The EU Critical Entities Resilience Directive, CER, is no longer a future compliance topic. It is now an execution issue. The Directive entered into force in January 2023, Member States had to transpose it by 17 October 2024, and national authorities must identify critical entities by 17 July 2026. For designated organisations, the real compliance clock starts after formal notification: the Directive gives them ten months from that notification before the resilience obligations apply, and what has to be shown in that window is actual resilience, not policy intent.
The picture across Europe is still uneven. Some Member States have adopted implementing legislation. Others are still in proposal or consultation phases. Bird & Bird’s CER implementation tracker shows adoption in countries including Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Portugal, Romania, Slovakia and Slovenia, while France and the Netherlands were still listed at proposal stage, and Bulgaria and Poland at consultation stage.
That fragmentation matters. Critical infrastructure does not stop at national borders. Energy grids, transport corridors, digital infrastructure, water supply, ports, public services and telecom networks are deeply interconnected. A weak link in one Member State can become a systemic risk for the wider European economy.
The Dutch implementation is a useful indicator of where the market is going. The Dutch Critical Entities Resilience Act, Wet weerbaarheid kritieke entiteiten, was adopted by the House of Representatives on 15 April 2026. It introduces obligations for organisations in vital sectors such as energy, transport, healthcare, water, digital infrastructure and public services. The Dutch model makes clear that CER will not apply automatically to every organisation. Formal designation by the responsible ministry is the trigger. Once designated, the organisation must perform risk assessments, implement resilience measures and comply with incident reporting duties.
The Dutch government’s public guidance is also explicit about the scope. CER is focused on physical resilience against risks such as terrorism, sabotage and natural disasters. It covers sectors including energy, drinking water, transport, digital infrastructure, food, healthcare, financial market infrastructure, wastewater, government services, banking and space. Designated entities must carry out their own risk assessments, take proportionate measures, report significant incidents within 24 hours and prepare business continuity, crisis management and incident response capabilities.
This is the operational core of CER: risk ownership moves from abstract governance to demonstrable control over sites, systems, people, suppliers and access.
The current threat landscape justifies the regulatory pressure. ENISA’s 2025 Threat Landscape analysed 4,875 incidents between 1 July 2024 and 30 June 2025. DDoS represented 77% of reported incidents, ransomware was identified as the most impactful threat, phishing accounted for about 60% of observed initial access cases, and state-aligned actors intensified operations against EU organisations. ENISA also highlights convergence between hacktivists, cybercriminals and state-aligned actors, including “faketivism”, where state-linked operations use hacktivist characteristics to obscure attribution.
That is only the digital side. CER forces organisations to look at the full attack surface. Physical sabotage, insider misuse, contractor access, unattended cabinets, unmanned sites, substations, pumping stations, data centres, rail assets, ports and telecom nodes are all in scope when they support essential services.
The strategic risk is clear: attackers no longer need to choose between cyber and physical access. They can combine both. A phishing attack can create credentials. A stolen badge or unmanaged key can create site access. A compromised supplier account can create a maintenance window. A lost mechanical key can remain a permanent vulnerability. This is where many resilience programmes still fail.
CER implementation is not solved by a policy document. Critical entities need evidence-based controls. The following measures should now move into execution:
1. Sector and entity-level risk assessments
Authorities must perform sectoral risk assessments, and designated entities must run their own operational risk assessments. These assessments must cover natural and man-made risks, including sabotage, terrorism, criminal interference, cyber-physical disruption, supplier dependency and loss of essential services.
2. Critical asset identification
Organisations need a live inventory of critical sites, rooms, cabinets, substations, traffic systems, water installations, telecom nodes, server racks, distribution assets and operational control points. Without asset-level visibility, resilience remains theoretical.
3. Access governance for physical infrastructure
Access to critical assets must be role-based, time-bound, auditable and revocable. Mechanical key registers, spreadsheets and locally managed locking plans are no longer defensible in a CER context.
4. Incident reporting readiness
CER introduces reporting obligations for incidents that significantly disrupt, or may significantly disrupt, essential services. In the Dutch guidance, this includes a 24-hour reporting duty. That requires reliable logging, clear escalation paths and evidence capture before an incident occurs, not after.
5. Business continuity and crisis protocols
Critical entities must have tested continuity plans, crisis management procedures and incident response playbooks. These must include cyber-physical scenarios: loss of access systems, contractor misuse, sabotage at remote sites, simultaneous IT and OT disruption, and supplier failure.
6. Supplier and contractor control
Many critical entities depend on contractors for field work, maintenance, inspection and emergency repairs. Under CER, supplier access becomes a resilience risk. Organisations must know who has access, why, when, to which assets, under whose approval and with what audit trail.
