CER compliance calendar for newly appointed critical entities
It assumes formal appointment on 17 July 2026 and notification on the latest possible date 17 August 2026. If your authority notifies earlier, pull all dependent dates forward.
Anchor dates
- Formal appointment. 17 July 2026
- Latest authority notification (1 month). 17 August 2026
- Risk assessment due (9 months after notification). 17 May 2027
- Chapter III obligations effective (10 months after notification). 17 June 2027
Board level timeline and deliverables
|
Date |
Milestone |
Owner |
Output you must be able to show |
|
17 Jul 2026 |
Appointment as critical entity |
CEO. General Counsel |
Appointment record. Scope statement. Internal comms. |
|
17 Jul to 31 Jul 2026 |
Kick off compliance program |
COO. CISO. Head of Facilities |
Program charter. Budget line. RACI. Reporting cadence. |
|
By 17 Aug 2026 |
Formal notification received from authority |
General Counsel |
Notification letter filed. Confirm competent authority. Confirm scope and any carve outs. |
|
Aug to Sep 2026 |
Gap assessment and baseline controls |
CISO. Facilities. BCM lead |
Current state assessment. Evidence inventory. Risk register v0. |
|
Sep to Nov 2026 |
Define critical services and dependencies |
COO. Enterprise Architect. Procurement |
Critical services map. Dependency map. Single points of failure. Supplier tiering. |
|
Nov 2026 |
Governance hardening |
CEO. CRO. General Counsel |
Policy set. Management review process. Audit readiness framework. |
|
Dec 2026 |
Resilience roadmap approved |
Board. CEO |
Prioritised roadmap. Capex and opex plan. Delivery milestones. |
|
Jan 2027 |
Incident reporting operating model ready |
CISO. Legal. Comms |
24 hour notification runbook. Escalation tree. Templates. On call rota. |
|
Feb 2027 |
Physical protection uplift plan locked |
Head of Facilities. Security lead |
Site hardening plan. Access governance model. Visitor management. Monitoring plan. |
|
Mar 2027 |
Business continuity and recovery exercised |
BCM lead. Ops |
BCP and DR plans. Table top and at least one exercise. Lessons learned log. |
|
By 17 May 2027 |
Critical entity risk assessment due |
CRO. CISO. Facilities |
Signed risk assessment. Scenario set. Impact analysis. Control selection rationale. |
|
May to Jun 2027 |
Close high risk gaps. Evidence pack build |
PMO. Control owners |
Control implementation proof. Procedures. Logs. Training records. Supplier attestations. |
|
By 17 Jun 2027 |
Chapter III obligations effective |
CEO. Control owners |
Compliance position statement. Evidence ready for inspection or audit. |
|
From 17 Jun 2027 onward |
Ongoing supervision and inspections |
CEO. Legal. CISO |
Inspection response playbook. Continuous improvement cadence. Annual management review. |
Minimum operating requirements by 17 June 2027
Governance
- Board oversight and reporting KPI set.
- Clear accountability per control domain.
Risk
- Approved critical entity risk assessment. Kept current.
- Dependency and supplier risk management in production.
Protection
- Physical protection baseline for critical sites. Access rights governed and reviewable.
- Security and resilience measures documented, implemented, and testable.
Response
- Significant disruption triage criteria.
- 24 hour notification capability. Evidence that it has been rehearsed.
Recovery
- BCP and recovery plans exercised. Measurable recovery objectives.
Quick adjustment rule
If you receive the notification on a different date, recalculate:
- Risk assessment due. Notification date plus 9 months.
- Chapter III effective. Notification date plus 10 months.