Complete guide to the Critical Entities Resilience Directive — protecting essential services from physical and natural threats.
Transposition deadline
17 Oct 2024: Member States had to transpose the CER Directive into national law.
National risk assessment
17 Jan 2026: Member States must complete their national risk assessment.
Entity identification
17 Jul 2026: Member States must identify critical entities under the new framework.
Penalties are determined by Member States as part of transposition. They must be effective, proportionate, and dissuasive.
Identified critical entities must take specific measures to ensure the resilience of their essential services.
Law4Devs provides the full CER Directive as structured JSON. Query by sector, obligation type, or entity classification. Cross-reference with NIS2 for combined cyber and physical resilience.
GET /v1/frameworks/cer/articles → 200 OK · structured JSON · official EUR-Lex source
The Critical Entities Resilience Directive (EU) 2022/2557 replaces the 2008 European Critical Infrastructure Directive (ECI). It establishes a comprehensive framework to strengthen the resilience of critical entities that provide essential services in the EU against non-cyber threats including natural hazards, terrorist attacks, insider threats, and sabotage. It covers 11 sectors and complements the NIS2 Directive, which addresses cybersecurity. Member States had to transpose it into national law by 17 October 2024.
The CER Directive applies to critical entities identified by Member States across 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Member States identify critical entities based on national risk assessments. Entities of particular European significance — those providing essential services to six or more Member States — face additional obligations and coordinated advisory missions.
Critical entities must carry out risk assessments within nine months of notification, take appropriate technical, security, and organisational measures to ensure resilience, and notify incidents that significantly disrupt essential services within 24 hours. Member States must adopt a national strategy, conduct a national risk assessment by 17 January 2026, and identify critical entities by 17 July 2026. The Commission will adopt a list of essential services and conduct peer reviews of national strategies.
Law4Devs provides the full CER Directive text as structured JSON via API. Query by sector, obligation type, or entity classification. Access provisions on risk assessment requirements, resilience measures, incident notification rules, and supervisory powers. Cross-reference with the NIS2 Directive for a combined cyber and physical resilience compliance picture across your critical infrastructure obligations.
All articles, recitals, and amendments — queryable, filterable, and always up to date.