The CER Directive establishes obligations for EU Member States and critical entities to enhance the physical resilience of essential services across 11 sectors.
Focus: Critical infrastructure resilience, risk assessment, physical security, incident reporting, essential services
Article 1 — Subject Matter and Scope
Article 2 — Definitions
Article 4 — National Strategy
Article 5 — National Risk Assessment
Article 6 — Identification of Critical Entities
Article 8 — Critical Entities of Particular European Significance
Article 12 — Risk Assessment by Critical Entities
Article 13 — Resilience Measures
Article 15 — Incident Notification
Article 21 — Supervisory Powers
GET /v1/frameworks/cer/articles → 200 OK · structured JSON · official source
The Critical Entities Resilience Directive (EU) 2022/2557 replaces the 2008 European Critical Infrastructure Directive (ECI). It establishes a comprehensive framework to strengthen the resilience of critical entities that provide essential services in the EU against non-cyber threats including natural hazards, terrorist attacks, insider threats, and sabotage. It covers 11 sectors and complements the NIS2 Directive, which addresses cybersecurity. Member States had to transpose it into national law by 17 October 2024.
The CER Directive applies to critical entities identified by Member States across 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Member States identify critical entities based on national risk assessments. Entities of particular European significance — those providing essential services to six or more Member States — face additional obligations and coordinated advisory missions.
Critical entities must carry out risk assessments within nine months of notification, take appropriate technical, security, and organisational measures to ensure resilience, and notify incidents that significantly disrupt essential services within 24 hours. Member States must adopt a national strategy, conduct a national risk assessment by 17 January 2026, and identify critical entities by 17 July 2026. The Commission will adopt a list of essential services and conduct peer reviews of national strategies.
Law4Devs provides the full CER Directive text as structured JSON via API. Query by sector, obligation type, or entity classification. Access provisions on risk assessment requirements, resilience measures, incident notification rules, and supervisory powers. Cross-reference with the NIS2 Directive for a combined view of your cyber and physical resilience obligations for critical infrastructure.