news

CER compliance calendar for newly appointed critical entities

Geschreven door Key2XS | Feb 15, 2026 8:22:00 AM

CER compliance calendar for newly appointed critical entities

It assumes formal appointment on 17 July 2026 and notification on the latest possible date 17 August 2026. If your authority notifies earlier, pull all dependent dates forward.

 

Anchor dates

    • Formal appointment. 17 July 2026
    • Latest authority notification (1 month). 17 August 2026
    • Risk assessment due (9 months after notification). 17 May 2027
    • Chapter III obligations effective (10 months after notification). 17 June 2027

 

Board level timeline and deliverables

Date

Milestone

Owner

Output you must be able to show

17 Jul 2026

Appointment as critical entity

CEO. General Counsel

Appointment record. Scope statement. Internal comms.

17 Jul to 31 Jul 2026

Kick off compliance program

COO. CISO. Head of Facilities

Program charter. Budget line. RACI. Reporting cadence.

By 17 Aug 2026

Formal notification received from authority

General Counsel

Notification letter filed. Confirm competent authority. Confirm scope and any carve outs.

Aug to Sep 2026

Gap assessment and baseline controls

CISO. Facilities. BCM lead

Current state assessment. Evidence inventory. Risk register v0.

Sep to Nov 2026

Define critical services and dependencies

COO. Enterprise Architect. Procurement

Critical services map. Dependency map. Single points of failure. Supplier tiering.

Nov 2026

Governance hardening

CEO. CRO. General Counsel

Policy set. Management review process. Audit readiness framework.

Dec 2026

Resilience roadmap approved

Board. CEO

Prioritised roadmap. Capex and opex plan. Delivery milestones.

Jan 2027

Incident reporting operating model ready

CISO. Legal. Comms

24 hour notification runbook. Escalation tree. Templates. On call rota.

Feb 2027

Physical protection uplift plan locked

Head of Facilities. Security lead

Site hardening plan. Access governance model. Visitor management. Monitoring plan.

Mar 2027

Business continuity and recovery exercised

BCM lead. Ops

BCP and DR plans. Table top and at least one exercise. Lessons learned log.

By 17 May 2027

Critical entity risk assessment due

CRO. CISO. Facilities

Signed risk assessment. Scenario set. Impact analysis. Control selection rationale.

May to Jun 2027

Close high risk gaps. Evidence pack build

PMO. Control owners

Control implementation proof. Procedures. Logs. Training records. Supplier attestations.

By 17 Jun 2027

Chapter III obligations effective

CEO. Control owners

Compliance position statement. Evidence ready for inspection or audit.

From 17 Jun 2027 onward

Ongoing supervision and inspections

CEO. Legal. CISO

Inspection response playbook. Continuous improvement cadence. Annual management review.

Minimum operating requirements by 17 June 2027

Governance

    • Board oversight and reporting KPI set.
    • Clear accountability per control domain.

Risk

    • Approved critical entity risk assessment. Kept current.
    • Dependency and supplier risk management in production.

Protection

    • Physical protection baseline for critical sites. Access rights governed and reviewable.
    • Security and resilience measures documented, implemented, and testable.

Response

    • Significant disruption triage criteria.
    • 24 hour notification capability. Evidence that it has been rehearsed.

Recovery

    • BCP and recovery plans exercised. Measurable recovery objectives.

 

Quick adjustment rule

If you receive the notification on a different date, recalculate:

    • Risk assessment due. Notification date plus 9 months.
    • Chapter III effective. Notification date plus 10 months.

 
Volledig bericht weergeven