
Accountability and Legal Liability Under the CER Directive: What Critical Entities Must Prepare For

Written by Key2XS | May 28, 2025 7:00:00 AM

Part 3 of our CER Series

The Critical Entities Resilience (CER) Directive (Directive (EU) 2022/2557), adopted by the European Union in December 2022, introduces a powerful legal and operational framework to safeguard Europe’s essential services. From energy and water to transport and digital infrastructure, operators identified as “critical entities” now face a heightened level of accountability, not only in operational terms but also in legal exposure.

As the directive is transposed into national legislation across EU member states, organizations must understand the new liabilities it imposes on executives, board members, and operational leaders. Compliance is no longer a technical checkbox; it is a matter of legal responsibility.


1. A Shift from Voluntary to Enforceable Resilience Obligations

Prior to the CER Directive, many resilience activities — such as risk assessments or continuity planning — were considered best practices rather than enforceable requirements. The CER changes this by introducing mandatory risk management measures tailored to each critical entity’s threat landscape.

Failure to implement these measures, or to report disruptions and incidents as required, may now lead to administrative penalties, civil liability, or even criminal sanctions, depending on national transposition.


2. Management Accountability: The Personal Risk for Executives

The directive emphasizes that responsibility for compliance lies at the top level of management:

  • Named Accountability: Executives must formally designate a responsible officer for resilience and security, and ensure regular reporting to national authorities.

  • Personal Consequences: In case of non-compliance, negligence, or failure to act on known risks, individual board members and directors may be held personally liable, particularly if harm to the public, the economy, or national security can be traced to organizational failure.

  • Duty of Care Expansion: The CER effectively expands the traditional “duty of care” to include threats such as cyberattacks, insider sabotage, and even climate-related disruptions — all of which must now be addressed in internal controls.


3. Legal Exposure from Supply Chains and Outsourcing

The CER Directive requires entities to assess and mitigate risks not just internally, but across their entire value chain, including contractors, third-party suppliers, and service providers.

  • Shared Liability: If a critical disruption stems from a third-party supplier, the critical entity may still be held liable for failing to ensure that proper controls, oversight, and continuity provisions were in place.

  • Due Diligence Obligations: Entities must actively audit and monitor their suppliers’ compliance with CER-related policies — failure to do so may result in joint or vicarious liability.


4. Reporting Requirements and Legal Consequences of Non-Disclosure

Entities must report any incident that significantly disrupts, or has the potential to significantly disrupt, the provision of essential services within strict timelines: the directive requires an initial notification to the competent authority no later than 24 hours after the entity becomes aware of the incident, followed where relevant by a detailed report within one month. These obligations resemble those under GDPR, and failure to report can lead to:

  • Fines and Administrative Sanctions

  • Civil Liability if customers or citizens suffer harm

  • Reputational Damage, which can affect licensing, investor confidence, and public trust


5. Strengthening Legal Readiness: What Organizations Must Do

To avoid legal pitfalls and demonstrate compliance:

  • Update Governance Frameworks: Assign formal CER roles and reporting lines.

  • Conduct Legal Risk Assessments: Map out exposure under national and EU law.

  • Establish Compliance Audits: Ensure technical and procedural CER measures are documented and verifiable.

  • Review Contracts and SLAs: Incorporate CER obligations into supplier agreements and ensure clear liability clauses are included.

  • Train Executives and Supervisory Boards: Legal awareness is now a top-level priority.


Conclusion

The CER Directive is a wake-up call for Europe’s critical sectors: resilience is now a legal obligation, not a recommendation. Organizations must act swiftly to close governance gaps, upgrade their legal preparedness, and embed accountability into their core strategy. In an age of hybrid threats and systemic interdependencies, resilience isn’t just operational; it’s a matter of legal survival.