specify how to implement it. Jesper Florin, head of DBI’s Security and Resilience Department, provides the answers.
CER directive: Timely diligence reduces risks
Companies within critical infrastructure must prevent incidents, as prescribed by the EU CER directive. Andreas Norstedt, a security advisor at DBI – the Danish Institute of Fire and Security Technology, provides guidance on how to approach this.
NIS2: How to Maintain Operations if a Crisis Strikes
By 2025, companies must comply with the requirements of the EU NIS2 directive. Here, DBI (Danish Institute of Fire and Security Technology) explains how to meet these requirements and what Business Continuity Management (BCM) involves.
CER Directive to strengthen critical infrastructure in the EU
An EU directive aims to improve companies in selected sectors in preventing, managing and recovering from hybrid attacks, natural disasters, terrorist threats and public health crises. The requirements may also include subcontractors.
New EU directive tightens cyber security requirements
The EU’s new NIS2 Directive has come into force. It tightens the requirements for cyber and information security, and requires a holistic, risk-based approach for companies. Many more companies will now be considered to constitute critical infrastructure due to their role as subcontractors.
Terms of use of the DBI website
Copyright © All material on DBI's website is protected by copyright law. If you are in any doubt about how to use our material, feel free to contact us at dbi@dbigroup.dk.
Copyright © All material on DBI's website is protected by copyright law. If you are in any doubt about how to use our material, feel free to contact us at dbi@dbigroup.dk.
