A detailed use case of a fictional security incident in the energy sector, designed to illustrate how the Critical Entities Resilience (CER) Directive applies in practice:
NorthGrid Power Station, a large EU-based operator of gas-fired power plants, is classified as a critical entity under the CER Directive. It supplies electricity to over 2 million residents and several hospitals, data centers, and municipal services in its region.
As required by the CER Directive, NorthGrid maintains a Business Continuity Plan (BCP), performs regular risk assessments, and has upgraded its physical and logical access controls. However, third-party contractors are still granted access to certain plant areas using RFID-based key cards administered through a legacy system.
An external contractor employed by NorthGrid’s HVAC subcontractor has his credentials cloned after leaving his RFID keycard unattended in a public co-working space. The attacker, an eco-extremist posing as a technician, uses the cloned keycard and contractor uniform to gain unauthorized physical access to a critical control room.
The attacker manually overrides cooling systems, causing a turbine to shut down. The plant is forced to go offline for six hours, resulting in regional brownouts and emergency generator activation at two hospitals.
Incident Notification: Within 24 hours, NorthGrid is legally required to notify the national CER authority (e.g., the Ministry of Energy or designated regulator), including the nature, impact, and mitigation steps.
Internal Investigation: NorthGrid must perform a root cause analysis and provide a full report within 72 hours.
Public Transparency: Because of the impact on healthcare facilities, NorthGrid is expected to communicate clearly with the public and authorities to mitigate reputational and regulatory damage.
Inadequate Supplier Vetting: NorthGrid had not conducted updated resilience assessments on its subcontractor in the past 18 months.
Legacy Key System: The access control system used by the contractor did not comply with the CER’s expectations for traceable and revocable credentials.
No Role-Based Access: The HVAC technician’s card allowed access to areas beyond his operational requirement — a violation of the principle of least privilege.
Regulatory Fine: The regulator imposes a €400,000 fine for failure to mitigate foreseeable access risks.
Civil Lawsuits: Families of patients affected during the hospital outages file civil claims for damages.
Board Scrutiny: Senior management is summoned before a national inquiry to explain the failure of governance under CER obligations.
Upgraded Access Controls: NorthGrid replaces the legacy RFID system with time-limited, encrypted digital keys integrated with Microsoft Entra ID.
Supplier Re-qualification: A full resilience audit of all subcontractors is conducted. Those failing to meet CER standards are terminated or placed under probation.
Executive-Level Oversight: A Chief Resilience Officer (CRO) is appointed to report directly to the board.
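The three control gaps named above (credentials that were not traceable or revocable, a card that opened zones beyond the technician's role, and the remediation with time-limited digital keys) come down to one authorization decision at each door. The following Python sketch is an added illustration, not NorthGrid's or any vendor's code, of what that decision should check: a role-to-zone policy enforcing least privilege, a validity window, a revocation list consulted on every request, and an audit trail that makes each attempt attributable. Zone names, role names, credential IDs and timestamps are constructed sample values; the clock is injected so the scenario replays deterministically.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Role -> set of plant zones that role may enter. Constructed sample policy;
# the zone and role names are placeholders, not a real plant layout.
ROLE_ZONES = {
    "hvac_technician": {"mechanical_room", "roof_plant"},
    "control_operator": {"control_room", "turbine_hall"},
}


@dataclass(frozen=True)
class Credential:
    """A time-limited digital key bound to one named holder and one role."""
    credential_id: str
    holder: str
    role: str
    valid_from: datetime
    valid_until: datetime


class AccessController:
    """Decides door requests: least privilege, expiry, revocation, audit log."""

    def __init__(self, role_zones, clock):
        self.role_zones = role_zones
        self.clock = clock        # injected time source, so the example is deterministic
        self.revoked = {}         # credential_id -> reason it was revoked
        self.audit_log = []       # one record per decision, allow or deny

    def revoke(self, credential_id, reason):
        """Revocation is immediate: the next request with this key is denied."""
        self.revoked[credential_id] = reason

    def authorize(self, cred, zone):
        now = self.clock()
        if cred.credential_id in self.revoked:
            reason = "revoked: " + self.revoked[cred.credential_id]
        elif not (cred.valid_from <= now < cred.valid_until):
            reason = "outside validity window"
        elif zone not in self.role_zones.get(cred.role, set()):
            reason = f"role {cred.role!r} not permitted in {zone!r}"
        else:
            reason = "ok"
        allowed = reason == "ok"
        # Every attempt is logged with holder and key, which is what makes the
        # credential traceable after the fact.
        self.audit_log.append({
            "time": now.isoformat(), "credential": cred.credential_id,
            "holder": cred.holder, "zone": zone,
            "decision": "ALLOW" if allowed else "DENY", "reason": reason,
        })
        return allowed

    def denied_attempts(self, zone):
        """Detection hook: denied requests at a sensitive zone warrant review."""
        return [e for e in self.audit_log
                if e["zone"] == zone and e["decision"] == "DENY"]


def run_scenario():
    """Replay the contractor-card scenario against the hardened controls."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed start time
    current = {"now": t0}
    ctrl = AccessController(ROLE_ZONES, clock=lambda: current["now"])

    # An eight-hour key for the HVAC contractor (constructed values).
    contractor = Credential("key-0042", "hvac contractor", "hvac_technician",
                            valid_from=t0, valid_until=t0 + timedelta(hours=8))
    results = {}
    results["mech_room"] = ctrl.authorize(contractor, "mechanical_room")
    # Least privilege: an HVAC role does not open the control room.
    results["control_room"] = ctrl.authorize(contractor, "control_room")
    # The card is reported lost; revocation takes effect on the next request.
    ctrl.revoke("key-0042", "card reported lost")
    results["after_revoke"] = ctrl.authorize(contractor, "mechanical_room")
    # A second, unrevoked key simply expires once its window closes.
    other = Credential("key-0043", "hvac contractor 2", "hvac_technician",
                       valid_from=t0, valid_until=t0 + timedelta(hours=8))
    current["now"] = t0 + timedelta(hours=9)
    results["expired"] = ctrl.authorize(other, "mechanical_room")
    results["control_room_denials"] = len(ctrl.denied_attempts("control_room"))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the structure is that each of the three failures maps to one branch: the legacy card had no revocation branch at all, the role-to-zone map was missing so any valid card opened any door, and without the per-request log there was nothing to investigate within the 72-hour reporting window. In a real deployment the policy and revocation state would come from the identity provider rather than in-memory dictionaries, but the decision order (revoked, then expired, then role) stays the same.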
This incident demonstrates how even a single weak link — such as a contractor’s outdated access method — can create systemic risk in a critical entity. Under the CER Directive, organizations must treat third-party risk, physical security, and accountability as interconnected priorities. Failure to do so has legal, financial, and human consequences.