
Brussels Takes Seven Member States To Court Over CER, And The Consequences Land On You
Why It Matters
Accelerated enforcement will raise compliance costs and create divergent national requirements, directly impacting critical‑infrastructure operators and their supply chains across Europe.
Key Takeaways
- EU Commission seeks lump‑sum and daily penalties at first hearing
- Seven states must accelerate CER transposition, tightening supervisory mandates
- National laws will diverge, creating varied scope and timelines
- CISOs must integrate CER with NIS‑2, DORA, and CRA compliance
- Supplier contracts need CER clauses now to avoid rushed compliance
Pulse Analysis
The EU’s ProtectEU strategy has turned the Critical Entities Resilience (CER) Directive into a high‑stakes enforcement tool. By invoking Article 260.3, the European Commission is demanding penalties at the very first hearing, a departure from the usual two‑step process. This signals a broader shift toward pre‑emptive sanctions for late transposition, echoing the EU’s tougher stance on hybrid threats such as cyber‑attacks, sabotage and terrorism. For businesses, the message is clear: compliance timelines are no longer negotiable, and the financial stakes are rising.
Member states that missed the deadline—France, Luxembourg, the Netherlands, Spain, Sweden, plus Bulgaria and Poland—face a compressed schedule to adopt national CER laws. Because the directive leaves key definitions open, each country is likely to craft its own nuances, resulting in a patchwork of obligations that vary in scope, reporting windows and supervisory authority. CISOs must therefore treat CER as a distinct regime, not a simple extension of NIS‑2. Building a unified risk taxonomy that maps CER, NIS‑2, DORA and the Cyber Resilience Act onto a single governance framework will reduce duplication and help organizations respond to divergent national requirements.
Practically, the referral forces immediate action on supplier contracts and incident‑response planning. Critical entities will embed CER clauses—such as incident‑notification SLAs, audit rights and physical‑security attestations—into upcoming procurement cycles, and downstream vendors must be ready to comply. Companies should prioritize their top‑tier customers in the 11 CER‑covered sectors, develop reusable attestation packs, and run joint cyber‑physical tabletop exercises to demonstrate an integrated risk posture. Early budgeting for these controls will avoid the double‑pay scenario of rushed remediation and protect both commercial relationships and regulatory standing.