26.05.2025 • Topstories

Prepare for the CER Directive

The Critical Entities Resilience (CER) Directive will come into force across all European Union member states in July 2026. Member countries are also passing their own regulations, and a more holistic approach to the physical security ecosystem is being sought. An article by Andreas Beerbaum, VP of Sales, Physical Security – International, Hexagon’s Safety, Infrastructure & Geospatial Division.

Reminders of the importance of safeguarding national critical infrastructure can be found in global headlines each day, whether it’s a fire at an electrical substation or an attack on a nuclear power plant or water utility.

The impact of such incidents is rarely localized and the extended effects can, in some instances, be felt nationally and beyond. In an attempt to shore up defenses, a wave of new domestic and international regulations and directives has recently been introduced with the common objective of strengthening the resilience of critical infrastructure.

One of the most significant pieces of new regulation introduced in recent years is the Critical Entities Resilience (CER) Directive, which will come into force across all European Union member states in July 2026. The new rules will govern organizations operating in the energy, water, transport, banking and health sectors. The regulation aims to ensure the necessary resilience-enhancing measures are in place to improve the prevention, response and mitigation of incidents (such as natural hazards, terrorist attacks, insider threats and sabotage) that could disrupt essential services. The directive runs alongside the Network and Information Systems Directive II (NIS2), which came into force in October 2024 to shore up the cyber defenses of 18 critical sectors across the region.

Local Variations

Photo: Andreas Beerbaum, VP of Sales, Physical Security – International, Hexagon’s Safety, Infrastructure & Geospatial Division (© Hexagon)

In addition to EU regulations, member countries are passing their own regulations. In Germany, the KRITIS umbrella law is helping to create a blueprint for CER compliance. This landmark regulation also became law in October 2024 and requires operators of critical facilities to conduct risk assessments and implement measures to bridge any gaps. 

This includes deploying the necessary technical, security-related and organizational measures to ensure resilience. KRITIS does not detail specific requirements, so those that must comply with the regulation have invested heavily in new technologies. 

These are organizations that already place a premium on physical security and have vast safety and security infrastructure: CCTV and associated technologies, such as video analytics and thermal cameras, access control, perimeter protection (increasingly including the use of 3D LiDAR detection), sensors and alarms, etc. Therefore, the challenge is not necessarily the physical security infrastructure, but how it works as an ecosystem.

System Integration

Often, these component pieces operate in silos, but true situational awareness requires a joining of the dots. This does not mean that every system must be interconnected, as some systems will simply not talk to each other. It is, however, possible to add an integrating layer that provides operators with the data feeds needed to make the right decisions at the right time when handling an incident, as well as recording what took place.

Given the emphasis the regulation (specifically, KRITIS) places on incident recording and reporting and the fact that organizations have been given guidelines to deploy suitable measures, it is clear that what is being sought is a more holistic approach to the physical security ecosystem.

That is why these organizations are studying approaches adopted by other heavily regulated industries such as airports, specifically, their use of video management systems (VMS) for more camera-centric operations, and physical security incident management (PSIM) systems. Both of these systems provide the integration and workflows that enable incidents to be handled quickly and efficiently, but also provide the recording, reporting, reconstruction and replay that will aid compliance.

Learning From the Experience of Other Regulated Industries

For example, a large international airport’s operations center is using a PSIM solution installed on stations where operators monitor the airport’s fire alarms, access control system and surveillance camera network live. When an alert is raised, the operator must follow a strict set of procedures for managing that specific incident in accordance with policy and best practice.

The operator does not need to log into multiple systems to access information, as everything they need is presented to them on the screen at their station. As a result, the operations center has been able to reduce its incident response times and respond more quickly to other stakeholders.

The airport is required to accurately log every occurrence and the subsequent action, a process that was previously done manually. Today, the PSIM system automatically populates and logs the required information, saving operators time whilst ensuring every report is of a consistently high standard. 

It has opened up possibilities to integrate systems, solve problems and make improvements, without needing to make further investments in standalone solutions. The system also gives complete situational awareness regarding when and how an event transpired, who responded, how, and the result. This insight improves decision-making and feeds a continual cycle of improvement.

Physical security resilience regulation, whether at an international or national level, provides much-needed clarity and guidance. However, legislation is often slow to adapt to what can be a rapidly evolving physical and digital threat landscape. Operators of critical infrastructure need to be on the front foot in their resilience provision to keep the lights on, pipelines flowing and to safeguard commercial, national and international interests.
