Skip to content
Safety & Security Ecosystem
Critical communications
We make devices and networks that perform exceptionally in the harshest conditions, so you can stay connected and communicate clearly.
Command center
We unify voice, video and data feeds into the command center, providing perspective to help make decisions with focus, accuracy and speed.
Video security
We design video security systems powered by responsibly-built AI analytics, so you can understand risks and act with certainty.
Managed & support services
We provide managed and support services for keeping your technology secure and up-to-date, so you can be confident in performance.
Customer success stories
Discover how customers are tapping into our technology ecosystem to stay safer.
Government grants
Explore the different grant assistance programs to help you during the grant application process.

Is your critical infrastructure ready for the EU CER Directive?

CER_hero_v2

It’s 2 a.m. at a remote substation. A perimeter alarm sounds, triggering an urgent question: is it a stray dog, inclement weather or a malicious saboteur? For critical infrastructure companies, how and the speed at which they answer this question have changed.

False alarms used to be merely annoying. But now, under the EU’s Critical Entities Resilience (CER) Directive, a failure to verify and rapidly report a genuine incident could lead to a serious compliance penalty.

This article will guide organizations through the critical steps to align their security posture and technology stack with the CER Directive's requirements.

What is the EU CER Directive?

Introduced on January 16, 2023, the CER Directive is an EU-wide Directive that requires member states to adopt national legislation to ensure that essential services run reliably, no matter what happens.

The Directive’s objective is to strengthen the resilience of critical entities against a variety of threats, including insider threats, sabotage, terrorism, natural disasters and public health emergencies. This ensures that essential services uphold key societal functions, support the economy, protect public health and safety and preserve the environment.

The CER Directive creates an overarching framework for critical entities and was introduced alongside the NIS2 Directive, which focuses on cybersecurity.

While much of the industry's attention is fixed on the NIS2 Directive, CER is critical in its own right, addressing physical and operational resilience against all threats. The CER Directive is not demanding more technology, but proof of continuity of operations and a fast, auditable incident reporting process.

With governments racing toward the July 2026 deadline to identify entities, and organizations given only nine months to comply once notified, the time to prepare for this physical resilience mandate is now.

What critical infrastructure services are affected?

The European Commission has outlined a non-exhaustive list of services that includes 11 sectors and subsectors affected by the Directive:

  • Energy: Includes services such as the production and storage of energy.
  • Transport: Includes services related to air, rail, water and road transport, covering the management, operations and maintenance of critical infrastructure such as airports, railways, seaports and traffic control systems.
  • Banking: Covers services related to taking deposits and lending.
  • Financial market infrastructure: Covers services such as the operation of trading venues and clearing systems.
  • Health: Includes the distribution, manufacturing and provision of healthcare and medical services.
  • Water: Relates to drinking water supply and distribution.
  • Wastewater: Covers the collection, treatment and disposal of wastewater.
  • Digital infrastructure: Includes the provision and operation of internet exchange point services, domain name systems, top-level domains, cloud computing and data centers.
  • Public administration: Covers services related to areas of national security, public security, defence and law enforcement.
  • Space: Includes ground-based infrastructure services.
  • Production, processing and distribution of food: Relates to food production and processing, supply chain and distribution services.

What is the timeline for compliance with the CER Directive?

At the moment, there are three key deadlines for EU member states and critical entities. This includes the deadline for member states to identify critical entities, the deadline for implementation and the date for when member states discover their compliance status.

Identify critical entities deadline: July 17, 2026

By July 17, 2026, member states must identify the critical entities in the sectors listed by the EU CER Directive and perform risk assessments. These entities will be notified within a month of the deadline.

Entity implementation deadline: May 2027

Once the critical entities have been notified, they will need to ensure they comply within nine months. This puts the latest possible deadline at May 2027.

After nine months, the CER requirements will be applied. To verify compliance, onsite inspections and audits will take place, with penalties issued for non-compliance.

Member states' compliance status check: July 2027

In July 2027, the EU Commission will submit to the European Parliament a report outlining the extent to which each member state has taken the necessary measures to comply with the Directive.

As of May 2026, member state adoption rates vary. For example, Ireland and Greece have already enacted the CER Directive as of October 2024 and October 2025, with Ireland outlining penalties of up to €500,000 on non-compliant entities within its jurisdiction and Greece’s penalties climbing up to €10 million. Several other countries have enacted the Directive, with others at the proposal and consultation stages and a few states showing no progress.

Key steps for compliance with the CER Directive

Rather than being just a regulatory obligation, the CER Directive offers a chance to future-proof operations, show strategic leadership and build trust among stakeholders. To help critical entities navigate this effectively, the following key steps must be taken.

1. Conduct risk assessments

To have a comprehensive understanding of the potential physical and operational threats to which critical entities are exposed, organizations must conduct risk assessments. This helps to assess all relevant threats that could disrupt their essential operations, including natural disasters, power outages, sabotage and more.

