If you are a CISO at a critical-infrastructure organization in Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, or Sweden, your Critical Entities Resilience (CER) Directive enforcement clock just shortened. On May 7th, 2026, the European Commission referred all seven Member States to the Court of Justice of the European Union for failing to transpose the CER directive more than eighteen months after the deadline. The Commission also asked the Court to impose lump sums and daily penalty payments on each state. That pressure cascades fast. To limit their financial exposure, the seven Member States will accelerate transposition and tighten the political mandate on their national supervisors. Those supervisors will translate that mandate into faster designations, harder enforcement priorities, and shorter grace periods. Designated entities will pass the new obligations down to their suppliers through contract clauses.
Three Things Make This Referral DifferentDo not wait for the Court to rule before you act. The seven Member States will now transpose under combined financial and political pressure, and the supervisors who follow will arrive with a mandate. CER applies across 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. The substantive obligations are the same; the operational reality is not. In most organizations’, cyber, physical security, and BCM sit in separate reporting lines. CER directive does not care. Consider a regional water utility two months after designation. The supervisor expects a documented risk assessment, a board-approved business continuity plan, a tested 24-hour incident notification channel, and demonstrable governance. Designations can begin within weeks of entry into force. Consider that:
The Commission is asking for sanctions at the first hearing. Article 260(3) of the Treaty on the Functioning of the European Union lets the Commission propose lump sums and daily penalty payments alongside the first referral, instead of waiting for a second non-compliance judgment. The Commission has stated it will use Article 260(3) as a matter of principle for late transpositions. For CISOs, expect national supervisors to enforce harder and earlier than they did under the GDPR.
Seven Member States missed the same deadline. The list does not contain the usual rule-of-law outliers. It contains France, Sweden, the Netherlands, Spain, and Luxembourg, all of which usually post strong transposition records. When that group misses the same date together, the cause is structural: cross-ministerial scope, overlap with existing national regimes, and definitions deliberately left open at the EU level. For CISOs, assume the resulting national laws will diverge causing scope, timing, and supervisory authority to differ country by country.
The directive itself is a ProtectEU instrument. The CER directive is the EU’s all-hazards resilience law, covering terror, sabotage, cyber, and natural disaster. The Commission tied the referral directly to its ProtectEU European Internal Security Strategy. The framing matters. This referral is part of a hardened enforcement posture on hybrid threats, not a routine transposition complaint. For CISOs, CER conversations will increasingly involve interior and defense ministries, not just your usual privacy and IT supervisors.
What CISOs Should Do Now
Stop assuming your NIS2 program covers CER. The two directives overlap on supplier due diligence and BCM scope, but they diverge on operational matters. The NIS2 directive mandates harmonized 24-hour and 72-hour notification windows, while CER is less harmonized on incident notification, with timing and channels varying by Member State. However, the NIS2 directive focuses on cybersecurity; CER is all-hazards. Treat NIS2 directive work as a useful baseline, not a proxy for compliance.
Run CER, NIS2, DORA, and the CRA on one operating model. Four parallel compliance programs will produce four parallel governance boards, four sets of risk assessments, and four sets of supplier questionnaires. Build one integrated risk taxonomy, one incident response framework, one supplier inventory, and one board-level reporting line. Map the directive-specific obligations on top.
Run the gap analysis now, against the directive itself. Use the CER Directive’s annex on sectors and subsectors to identify which business units fall in scope. Run a business impact analysis (BIA) against essential service delivery. Score current controls against the duty-of-care obligations in the directive. Ten months from designation is too short a window to start from scratch.
Bring third-party and supplier obligations forward into the next contract cycle. Critical entities will pass CER obligations down through contractual cascade: incident notification SLAs, audit rights, sub-processor restrictions, attestations on physical and personnel security. Start with your top ten material vendors in CER-relevant processes — that scope is manageable inside one contract cycle. Contract renewal cycles for material vendors run 6 to 9 months. Procurement and legal need to be drafting clauses now if you want them in force by designation.
Run cyber and physical scenarios together — and own the seam. CER’s all-hazards scope is the main thing that distinguishes it from the NIS2 directive. Most security organizations run mature cyber tabletop exercises and weak physical exercises. Joint scenarios belong on the calendar this quarter: substation sabotage that takes systems offline, insider physical access to a data center, drone interference with logistics, supply chain disruption combined with a coordinated phishing campaign. Before this becomes a tabletop question, it is an organizational design question. Your CER supervisor will expect you to demonstrate an integrated risk posture.
If Your Customers Are Designated Entities, You Are AffectedCER will reach you through customer questionnaires, contract clauses, and SLA changes — even if your organization is not designated. A SaaS vendor to a water utility, a logistics partner to a hospital, or a managed service provider to a bank will face the same expectations through their customers’ contractual obligations, often with less time and less leverage than the designated entities themselves.
Map your CER-exposed customer base now. Identify which of your customers operate in the 11 CER sectors and prioritize the top quartile by revenue. Those are the contracts where the new clauses will land first, often before formal designation arrives.
Raise the budget conversation before procurement does. New incident notification SLAs, audit rights, sub-processor restrictions, and physical and personnel attestations require investment. If you wait, you will pay twice — once for the controls, once for the rushed delivery. And you will personally pay in trust and goodwill if finance and/or the board first hears about the CER directive through a contract renegotiation in distress.
Build a reusable attestation pack, not a per-questionnaire response. Controls evidence, sub-processor inventory, incident playbook, physical security posture, business continuity testing — package once, share with every customer. Vendors who pre-empt these requests command better commercial terms; vendors who answer them ad-hoc renegotiate under pressure.
Connect With UsForrester clients with questions about CER, NIS2, DORA, or building an integrated resilience operating model can schedule an inquiry or guidance session with me.
-1024x683.jpg "Strait Outta Hormuz: Getting the Iran Oil Story Straight")
