Critical Entities Resilience Directive Trained Professional (CERDTPro) program
Overview
With which Directive do we have to comply? The Critical Entities Resilience Directive (CER), the NIS 2 Directive, or another legal act?
The NIS 2 Directive (2022/2555) addresses cybersecurity challenges. Cybersecurity is addressed sufficiently in the NIS 2 Directive, so the matters covered by the NIS 2 Directive are excluded from the scope of the Critical Entities Resilience Directive (CER). To make it as clear as possible, for cybersecurity challenges the NIS 2 Directive applies, given that the requirements laid down in the NIS 2 Directive are at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER).
Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER), the relevant provisions of the Critical Entities Resilience Directive (CER) should not apply. The relevant provisions of sector-specific legal acts should apply.
What about challenges that affect both, the physical security and cybersecurity of critical entities? NIS 2 and CER will both be implemented in a coordinated manner, according to article 1.2 of the Critical Entities Resilience Directive (CER).
CER covers a wide range or risks, not just cybersecurity risks. According to Article 13 of CER, (Resilience measures of critical entities), critical entities must take technical, security and organisational measures to ensure their resilience, including measures necessary to:
(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;
(b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;
(c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;
(d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service;
(e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications;
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises.
Objectives
The program has been designed to provide with the skills needed to understand and support compliance with the Critical Entities Resilience Directive (CER).
It also provides with the skills needed to pass the Critical Entities Resilience Directive Trained Professional (CERDTPro) exam, and to receive the Certificate of Completion, that provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.
Target Audience
The program is beneficial to risk and compliance managers and professionals, auditors, consultants, suppliers and service providers that work for companies and organizations that have to comply with the Critical Entities Resilience Directive (CER).
Who must comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the categories:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the Directive or not.
Course Synopsis
The European Union (EU) - key institutions, the EU legislative process, the roles.
- The European System of Financial Supervision.
- The major changes after the Lisbon Treaty.
- Delegated acts - supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service, Common Foreign and Security Policy (CFSP), Common Security and Defence Policy (CSDP), European Cyber Defence Policy Framework (CDPF).
Before the CER Directive.
- The European Programme for Critical Infrastructure Protection (‘EPCIP’) and the European Critical Infrastructures (‘ECIs’).
- The evaluation of Directive 2008/114/EC.
The Critical Entities Resilience Directive (CER), important Articles.
- Before discussing Article 1 of the CER Directive.
- We must start with the Annex, and NACE Rev. 2.
- Subject matter and scope.
- Definitions.
- Strategy on the resilience of critical entities.
- Risk assessment by Member States.
- Identification of critical entities.
- Significant disruptive effect.
- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.
- Competent authorities and single point of contact.
- Member States’ support to critical entities.
- Cooperation between Member States.
- Risk assessment by critical entities.
- Resilience measures of critical entities.
- Background checks.
- Incident notification.
- Identification of critical entities of particular European significance.
- Advisory missions.
- Critical Entities Resilience Group.
- Commission support to competent authorities and critical entities.
- Supervision and enforcement.
- Penalties.
- Exercise of the delegation.
- Committee procedure.
- Reporting and review.
- Transposition.
- Repeal of Directive 2008/114/EC.
- Entry into force.
Understanding better the CER Directive.
- NIS 2 and the resilience of critical entities.
- Sector-specific Union legal acts and the resilience of critical entities.
- National security, defence, law and order, and the resilience of critical entities.
- Entities that are jointly established.
- Employees / contractors of critical entities.
- Requests for background checks.
- So many deadlines … Mark your calendar.
- Important national options and discretions.
Other new EU Directives and Regulations.
- 1. The European Cyber Resilience Act.
- 2. The NIS 2 Directive.
- 3. The Digital Operational Resilience Act (DORA).
- 4. The Digital Services Act (DSA).
- 5. The Digital Markets Act (DMA).
- 6. The European Health Data Space (EHDS).
- 7. The European Chips Act.
- 8. The European Data Act.
- 9. The European Data Governance Act (DGA).
- 10. The Artificial Intelligence Act.
- 11. The European ePrivacy Regulation.
- Closing remarks
Become a Critical Entities Resilience Directive Trained Professional (CERDTPro)
This is a Distance Learning with Certificate of Completion program, provided by Cyber Risk GmbH. The General Terms and Conditions for all legal transactions made through the Cyber Risk GmbH websites (hereinafter “GTC”) can be found at: https://www.cyber-risk-gmbh.com/Impressum.html
Each Distance Learning with Certificate of Completion program (hereinafter referred to as “distance learning program”) is provided at a fixed price, that includes VAT. There is no additional cost, now or in the future, for any reason.
We will send the distance learning program via email up to 24 hours after the payment (working days). Please remember to check the spam folder of your email client too, as emails with attachments are often landed in the spam folder.
