CER implementation across the EU. Status as of 8 February 2026

The European Union’s Critical Entities Resilience Directive (Directive (EU) 2022/2557) is past its legal “paper deadlines” and is now in the messy delivery phase. The directive is in force, but implementation is uneven across Member States. Some have enacted dedicated CER laws and are building supervisory capacity. Others have not even notified transposition measures. The result is fragmented readiness right when the timetable starts to bite.

1. The timetable.What should already be done?

Transposition into national law was due 17 October 2024.

National resilience strategy was due 17 January 2026.

Member State risk assessment was due 17 January 2026.

Identification of critical entities must happen by 17 July 2026.

After identification, the operational obligations switch on fast:

• Member States must notify entities within one month of identification.
• Chapter III applies 10 months after notification.
• Critical entities must complete their own risk assessment within nine months of notification.

So February 2026 is the pivot point. Strategies and national risk assessments are already due, and the July 2026 designation deadline is close enough that slow movers are now in schedule debt.

2. Transposition reality. EU-wide implementation is patchy

The cleanest EU-wide signal is the EUR-Lex register of national transposition measures (NIM) for Directive 2022/2557. It is updated weekly and shows what Member States have formally communicated as transposition.
As of early February 2026, the NIM register still shows zero notified measures for several major Member States. Examples visible in the register include:

• Netherlands: 0 measures.
• Germany: 0 measures.
• Spain: 0 measures.
• France: 0 measures.
• Poland: 0 measures.
• Bulgaria: 0 measures.
• Sweden: 0 measures.

That does not prove “nothing is happening” domestically. It does prove that, from an EU compliance and enforcement perspective, notification is still not complete in a non-trivial set of countries.

At the other end, several Member States have clearly moved to formal adoption. Concrete examples:

• Ireland has transposed CER via statutory instrument (S.I. No. 559/2024).
• Italy implemented via Legislative Decree No. 134 (published September 2024).
• Belgium shows a dedicated CER law dated December 2025 with publication in January 2026.
• Portugal shows a transposing decree-law (March 2025).

Bottom line: the EU is operating in a two-speed model. A first group is already building operating models, competent authorities, and supervisory tooling. A second group is still closing the legal gap, and that gap now collides with the January 2026 strategy and risk assessment deliverables.

3. Enforcement signal: The Commission has been pushing since 2024

The European Commission has already used infringement steps to pressure non-notification of CER transposition measures after the October 2024 deadline. Public reporting on the November 2024 infringement package states that the Commission opened procedures by sending letters of formal notice for failure to notify CER transposition.
This matters operationally because late legal adoption usually implies late governance setup. Without competent authorities, a single point of contact, inspection powers, and enforcement processes, “implementation” becomes a slide deck, not a control regime.

4. What “implementation” really means in 2026

Even in countries that have transposed, the hard part is execution. CER implementation is not a single project. It is a national operating model with recurring cycles. By design, it links policy, risk, supervision, and cross-border cooperation.

By February 2026, mature Member States are typically doing five things in parallel:

1. Publishing a national resilience strategy that sets governance, objectives, and support measures.
2. Completing a Member State risk assessment across sectors, including cross-border and cross-sector dependencies.
3. Defining the designation methodology and thresholds to identify critical entities by July 2026.
4. Building supervisory capacity (who inspects, how audits work, how confidential information is handled).
5. Aligning CER with NIS2 and sectoral regimes to avoid duplication and conflicts in reporting and controls.

The Commission has also supported implementation by defining an EU list of essential services that Member States can use in risk assessments and identification work.

5. Why so many delays? The recurring bottlenecks.

Across the EU, the same blockers keep showing up:

• Scope complexity. CER covers 11 sectors and depends on national interpretation of essential services, criticality, and “significant disruptive effects”.
• Governance friction. CER requires competent authorities, a single point of contact, and coordination with cybersecurity authorities. Many countries are re-cutting responsibilities across ministries and regulators.
• NIS2 overlap. Many critical entities are also NIS2 entities. Governments are trying to converge control frameworks, reporting channels, and supervision, but the legal architectures differ and sector regulators already exist.
• Interdependency mapping. CER forces explicit modelling of dependencies between sectors and across borders. That is politically sensitive and technically hard.
• Market readiness. Operators need budget, suppliers, and tested standards for physical and operational resilience improvements. Many countries have not yet translated CER into clear, sector-specific minimum baselines.

6. What happens next? The EU delivery sprint to July 2026

Between now and 17 July 2026, the key output is the designation of critical entities per sector.  Once entities are notified, the compliance clock starts:

• Ten months to the start of Chapter III obligations.
• Nine months to complete the entity risk assessment.

This means late designation compresses the window for real controls. If a country designates late in 2026, many entities will be implementing into 2027 under time pressure. That is where audit quality drops and “checkbox resilience” appears.

7. Practical takeaways for operators

If you run an essential service in the EU, do not wait for your country to finish its legislative process.

• Assume you will be designated. Prepare the evidence trail: risk assessment, resilience measures, incident handling, supply chain controls, and executive accountability.
• Build an integrated CER plus NIS2 control set. Separate programs create duplicate reporting, duplicate audits, and misaligned priorities.
• Track your Member State’s NIM status and national publications. If your country still shows “0 measures” in EUR-Lex, plan for accelerated timelines and shifting guidance.

Bottom line: CER is not delayed everywhere, but EU-wide implementation is not synchronized. February 2026 is the moment where legal transposition gaps start turning into operational risk, because the strategy and risk assessment milestones are already due and the July 2026 designation deadline is approaching fast.