Summary
- Member states were required to identify critical entities by 17 July 2026 following national risk assessments.
- The regime covers 11 sectors and requires designated organisations to assess risks, implement resilience measures, and report serious disruption.
- Public evidence remains incomplete on whether national designation exercises have been completed consistently across the EU.
European Union governments have reached the deadline for identifying organisations that will be subject to the Critical Entities Resilience Directive, moving the regime from national preparation towards direct operational duties.
Member states were required to designate critical entities by 17 July 2026 after completing national risk assessments. The regime covers energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food production and distribution.
Once designated, organisations must conduct their own risk assessments, adopt technical, security, and organisational measures, and notify serious incidents that disrupt essential services. The framework covers cyberattacks alongside sabotage, terrorism, insider threats, natural hazards, public-health emergencies, and other causes of operational failure.
The European Commission issued implementation guidance shortly before the deadline. It addresses cross-border and cross-sector dependencies, employee security, physical protection, drones, hybrid threats, accidents, and recovery arrangements.
Although the guidance is not binding, it gives national authorities and operators a common reference point for judging whether measures are proportionate to the service at risk. It also reflects the directive’s broader definition of resilience, covering prevention, resistance, absorption, response, and recovery.
Designation establishes formal responsibility
The deadline does not create a single public EU register, because national authorities decide which organisations meet the thresholds and some designations may remain confidential. Publishing a complete list of critical operators and facilities could create its own security exposure.
Implementation is therefore difficult to assess from public information alone. There is no comprehensive source confirming that every member state completed the exercise by the deadline or applied the designation criteria in the same way. Cross-border operators may also receive decisions at different times and face differing supervisory expectations.
Formal designation establishes who carries the legal responsibility for maintaining resilience. Organisations that have treated the directive as a legislative-monitoring exercise will need operational evidence covering essential services, dependencies, recovery resources, critical personnel, and escalation arrangements.
Those assessments will expose the distance between a legal entity and the service it provides. A critical operator may depend on a cloud provider, managed service provider, datacentre operator, software supplier, telecommunications carrier, facilities contractor, or specialised maintenance company that it does not directly control.
Risk analysis must therefore extend beyond the operator’s internal estate. It needs to identify suppliers that cannot be replaced quickly, services whose loss would halt delivery, and concentration points shared across several functions or sectors.
CER sits alongside NIS2 and DORA
The Critical Entities Resilience Directive operates beside the Network and Information Security Directive, which focuses more directly on cybersecurity and incident management, and the Digital Operational Resilience Act for financial services. Many organisations and technology providers will contribute evidence under more than one regime.
Overlapping obligations can support a fuller view of resilience where authorities use compatible definitions, tests, and incident information. They can also create duplicated assessments and inconsistent priorities when cyber, physical security, operational risk, and regulatory teams maintain separate control frameworks.
Service continuity provides a more useful organising principle than the production of several versions of the same evidence. Regulators will need to recognise work conducted under neighbouring regimes where it addresses the same underlying dependency or recovery capability.
Cross-border infrastructure adds another layer of complexity. An energy, transport, or health operator in one country may rely on communications, cloud infrastructure, specialist labour, or maintenance services based elsewhere in the Union. A plan confined to one legal entity or national border will not reflect how the service is delivered.
National authorities must now notify designated entities and begin supervision, while operators move towards organisation-level assessments and documented resilience measures. Consistency will depend on how designation decisions, regulatory expectations, and cross-border cooperation develop after the deadline.




