Note: For the Critical Entities Resilience Directive Trained Professional (CERDTPro) online training, exam, and certificate of completion:
You may visit: https://www.critical-entities-resilience-directive.com/Critical_Entities_Resilience_Directive_Trained_Professional_(CERDTPro).html
Possible modules of the tailor-made training program
The European Union (EU) - key institutions, the EU legislative process, the roles.
- The European System of Financial Supervision.
- The major changes after the Lisbon Treaty.
- Delegated acts - supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service, Common Foreign and Security Policy (CFSP), Common Security and Defence Policy (CSDP), European Cyber Defence Policy Framework (CDPF).
Before the CER Directive.
- The European Programme for Critical Infrastructure Protection (‘EPCIP’) and the European Critical Infrastructures (‘ECIs’).
- The evaluation of Directive 2008/114/EC.
The Critical Entities Resilience Directive (CER), important Articles.
- Before discussing Article 1 of the CER Directive.
- The Annex, and NACE Rev. 2.
CHAPTER I, GENERAL PROVISIONS
- Article 1, Subject matter and scope, CER Directive.
- Article 2, Definitions, CER Directive.
- Article 3, Minimum harmonisation, CER Directive.
CHAPTER II, NATIONAL FRAMEWORKS ON THE RESILIENCE OF CRITICAL ENTITIES
- Article 4, Strategy on the resilience of critical entities, CER Directive.
- Article 5, Risk assessment by Member States, CER Directive.
- Article 6, Identification of critical entities, CER Directive.
- Article 7, Significant disruptive effect, CER Directive.
- Article 8, Critical entities in the banking, financial market infrastructure and digital infrastructure sectors, CER Directive.
- Article 9, Competent authorities and single point of contact, CER Directive.
- Article 10, Member States’ support to critical entities, CER Directive.
- Article 11, Cooperation between Member States, CER Directive.
CHAPTER III, RESILIENCE OF CRITICAL ENTITIES
- Article 12, Risk assessment by critical entities, CER Directive.
- Article 13, Resilience measures of critical entities, CER Directive.
- Article 14, Background checks, CER Directive.
- Article 15, Incident notification, CER Directive.
- Article 16, Standards, CER Directive.
CHAPTER IV, CRITICAL ENTITIES OF PARTICULAR EUROPEAN SIGNIFICANCE
- Article 17, Identification of critical entities of particular European significance, CER Directive.
- Article 18, Advisory missions, CER Directive.
CHAPTER V, COOPERATION AND REPORTING
- Article 19, Critical Entities Resilience Group, CER Directive.
- Article 20, Commission support to competent authorities and critical entities, CER Directive.
CHAPTER VI, SUPERVISION AND ENFORCEMENT
- Article 21, Supervision and enforcement, CER Directive.
- Article 22, Penalties, CER Directive.
CHAPTER VII, DELEGATED AND IMPLEMENTING ACTS
- Article 23, Exercise of the delegation, CER Directive.
- Article 24, Committee procedure, CER Directive.
CHAPTER VIII, FINAL PROVISIONS
- Article 25, Reporting and review, CER Directive.
- Article 26, Transposition, CER Directive.
- Article 27, Repeal of Directive 2008/114/EC, CER Directive.
- Article 28, Entry into force, CER Directive.
- Article 29, Addressees, CER Directive.
Understanding the CER Directive.
- NIS 2 and the resilience of critical entities.
- Sector-specific Union legal acts and the resilience of critical entities.
- National security, defence, law and order, and the resilience of critical entities.
- Entities that are jointly established.
- Employees / contractors of critical entities.
- Requests for background checks.
- So many deadlines … Mark your calendar.
- Important national options and discretions.
Other new EU Directives and Regulations.
- The NIS 2 Directive.
- The Digital Operational Resilience Act (DORA).
- The Artificial Intelligence Act.
- The European Data Act.
- The European Data Governance Act (DGA).
- The European Cyber Resilience Act (CRA).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Chips Act.
- The Artificial Intelligence Liability Directive.
- The Framework for Artificial Intelligence Cybersecurity Practices (FAICP).
- The EU Cyber Solidarity Act.
- The Digital Networks Act (DNA).
- The European ePrivacy Regulation.
- The European Digital Identity Regulation.
- The European Media Freedom Act (EMFA).
- The Corporate Sustainability Due Diligence Directive (CSDDD).
- The Systemic Cyber Incident Coordination Framework (EU-SCICF).
- The European Health Data Space (EHDS).
- The European Financial Data Space (EFDS).
- The Financial Data Access (FiDA) Regulation.
- The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR).
- Internal Market Emergency and Resilience Act (IMERA).
- The European Space Law (EUSL).
Instructor
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
With which Directive do we have to comply? The Critical Entities Resilience Directive (CER), the NIS 2 Directive, or a sector-specific legal act?
The NIS 2 Directive (2022/2555) addresses cybersecurity challenges. Cybersecurity is addressed sufficiently in the NIS 2 Directive, so the matters covered by the NIS 2 Directive are excluded from the scope of the Critical Entities Resilience Directive (CER). To make it as clear as possible, for cybersecurity challenges the NIS 2 Directive applies, given that the requirements laid down in the NIS 2 Directive are at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER).
Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER), the relevant provisions of the Critical Entities Resilience Directive (CER) should not apply. The relevant provisions of sector-specific legal acts should apply.
What about challenges that affect both the physical security and the cybersecurity of critical entities? NIS 2 and CER will both be implemented in a coordinated manner, according to Article 1.2 of the Critical Entities Resilience Directive (CER).
CER covers a wide range of risks, not just cybersecurity risks. According to Article 13 of CER (Resilience measures of critical entities), critical entities must take technical, security and organisational measures to ensure their resilience, including measures necessary to:
(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;
(b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;
(c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;
(d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service;
(e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications;
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises.
Certain critical entities carry out activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences, or provide services exclusively to public administration entities that carry out activities predominantly in those areas. Member States are responsible for safeguarding national security and defence, and they may decide that the obligations on critical entities laid down in the Critical Entities Resilience Directive (CER) do not apply, in whole or in part, to such entities.
The ‘Member State risk assessment’.
EU Member States must identify critical entities and ensure their resilience. They must focus on the entities most relevant for the performance of vital societal functions or economic activities. Each Member State will carry out an assessment of the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, that could affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage.
The ‘critical entity risk assessment’.
Critical entities must have a comprehensive understanding of the relevant risks to which they are exposed, and a duty to analyse those risks. They should carry out risk assessments in view of their particular circumstances and the evolution of those risks, and at least every four years, in order to assess all relevant risks that could disrupt the provision of their essential services.
The competent authority will declare that an existing risk assessment carried out by a critical entity, where it addresses the relevant risks and the relevant extent of dependence, is compliant, in whole or in part, with the obligations laid down in the CER Directive.
According to the CER Directive, critical entities should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident. While critical entities should take those measures in accordance with the Directive, the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of that entity in an appropriate and proportionate way.
Who must comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the following categories, set out in the Annex to the Directive:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
— Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and on where those products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider whether they must comply with the Directive.