EU CER Directive 2026: Strengthening Critical Infrastructure Resilience in Energy, Water, Transport and Health Sectors

Strengthening Europe’s Critical Infrastructure

Reminders of the importance of safeguarding national critical infrastructure can be found in global headlines each day, whether it’s a fire at an electrical substation, an attack on a nuclear power plant or water utility. 

The impact of such incidents is rarely localized and the extended effects can, in some instances, be felt nationally and beyond. In an attempt to shore up defenses, a wave of new domestic and international regulations and directives has recently been introduced with the common objective of strengthening the resilience of critical infrastructure.

One of the most significant pieces of new regulations introduced in recent years is the Critical Entities Resilience (CER) Directive, which will come into force across all European Union member states in July 2026. The new rules will govern organizations operating in the energy, water, transport, banking and health sectors. The regulation aims to ensure the necessary resilience-enhancing measures are in place to improve the prevention, response and mitigation of incidents (such as natural hazards, terrorist attacks, insider threats and sabotage) that could disrupt essential services. The directive runs alongside the Network and Information Systems Directive II (NIS2), which came into force in October 2024 to shore up the cyber defenses of 18 critical sectors across the region.