Introduced alongside the NIS 2 Directive, the Critical Entities Resilience Directive (CER Directive) aims to enhance resilience against threats and risks that could impact the provision of essential services. To this end, it takes an all-hazards approach, addressing threats irrespective of their nature. Depending on the designation by competent authorities, entities under NIS 2 may also be subject to the wider resilience obligations set out by the CER Directive. Its primary objective is to reduce vulnerabilities and strengthen the physical resilience of entities that are crucial for vital societal functions, economic activities, public health and safety, and the environment.
Member States must use a risk-based approach to designate critical entities. To this end, the focus will be on the organisations most relevant for critical economic or societal functions across the 11 sectors listed in the Directive.
Entities in scope must assess the risks that could interfere with their delivery of essential services and implement appropriate resilience strategies. Such strategies will have to encompass resilience plans as well as strict procedures for incident reporting.
The deadline for transposition of the Directive into national law was October 2024. EU Member States now have until July 2026 to identify these 'critical entities', which must be notified of the decision within one month. Entities in scope must then adopt stringent measures to increase overall resilience, including a risk assessment within nine months of notification, business continuity and crisis management plans, and robust incident notification processes.
Embark on your journey to privacy maturity with our tailored roadmap, guiding you through the essential steps to achieve data protection compliance. Whether you need the full journey or just selected steps, our approach adapts to your specific needs, empowering your business to build trust, enhance your brand, and drive growth through robust privacy strategies.
Entities designated as critical under the CER Directive will need to ensure compliance with a new set of security and resilience requirements. Our teams can support your company in assessing your existing controls and security measures, and in identifying any remaining gaps that must be closed to achieve compliance.
As a follow-up activity, we can develop a strategic plan to address the gaps identified in the previous step, and provide a detailed roadmap outlining actions, timelines and responsibilities to achieve compliance.
Done on the basis of Member State risk assessment and other relevant sources of information.
Meant to assess all relevant risks that could disrupt the provision of an organisation’s essential services.
Hands-on comprehensive evaluations to identify vulnerabilities and develop customised physical security strategies.
Continuous security and compliance monitoring and emergency preparedness training.
Comprehensive assessment;
Governance structure development;
Assess/build business continuity plans, crisis management and communications capabilities; and perform exercises.
End-to-end approach to incident management:
Prepare
Detect
Handle
Investigate
To achieve lasting change, a structured approach to change management is critical. This involves expertly guiding transitions, actively engaging leaders and staff, and fostering collective ownership of the process. Our experts collaborate with you to understand the unique needs and challenges of your organisation and develop a comprehensive strategy to transform your culture.
Security awareness training focused on threat awareness, incident handling, and crisis and business continuity management.
Our team can provide further support to ensure ongoing compliance through regular risk assessments, updates to policies and procedures, continuous monitoring and training, and knowledge transfer.