It’s 2 a.m. at a remote substation. A perimeter alarm sounds, triggering an urgent question: is it a stray dog, inclement weather or a malicious saboteur? For critical infrastructure companies, how and the speed at which they answer this question have changed.
False alarms used to be merely annoying. But now, under the EU’s Critical Entities Resilience (CER) Directive, a failure to verify and rapidly report a genuine incident could lead to a serious compliance penalty.
This article will guide organizations through the critical steps to align their security posture and technology stack with the CER Directive's requirements.
Introduced on January 16, 2023, the CER Directive is an EU-wide Directive that requires member states to adopt national legislation to ensure that essential services run reliably, no matter what happens.
The Directive’s objective is to strengthen the resilience of critical entities against a variety of threats, including insider threats, sabotage, terrorism, natural disasters and public health emergencies. This ensures that essential services uphold key societal functions, support the economy, protect public health and safety and preserve the environment.
The CER Directive creates an overarching framework for critical entities and was introduced alongside the NIS2 Directive, which focuses on cybersecurity.
While much of the industry's attention is fixed on the NIS2 Directive, CER is critical in its own right, addressing physical and operational resilience against all threats. The CER Directive is not demanding more technology, but proof of continuity of operations and a fast, auditable incident reporting process.
With governments racing toward the July 2026 deadline to identify entities, and organizations given only nine months to comply once notified, the time to prepare for this physical resilience mandate is now.
The European Commission has outlined a non-exhaustive list of services that includes 11 sectors and subsectors affected by the Directive:
At the moment, there are three key deadlines for EU member states and critical entities. This includes the deadline for member states to identify critical entities, the deadline for implementation and the date for when member states discover their compliance status.
By July 17, 2026, member states must identify the critical entities in the sectors listed by the EU CER Directive and perform risk assessments. These entities will be notified within a month of the deadline.
Once the critical entities have been notified, they will need to ensure they comply within nine months. This puts the latest possible deadline at May 2027.
After nine months, the CER requirements will be applied. To verify compliance, onsite inspections and audits will take place, with penalties issued for non-compliance.
In July 2027, the EU Commission will submit to the European Parliament a report outlining the extent to which each member state has taken the necessary measures to comply with the Directive.
As of May 2026, member state adoption rates vary. For example, Ireland and Greece have already enacted the CER Directive as of October 2024 and October 2025, with Ireland outlining penalties of up to €500,000 on non-compliant entities within its jurisdiction and Greece’s penalties climbing up to €10 million. Several other countries have enacted the Directive, with others at the proposal and consultation stages and a few states showing no progress.
Rather than being just a regulatory obligation, the CER Directive offers a chance to future-proof operations, show strategic leadership and build trust among stakeholders. To help critical entities navigate this effectively, the following key steps must be taken.
To have a comprehensive understanding of the potential physical and operational threats to which critical entities are exposed, organizations must conduct risk assessments. This helps to assess all relevant threats that could disrupt their essential operations, including natural disasters, power outages, sabotage and more.
When carrying out these assessments, critical entities must identify and evaluate their most important assets, locations and physical security systems, as well as third-party organizations they work with that directly impact service delivery.
Once risks and threats are identified, entities can begin resilience planning, documenting how they will prevent, respond and recover from service delivery disruptions. These plans must be ready to be shared with regulators, demonstrating how the critical entity is protecting its operations.
Crucial at this stage is the integration of physical and cyber resilience strategies, ensuring alignment with NIS2. By doing so, organizations can protect assets, maintain operational continuity and secure environments where IT and OT infrastructures intersect.
To support this critical stage, organizations should dedicate key staff members to address the expected requirements from the CER Directive and oversee the process to completion.
Critical entities can now implement their resilience measures, controls and reporting systems, ranging from video security to emergency planning. Key elements of the implementation should include:
Once the resilience measures have been implemented, key stakeholders and employees will need to understand the new procedures and how to operate relevant systems. By holding formal training sessions, employees can learn to operate systems and carry out protocols effectively.
Furthermore, critical entities should also review and adjust their processes for handling threats and disruptions when additional risks are identified and if incidents occur.
It is also recommended that organizations engage proactively with their national authorities to stay ahead of developing guidelines, participate in information-sharing and be prepared for reporting activities.
The CER Directive emphasizes the need for systems that can help critical entities prevent, respond to and recover from service disruptions. Achieving this requires a comprehensive, integrated security ecosystem that extends beyond traditional perimeter defenses.
The first step in prevention is ensuring security teams can focus on genuine threats, not false alarms. By deploying AI-powered video security, teams can:
When an incident occurs, a fast, coordinated response is required for CER compliance. Systems that focus on interoperability and workflow automation to share real-time alerts via radio communications for greater situational awareness and swift mobilization of ground teams are essential.
Physical security is the core of operational resilience. This involves a layered defense that includes:
To meet the 24-hour reporting protocol required by the CER Directive, you need robust evidence management systems. These systems ensure that all relevant data and footage are captured and easily accessed for post-incident analysis and notification to authorities.
These capabilities help ensure that critical entities can move swiftly from detection to resolution, as seen in these real-world scenarios:
The timeline for EU member states and critical entities to implement the CER Directive is ambitious. Organizations that are or may be affected should promptly begin assessing the Directive's specific consequences, identifying necessary resources and determining the best path toward compliance.
The protection of Europe's critical infrastructure is now reliant on every component within the chain, ranging from local subcontractors to extensive data centers. Contact our team of experts to find out how Motorola Solutions can improve operational resilience to help ensure reliable service delivery.