When carrying out these assessments, critical entities must identify and evaluate their most important assets, locations and physical security systems, as well as third-party organizations they work with that directly impact service delivery.

2. Plan resilience measures

Once risks and threats are identified, entities can begin resilience planning, documenting how they will prevent, respond and recover from service delivery disruptions. These plans must be ready to be shared with regulators, demonstrating how the critical entity is protecting its operations.

Crucial at this stage is the integration of physical and cyber resilience strategies, ensuring alignment with NIS2. By doing so, organizations can protect assets, maintain operational continuity and secure environments where IT and OT infrastructures intersect.

To support this critical stage, organizations should dedicate key staff members to address the expected requirements from the CER Directive and oversee the process to completion.

3. Implement resilience measures

Critical entities can now implement their resilience measures, controls and reporting systems, ranging from video security to emergency planning. Key elements of the implementation should include:

  • Prevention and protection measures, such as AI-enabled video security and access control
  • Response controls, including radio communications and alarm systems
  • Business continuity measures
  • Employee management, covering access permissions and background checks
  • Incident reporting systems, including protocols for notifying authorities within 24 hours of service disruption

Complete technology ecosystem

Our AI-driven technology ecosystem reduces alarm fatigue, enabling rapid and proactive threat response.
  • Unify video, radio and access systems
  • Reduce false alarms with AI analytics
  • Connected workflows for faster responses
CER-Directive_UVP

4. Carry out training and regularly audit processes

Once the resilience measures have been implemented, key stakeholders and employees will need to understand the new procedures and how to operate relevant systems. By holding formal training sessions, employees can learn to operate systems and carry out protocols effectively.

Furthermore, critical entities should also review and adjust their processes for handling threats and disruptions when additional risks are identified and if incidents occur.

It is also recommended that organizations engage proactively with their national authorities to stay ahead of developing guidelines, participate in information-sharing and be prepared for reporting activities.

Preventing critical infrastructure threats with physical security solutions

The CER Directive emphasizes the need for systems that can help critical entities prevent, respond to and recover from service disruptions. Achieving this requires a comprehensive, integrated security ecosystem that extends beyond traditional perimeter defenses.

Reducing risk and alarm fatigue

The first step in prevention is ensuring security teams can focus on genuine threats, not false alarms. By deploying AI-powered video security, teams can:

  • Rely on AI analytics to eliminate false alarms and focus only on genuine threats
  • Identify potential risks before they enter a site, using ANPR and appearance search technology
  • Guarantee compliance with safety and security regulations

Swift, informed responses

When an incident occurs, a fast, coordinated response is required for CER compliance. Systems that focus on interoperability and workflow automation to share real-time alerts via radio communications for greater situational awareness and swift mobilization of ground teams are essential.

Comprehensive protection

Physical security is the core of operational resilience. This involves a layered defense that includes:

  • Video security: Deploying AI-powered video security solutions, including ruggedized cameras capable of withstanding harsh elements and providing visibility in harsh conditions, and AI analytics to proactively flag unusual motion, loitering and trespassing.
  • Access control: Implementing role-based access control to maintain strict entry policies, helping keep intruders out while seamlessly providing access to authorized personnel.

Incident notification

To meet the 24-hour reporting protocol required by the CER Directive, you need robust evidence management systems. These systems ensure that all relevant data and footage are captured and easily accessed for post-incident analysis and notification to authorities.

These capabilities help ensure that critical entities can move swiftly from detection to resolution, as seen in these real-world scenarios:

  • Unauthorized vehicle at a remote substation: An unauthorized vehicle is detected driving toward a remote substation. ANPR cameras identify the license plate against a watchlist, allowing the operations team to mobilize ground teams via radio communication before the vehicle reaches the perimeter.
  • Insider risk at a data center: An ex-employee attempts to gain unauthorized access to the site. AI video analytics notifications and access control alerts for forced door access inform the Security Operations Center of the threat, prompting them to initiate a response to intercept the individual.
  • Industrial accident at a freight terminal: An accident occurs in a busy freight terminal where a worker breaches a heavy forklift's proximity zone, causing a crash. AI-powered cameras automatically detect the incident, with real-time alerts sent to the safety crew and supervisor. The team resolves the situation, minimizing downtime and helping to ensure business continuity.

Improve operational resilience

Don’t delay! Help ensure reliable service delivery for your critical infrastructure.

Start evaluating your physical security setup today

The timeline for EU member states and critical entities to implement the CER Directive is ambitious. Organizations that are or may be affected should promptly begin assessing the Directive's specific consequences, identifying necessary resources and determining the best path toward compliance.

The protection of Europe's critical infrastructure is now reliant on every component within the chain, ranging from local subcontractors to extensive data centers. Contact our team of experts to find out how Motorola Solutions can improve operational resilience to help ensure reliable service delivery.

 

Related articles