You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our distance learning programs for any reason, all you must do is to send us an email, and we will refund the payment, no questions asked.
Your payment will be received by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH will also send the certificates of completion to all persons that will pass the exam.
The all-inclusive cost is 297 USD (US Dollars).
First option: You can purchase the Critical Entities Resilience Directive Trained Professional (CERDTPro) program with VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.
Purchase the CERDTPro program here (VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.)
Second option: QR code payment.
i. Open the camera app or the QR app on your phone.
ii. Scan the QR code and possibly wait for a few seconds.
iii. Click on the link that appears, open your browser, and make the payment.
Third option: You can purchase the Critical Entities Resilience Directive Trained Professional (CERDTPro) program with PayPal
When you click "PayPal" below, you will be redirected to the PayPal web site. If you prefer to pay with a card, you can click "Debit or Credit Card" that is also powered by PayPal.
What is included in the cost of the distance learning program:
A. The official presentations (656 slides).
The presentations are effective and appropriate to study online or offline. Busy professionals have full control over their own learning and are able to study at their own speed. They are able to move faster through areas of the course they feel comfortable with, but slower through those that they need a little more time on.
B. Up to 3 online exam attempts per year.
Candidates must pass only one exam. If they fail, they must study the official presentations and retake the exam. Candidates are entitled to 3 exam attempts every year.
If candidates do not achieve a passing score on the exam the first time, they can retake the exam a second time.
If they do not achieve a passing score the second time, they can retake the exam a third time.
If candidates do not achieve a passing score the third time, they must wait at least one year before retaking the exam. There is no additional cost for additional exam attempts.
To learn more, you may visit:
C. The certificate of completion, with a scannable QR code for verification.
We will send it via email in Adobe Acrobat format (pdf). You will receive it up to 7 working days after you pass the exam.
D. Cyber Risk GmbH will develop a web page dedicated to each certified professional (https://www.cyber-risk-gmbh.com/Your_Name.htm).
When third parties scan the QR code on your certificate, they will visit this web page (https://www.cyber-risk-gmbh.com/Your_Name.htm), and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.
In this web page we will have your name, all the certificates you have received from us, and pictures of your certificates.
This is an example:
https://www.cyber-risk-gmbh.com/Monika_Meier.html
You can print your certificate that you will receive in Adobe Acrobat format (pdf). With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds. Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.
Frequently Asked Questions for the distance learning programs.
1. I want to know more about Cyber Risk GmbH.
“Cyber Risk GmbH” is a company incorporated in Switzerland.
Registered company name: Cyber Risk GmbH.
Registered address: Dammstrasse 16, 8810 Horgen, Switzerland.
Company number: CHE-244.099.341.
Cantonal Register of Commerce: Canton of Zürich.
Swiss VAT number: CHE-244.099.341 MWST.
EU VAT number: EU276036462. Cyber Risk GmbH is registered for EU VAT purposes in Germany (Bundeszentralamt für Steuern, Dienstsitz Saarlouis, Referat St III 4, One-Stop-Shop, Ludwig-Karl-Balzer-Allee 2, 66740 Saarlouis - Verfahren One-Stop-Shop, Nicht EU-Regelung) for the sale of services in the EU. The VAT One Stop Shop (OSS) simplifies VAT obligations for non-EU businesses selling goods and services cross border to final consumers in the EU. Cyber Risk GmbH declares and pays EU VAT in a single electronic quarterly return submitted to Germany, and the German Bundeszentralamt für Steuern forwards the EU VAT due to each member State of the EU.
“Cyber Risk GmbH Training Programs” are training programs developed, updated and provided by Cyber Risk GmbH, and include:
a) In-House Instructor-Led Training programs,
b) Online Live Training programs,
c) Video-Recorded Training programs,
d) Distance Learning with Certificate of Completion programs.
“Cyber Risk GmbH websites” are all websites that belong to Cyber Risk GmbH, and include the following:
a. Sectors and Industries.
2. Social Engineering Training
12. Transport Cybersecurity Toolkit
14. Sanctions Risk
15. Travel Security
b. Understanding Cybersecurity.
4. What is Synthetic Identity Fraud?
c. Understanding Cybersecurity in the European Union.
2. The European Cyber Resilience Act
3. The Digital Operational Resilience Act (DORA)
4. The Critical Entities Resilience Directive (CER)
5. The Digital Services Act (DSA)
6. The Digital Markets Act (DMA)
7. The European Health Data Space (EHDS)
10. The European Data Governance Act (DGA)
11. The EU Cyber Solidarity Act
12. The Artificial Intelligence Act
13. The Artificial Intelligence Liability Directive
14. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
15. The European ePrivacy Regulation
16. The European Digital Identity Regulation
17. The European Cyber Defence Policy
18. The Strategic Compass of the European Union
19. The EU Cyber Diplomacy Toolbox
2. Are your training and certification programs vendor neutral?
Yes. We do not promote any products or services, and we are 100% independent.
