Adapting to the CER Directive: Organizational Changes in Facility Management and ICT
(Part 2 of our CER Series)
With the enforcement of the Critical Entities Resilience (CER) Directive across the European Union, critical infrastructure operators are facing not just a compliance challenge, but a strategic shift in how their organizations are structured and managed — particularly within Facility Management and Information & Communication Technology (ICT) departments.
The CER Directive, which aims to ensure the resilience of critical entities against a broad spectrum of risks, requires far-reaching changes that affect operational protocols, governance models, and internal collaboration frameworks.
1. Facility Management: From Maintenance to Mission-Critical Security
Historically viewed as operational support, Facility Management (FM) is now elevated to a frontline security role under CER:
- Access Control Becomes Strategic: FM must now manage access systems in accordance with risk-based criteria. This includes implementing electronic access control, auditable key management, and integration with identity systems.
- Redefinition of Critical Zones: Facilities must be zoned based on risk profiles. FM departments are responsible for conducting risk assessments, labeling high-risk areas, and ensuring that access to these areas is monitored and controlled.
- Emergency Preparedness Planning: CER mandates robust continuity planning. FM must now play a key role in scenario planning, managing evacuation protocols, physical redundancies, and emergency communication infrastructure.
- Collaboration with Security and ICT: FM teams must now work closely with ICT and security departments to unify physical and digital safeguards — a departure from siloed facility operations.
2. ICT: From Support System to Integrated Risk Engine
The CER Directive expands the role of ICT beyond traditional cybersecurity, placing it at the heart of resilience planning and real-time risk management:
- Convergence of Physical and Logical Access: ICT must integrate facility access controls (e.g., smart locks, badge systems) with digital identity platforms like Microsoft Entra ID or SailPoint to enforce role-based access policies that span both physical and digital realms.
- Compliance and Reporting Architecture: ICT is now responsible for ensuring that systems generate compliant audit logs, access reports, and anomaly alerts — data that is essential for CER audits and incident response.
- Resilience by Design: Infrastructure must be re-engineered for fault tolerance and disaster recovery. This includes redundant network paths, cloud failovers, and secure remote access solutions for key staff.
- Cyber-Physical Risk Models: ICT departments are required to participate in joint risk assessments with FM, modeling hybrid threat scenarios where cyber-attacks have physical consequences (e.g., disabling HVAC in a data center).
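The three ICT points above (one role model spanning badge readers and logical systems, audit logs with anomaly alerts, and cyber-physical scenarios such as a building-management console being driven without anyone present) can be illustrated with a small correlation script. The following is an added example written for this article, not code from the CER text or from any identity product; the role policy, the user list, the "bms_console" system, the zone names and the sample log lines are all constructed assumptions. It checks each badge or login event against the role policy, and additionally flags a login to a zone-bound control system when the user has no recent badge event in a matching zone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role model (an assumption for this example, not from the CER text):
# each role lists the physical zones it may badge into and the logical systems
# it may log in to. A real deployment would pull this from the identity platform.
ROLE_POLICY = {
    "hvac_engineer": {"zones": {"plant_room", "data_hall"}, "systems": {"bms_console"}},
    "office_staff": {"zones": {"lobby", "office"}, "systems": {"email"}},
}
USERS = {"u.alice": "hvac_engineer", "u.bob": "office_staff"}

# Systems that control physical plant (hypothetical mapping): a login should be
# preceded by a badge event into one of the listed zones.
ZONE_BOUND_SYSTEMS = {"bms_console": {"plant_room", "data_hall"}}


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str    # "badge" = physical reader event, "login" = logical authentication
    target: str  # zone name for badge events, system name for logins
    source: str  # reader id or network origin


@dataclass
class Alert:
    ts: datetime
    user: str
    rule: str
    detail: str


def parse(line: str) -> Event:
    """Parse one constructed log line of the form ISO-timestamp|user|kind|target|source."""
    ts, user, kind, target, source = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, target, source)


def evaluate(events, presence_window=timedelta(hours=8)):
    """Return one Alert per policy violation or cyber-physical mismatch, in time order."""
    alerts = []
    last_badge = {}  # user -> (zone, ts) of that user's most recent badge event
    for ev in sorted(events, key=lambda e: e.ts):
        role = USERS.get(ev.user)
        policy = ROLE_POLICY.get(role, {"zones": set(), "systems": set()})
        if ev.kind == "badge":
            last_badge[ev.user] = (ev.target, ev.ts)
            if ev.target not in policy["zones"]:
                alerts.append(Alert(ev.ts, ev.user, "zone_not_in_role",
                                    f"role {role!r} may not enter {ev.target!r} via {ev.source}"))
        elif ev.kind == "login":
            if ev.target not in policy["systems"]:
                alerts.append(Alert(ev.ts, ev.user, "system_not_in_role",
                                    f"role {role!r} may not use {ev.target!r} from {ev.source}"))
            required_zones = ZONE_BOUND_SYSTEMS.get(ev.target)
            if required_zones:
                # Cyber-physical check: a control-system login with no recent badge
                # into an operating zone means the plant is being driven remotely.
                zone, badge_ts = last_badge.get(ev.user, (None, None))
                present = zone in required_zones and ev.ts - badge_ts <= presence_window
                if not present:
                    alerts.append(Alert(ev.ts, ev.user, "zone_bound_system_without_presence",
                                        f"{ev.target!r} used from {ev.source} with no recent badge "
                                        f"into {sorted(required_zones)}"))
    return alerts


def to_audit_record(alert: Alert) -> dict:
    """Flatten an alert into the kind of record an audit log or SIEM would ingest."""
    return {"time": alert.ts.isoformat(), "user": alert.user,
            "rule": alert.rule, "detail": alert.detail}


# Constructed sample log: two users, one working day, one after-hours VPN login.
SAMPLE_LOG = [
    "2025-03-03T07:55:00|u.alice|badge|plant_room|reader-07",
    "2025-03-03T08:02:00|u.alice|login|bms_console|10.20.0.15",
    "2025-03-03T09:10:00|u.bob|badge|data_hall|reader-12",
    "2025-03-03T09:30:00|u.bob|login|bms_console|10.20.0.99",
    "2025-03-03T22:40:00|u.alice|login|bms_console|vpn-gw-1",
]


def run_demo():
    """Evaluate the constructed sample log and return the resulting alerts."""
    return evaluate([parse(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for alert in run_demo():
        print(to_audit_record(alert))
```

On the sample log this yields three alerts: u.bob badging into a data hall his role does not cover, u.bob logging in to the BMS console his role does not include, and u.alice's late-evening VPN login to the console with no badge event in the preceding eight hours. The first two are ordinary role-policy findings that an identity platform could enforce on its own; the third only becomes visible once badge data and authentication data are evaluated together, which is the convergence point the CER text describes.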
3. Cross-Functional Governance and New Roles
The CER Directive fosters a convergence of responsibilities, requiring organizations to rethink governance structures:
- Creation of a Chief Resilience Officer (CRO): Many organizations are introducing this new role to bridge the gap between security, operations, FM, and ICT.
- Resilience Committees: Cross-functional committees including FM, ICT, HR, legal, and security are being formed to monitor compliance and guide policy.
- Training & Awareness: Both FM and ICT staff require upskilling in risk analysis, regulatory frameworks, and incident coordination.
Conclusion
The CER Directive is more than a compliance requirement — it is a transformation trigger. Facility Management and ICT are no longer peripheral services; they are now central to an organization’s resilience posture. For critical entities, the challenge lies not only in updating systems, but in aligning people, processes, and technology around a shared mission: the protection of Europe’s most vital infrastructure.