CRO vs. CISO: Distinct but Complementary Roles Under the CER Directive (Part 8 of our CER Series)
As the CER Directive reshapes the resilience landscape for critical infrastructure across Europe, organizations are redefining internal roles to meet both operational and regulatory demands. Two of the most vital—but often confused—functions are those of the Chief Resilience Officer (CRO) and the Chief Information Security Officer (CISO).
While their responsibilities may overlap, their scope, authority, and priorities are fundamentally different.
1. Mandate & Scope
|
Role
|
CRO
|
CISO
|
|
Primary Focus
|
Enterprise-wide resilience: physical, cyber, operational, supply chain
|
Cybersecurity: data, networks, IT infrastructure
|
|
CER Responsibility
|
Full compliance leadership: risk assessments, continuity plans, physical + digital integration
|
Contributes to CER’s cyber resilience aspects (e.g. threat detection, system hardening)
|
|
Authority Scope
|
Cross-domain (ICT, facilities, suppliers, crisis management)
|
Primarily ICT and cybersecurity domains
|
2. Strategic vs. Technical Orientation
- CRO: Operates at board level, aligning organizational resilience with business continuity, legal risk, and national reporting obligations.
- CISO: Delivers technical defenses (firewalls, encryption, monitoring), often reporting to the CIO or CRO depending on structure.
3. Role in a CER Incident
In a sabotage or outage event:
- The CRO leads the incident response, crisis communications, and compliance reporting to regulators (e.g. the 24h reporting rule under Article 13 CER).
- The CISO investigates the technical breach, contains malware, restores secure systems, and provides forensic evidence.
4. Relationship Between the Two
|
CRO
|
CISO
|
|
Sets resilience policy across departments
|
Implements cyber protections within IT and OT systems
|
|
Leads multi-disciplinary incident response
|
Handles technical incident response and mitigation
|
|
Interfaces with regulators and national authorities
|
Provides cyber insights and threat intelligence
|
|
Owns third-party continuity policies
|
Ensures secure access to third-party digital services
|
Best practice: The CISO should report into or coordinate directly with the CRO to ensure alignment between technical cybersecurity and broader organizational resilience strategies.
5. Why Both Roles Are Essential Under CER
The CER Directive is not solely about cybersecurity — it’s about keeping critical services running under all circumstances. That includes:
- Physical sabotage
- Natural disasters
- Insider threats
- Digital attacks
- Supply chain failures
This breadth requires both operational coordination (CRO) and technical cybersecurity expertise (CISO). One without the other creates blind spots.
Conclusion
Under the CER Directive, the CRO is the architect of resilience — designing and governing the full framework — while the CISO is the engineer ensuring digital security holds firm. They are partners in safeguarding society’s most vital infrastructure.
Failing to define and coordinate these roles clearly isn’t just an internal risk — it’s a compliance vulnerability.