3. I want to learn more about the exam.
You can take the exam online from your home or office, in all countries.
It is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.
You will be given 90 minutes to complete a 35-question exam. You must score 70% or higher.
The exam contains only questions that have been clearly answered in the official presentations.
All exam questions are multiple-choice, composed of two parts:
a. A stem (a question asked, or an incomplete statement to be completed).
b. Four possible responses.
In multiple-choice questions, you must not look for a correct answer, you must look for the best answer. Cross out all the answers you know are incorrect, then focus on the remaining ones. Which is the best answer? With this approach, you save time, and you greatly increase the likelihood of selecting the correct answer.
TIME LIMIT - This exam has a 90-minute time limit. You must complete this exam within this time limit, otherwise the result will be marked as an unsuccessful attempt.
BACK BUTTON - When taking this exam you are NOT permitted to move backwards to review/change prior answers. Your browser back button will refresh the current page instead of moving backward.
RESTART/RESUME – You CANNOT stop and then resume the exam. If you stop taking this exam by closing your browser, your answers will be lost, and the result will be marked as an unsuccessful attempt.
SKIP - You CANNOT skip answering questions while taking this exam. You must answer all the questions in the order the questions are presented.
We do not send sample questions or past exams. If you study the presentations, you can score 100%.
When you are ready to take the exam, you must follow the steps described at "Question h. I am ready for the exam. What must I do?", at:
4. How comprehensive are the presentations? Are they just bullet points?
The presentations are not bullet points. They are effective and appropriate to study online or offline.
5. Do I need to buy books to pass the exam?
No. If you study the presentations, you can pass the exam. All the exam questions are clearly answered in the presentations. If you fail the first time, you must study more. Print the presentations and use Post-it to attach notes, to know where to find the answer to a question.
6. Is it an open book exam? Why?
Yes, it is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.
7. Do I have to take the exam soon after receiving the presentations?
No. You can take the exam any time. Your account never expires.
8. I want to receive a printed certificate. Can you send me one?
The cost of your certificate with a scannable QR code for verification is included in the cost of the program. We will send it via email in Adobe Acrobat format (pdf). You will receive it up to 7 working days after you pass the exam.
The cost of each printed certificate sent to your mail address is $75. It includes the administration, processing, and posting via registered mail with tracking number. Printed certificates are usually dispatched every 12 weeks. We accept payments with cards, QR, and PayPal.
You do not need to order a printed certificate. You can simply print your certificate that you will receive in Adobe Acrobat format (pdf). With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds.
9. Why should I purchase this program?
Firms and organizations hire and promote “fit and proper” professionals who can provide evidence that they are qualified. Employers need assurance that employees have the knowledge and skills needed to mitigate risks and accept responsibility. Supervisors and auditors ask for independent evidence that the process owners are qualified, and that the controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.
There are many new Directives and Regulations in the EU, and our target audience is overwhelmed and has little time to spare. Cyber Risk GmbH has developed a program that can assist them in understanding the new requirements, and in providing evidence that they are qualified, as they must pass an exam to receive their certificate of completion.
The all-inclusive cost of our distance learning programs is very low. There is no additional cost for each program, now or in the future, for any reason.
There are 3 exam attempts per year that are included in the cost of each program, so you do not have to spend money again if you fail.
You have a 100 USD discount for your second and each additional program from Cyber Risk GmbH (the all-inclusive cost is 197 USD).
For example, you may consider:
1. The NIS 2 Directive Trained Professional (NIS2DTP) program at: https://www.nis-2-directive.com/NIS_2_Directive_Trained_Professional_(NIS2DTP).html.
2. The Digital Operational Resilience Act Trained Professional (DORATPro) program at: https://www.digital-operational-resilience-act.com/Digital_Operational_Resilience_Act_Trained_Professional_(DORATPro).html.
3. The Digital Services Act Trained Professional (DiSeActTPro) program at: https://www.eu-digital-services-act.com/DiSeActTPro_Training.html.
4. The Digital Markets Act Trained Professional (DiMaActTPro) program at: https://www.eu-digital-markets-act.com/DiMaActTPro_Training.html.
5. The Data Governance Act Trained Professional (DatGovActTP) program at: https://www.european-data-governance-act.com/DatGovActTP_Training.html.
If you have already purchased one of our programs, please send us an email, to give you the URL for the discounted cost.
George Lekatis, a well-known expert in risk management and compliance, oversaw the development of this program. He has more than 20,000 hours experience as a seminar leader, and has provided training and executive coaching in information security and risk management to many leading global organizations, in 36 countries.
Contact us
Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.