7. Alternative supply chains and fallback procedures
The Dutch guidance explicitly advises organisations to identify alternative supply chains. This is not limited to materials. It also applies to access processes, emergency response, key issuing, field authorisation and continuity of maintenance operations.
8. Awareness and organisational accountability
CER requires resilience to become a board-level operating model. Awareness is not a poster campaign. It means every operational team understands that access, keys, contractors and field procedures are part of critical infrastructure security.
Most critical entities have invested heavily in cyber security, identity and access management (IAM), identity governance and administration (IGA), SOC operations, SIEM tooling and network segmentation. That is necessary. It is not sufficient. The weak spots are typically found at the boundary between digital identity and physical access:
Mechanical keys are still widely used for critical locations. They cannot be revoked. They are copied, lost, shared and stored without reliable governance.
Electronic key systems often remain disconnected from IAM and IGA. The result is a gap between someone’s digital role and their physical access rights.
Contractor access is too often handled outside corporate identity governance. Temporary access becomes permanent by default.
Audit trails are incomplete. Organisations can often prove who logged into a system, but not who physically opened a cabinet, gate, technical room or substation.
Access reviews are manual. Spreadsheets, local administrators and historic key plans do not create real-time resilience.
Incident reconstruction is weak. During a crisis, the organisation must know who had access, who used access, which keys were active, and which assets were exposed.
This is the hard truth: many organisations are trying to comply with CER using processes designed for a lower threat environment.
The legal deadlines are already behind the market. The operational deadline is now. Critical entities should act on the following priorities immediately:
1. Build one inventory of critical assets and access points
Start with the assets that matter most: substations, water sites, telecom rooms, control cabinets, data centres, rail and transport infrastructure, energy distribution points, pumping stations and public safety assets.
2. Connect physical access to digital identity
Physical access rights must follow the same governance logic as IT access: joiner, mover, leaver, role change, approval, recertification and revocation.
3. Replace permanent access with time-bound access
Access should be issued for a role, task, location and time window. Permanent access should be treated as an exception requiring explicit business justification.
4. Make revocation real
Lost keys, terminated employees, expired contractor assignments and changed roles must result in immediate access revocation. If revocation depends on manual processes, the control is not mature enough.
5. Create audit-ready evidence
CER supervision will require proof. Organisations need reporting that shows who approved access, who received access, when it was used, which asset was accessed, and whether the access was compliant with policy.
6. Integrate with SOC and incident response
Physical access events should not live in isolation. Lock and badge events belong in the same SIEM and correlation logic as login events, so that high-risk access, unusual access patterns, repeated failed attempts, emergency overrides, use of a revoked or expired credential, and access outside normal operating windows are visible to security operations in the same place as the rest of the telemetry.
7. Treat contractors as identities, not exceptions
Every contractor should be governed through identity, role, assignment, approval and expiry date. “Known person with a key” is not a control model.
8. Run cyber-physical exercises
Test realistic scenarios: stolen key, compromised contractor, sabotage attempt, emergency maintenance during cyber outage, access system failure, simultaneous disruption across multiple sites.
CER creates a direct requirement for better governance over physical access to critical infrastructure. That is exactly where the market gap sits. IAM and IGA platforms govern digital access. Electronic locking systems control physical access. But in many organisations, these two worlds remain disconnected. Key2XS closes that gap by linking physical keys and cylinders to digital identity, roles, approvals and audit trails.
For critical entities, this means:
Physical access becomes part of identity governance.
Key rights can be created, changed and revoked based on IAM data.
Approval flows can be aligned with existing governance processes.
Audit evidence becomes available for compliance, incident reconstruction and supervision.
Multiple lock and IAM ecosystems can be governed through one workflow.
CER will not be won by writing more policies. It will be won by proving operational control over critical assets. That includes the physical keys, locks, cabinets, sites and people that still form the first and last line of defence.
The EU has moved from critical infrastructure protection as a national security concept to critical entity resilience as a legal and operational obligation. Implementation is uneven, but the direction is fixed. The threat landscape is getting worse, not better. Attackers are blending cyber, physical, criminal and state-aligned methods. Regulators are responding accordingly.
For critical entities, the message is simple: waiting for formal designation is a bad strategy. The organisations that act now will be ready when supervision starts. The organisations that delay will discover that CER compliance cannot be built in the last ten months.
The must-do-now is clear: identify critical assets, govern physical access through identity, make revocation real, create audit-ready evidence and integrate physical access into resilience operations.
In the CER era, unmanaged physical access is no longer an operational inconvenience. It is a board-level resilience risk.