Transposition of the Critical Entities Resilience Directive (CER)
What is transposition into national law?
Transposition is the process which each EU Member State adopts in order to achieve the goals and requirements of an EU Directive, and to align national legislation with EU legislation.
Fighting regulatory arbitrage in the EU
Arbitrage is the simultaneous buying and selling of securities, currencies, commodities etc., in different markets, in order to take advantage of different prices for the same asset.
For example, Sam Bankman-Fried, founder and former CEO of the cryptocurrency exchange FTX (that failed having unacceptable corporate governance practices), exploited arbitrage opportunities in crypto. While Bitcoin was priced at around $10,000 in the US, it was traded for $15,000 on Korean exchanges. This was because of a huge demand for Bitcoin in Korea.
Unfortunately, there is regulatory arbitrage too. There are differences and inconsistencies in the application of law in the EU member states, and important regulatory differences.
All EU countries must transpose the directives into national law. Some countries proceed with a stricter implementation (and increase the cost for compliance), and some other countries proceed with a less strict implementation (and minimise the cost for compliance). International companies often do “regulatory shopping” and establish their presence in the EU in countries where compliance is less expensive. This can lead to a competitive disadvantage for the countries that do a more proper implementation, that costs more.
Countries that do less, and even do not meet the objectives of a directive, can have advantages, and offer a higher return of equity for firms, just because the cost for compliance is lower. Cyber Risk GmbH does not support these practices in any way, as the increased impact and likelihood of risks, especially after the recent war in Europe, can not justify any plan for regulatory arbitrage. We are pleased to see that year after year the EU introduces more regulations where it is possible, directly applicable to all EU Member States, instead of directives that must be transposed into national law (with national options and discretions).
Understanding the CER Directive transposition in every EU country
Article 26, Transposition
"1. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 18 October 2024.
2. When Member States adopt the measures referred to in paragraph 1, they shall contain a reference to this Directive or be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States."
We will cover in the section that follows the information about the transposition of the CER Directive in every EU country, based on information provided by each Member State.
Austria, transposition of the CER Directive
Belgium, transposition of the CER Directive
Bulgaria, transposition of the CER Directive
Croatia, transposition of the CER Directive
Cyprus, transposition of the CER Directive
Czechia, transposition of the CER Directive
Denmark, transposition of the CER Directive
Estonia, transposition of the CER Directive
Finland, transposition of the CER Directive
France, transposition of the CER Directive
Germany, transposition of the CER Directive
Greece, transposition of the CER Directive
Hungary, transposition of the CER Directive
Ireland, transposition of the CER Directive
Italy, transposition of the CER Directive
Latvia, transposition of the CER Directive
Lithuania, transposition of the CER Directive
Luxembourg, transposition of the CER Directive
Malta, transposition of the CER Directive
Netherlands, transposition of the CER Directive
Poland, transposition of the CER Directive
Portugal, transposition of the CER Directive
Romania, transposition of the CER Directive
Slovakia, transposition of the CER Directive
Slovenia, transposition of the CER Directive
Spain, transposition of the CER Directive
Sweden, transposition of the CER Directive
Contact us
Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.
2. The European Cyber Resilience Act
3. The Digital Operational Resilience Act (DORA)
4. The Critical Entities Resilience Directive (CER)
5. The Digital Services Act (DSA)
6. The Digital Markets Act (DMA)
7. The European Health Data Space (EHDS)
10. European Data Governance Act (DGA)
11. The Artificial Intelligence Act
12. The European ePrivacy Regulation
13. The European Cyber Defence Policy