{"id":78963,"date":"2026-05-10T05:48:16","date_gmt":"2026-05-10T05:48:16","guid":{"rendered":"https:\/\/www.europesays.com\/dk\/78963\/"},"modified":"2026-05-10T05:48:16","modified_gmt":"2026-05-10T05:48:16","slug":"brussels-takes-seven-member-states-to-court-over-cer-and-the-consequences-land-on-you","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/dk\/78963\/","title":{"rendered":"Brussels Takes Seven Member States\u00a0To\u00a0Court Over CER, And The Consequences Land On You"},"content":{"rendered":"<p>If you are a CISO at a critical-infrastructure\u00a0organization\u00a0in Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, or Sweden, your\u00a0<a href=\"https:\/\/eur-lex.europa.eu\/eli\/dir\/2022\/2557\/oj\" rel=\"nofollow noopener\" target=\"_blank\">Critical Entities Resilience (CER) Directive<\/a> enforcement clock just shortened. On May 7, 2026, the European Commission referred all seven member states to the Court of Justice of the European Union for failing to transpose the CER Directive more than 18 months after the deadline. The commission also asked the court to impose lump sums and daily penalty payments on each state. That pressure cascades fast. To limit their financial exposure, the seven member states will accelerate transposition and tighten the political mandate on their national supervisors. Those supervisors will translate that mandate into faster designations, harder enforcement priorities, and shorter grace periods. Designated entities will pass the new obligations down to their suppliers through contract clauses.<\/p>\n<p>Three Things Make This Referral Different<\/p>\n<p aria-level=\"2\">Do not wait for the court to rule before you act. The seven member states will now transpose under combined financial and political pressure, and the supervisors who follow will arrive with a mandate. CER applies across 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. The substantive obligations are the same; the operational reality is not. In most organizations, cyber, physical security, and business continuity management (BCM) sit in separate reporting lines. The CER Directive does not care. Consider a regional water utility two months after designation: The supervisor expects a documented risk assessment, a board-approved business continuity plan, a tested 24-hour incident notification channel, and demonstrable governance. Designations can begin within weeks of entry into force. Consider that:<\/p>\n<p>The commission is asking for sanctions at the first hearing.\u00a0<a href=\"https:\/\/www.legislation.gov.uk\/eut\/teec\/article\/260\" rel=\"nofollow noopener\" target=\"_blank\">Article 260.3 of the Treaty on the Functioning of the European Union<\/a> lets the European Commission propose lump sums and daily penalty payments alongside the first referral, instead of waiting for a second noncompliance judgment. The commission has stated it will use Article 260.3 as a matter of principle for late transpositions. For CISOs, expect national supervisors to enforce harder and earlier than they did under the GDPR.<br \/>\nSeven member states missed the same deadline. The list does not contain the usual rule-of-law outliers. It contains France, Luxembourg, the Netherlands, Spain, and Sweden, all of which usually post strong transposition records. When that group misses the same date together, the cause is structural: cross-ministerial scope, overlap with existing national regimes, and definitions deliberately left open at the EU level. For CISOs, assume that the resulting national laws will diverge, causing scope, timing, and supervisory authority to differ country by country.<br \/>\nThe directive itself is a\u00a0ProtectEU\u00a0instrument. The CER Directive is the EU\u2019s all-hazards resilience law, covering terror, sabotage, cyber, and natural disaster. The commission tied the referral directly to its <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_920\" rel=\"nofollow noopener\" target=\"_blank\">ProtectEU European Internal Security Strategy<\/a>. The framing matters.\u00a0This\u00a0referral is part of a hardened enforcement posture on hybrid threats, not a routine transposition complaint.\u00a0For CISOs,\u00a0CER conversations will increasingly involve interior and\u00a0defense\u00a0ministries, not just your usual privacy and IT supervisors.<\/p>\n<p>What CISOs Should Do Now<\/p>\n<p>Stop assuming that your NIS 2 program covers CER. The two directives overlap on supplier due diligence and BCM scope, but they diverge on operational matters. The NIS 2 <a href=\"https:\/\/www.forrester.com\/report\/eu-nis-2-directive-requirements-and-compliance-worksheet\/RES181022\" rel=\"nofollow noopener\" target=\"_blank\">Directive<\/a> mandates harmonized 24-hour and 72-hour notification windows, while CER is less harmonized on incident notification, with timing and channels varying by member state. The\u00a0NIS 2 Directive focuses on cybersecurity, however, while CER is all-hazards. Treat\u00a0NIS 2\u00a0directive\u00a0work\u00a0as a useful baseline, not a proxy for compliance.<br \/>\nRun CER, NIS 2, DORA, and the CRA on one operating model.\u00a0Four parallel compliance programs will produce four parallel governance boards, four sets of risk assessments, and four sets of supplier questionnaires. Build one integrated\u00a0<a href=\"https:\/\/www.forrester.com\/report\/no-more-blurred-lines-introducing-continuous-risk-management\/RES181738\" rel=\"nofollow noopener\" target=\"_blank\">risk taxonomy<\/a>, one\u00a0<a href=\"https:\/\/www.forrester.com\/report\/best-practices-for-mdr-to-ir-handoffs\/RES192720\" rel=\"nofollow noopener\" target=\"_blank\">incident response framework<\/a>, one supplier inventory, and one board-level reporting line.\u00a0Map the directive-specific obligations on top.<br \/>\nRun the gap analysis now, against the directive itself.\u00a0Use the CER Directive\u2019s annex on sectors and subsectors to\u00a0identify\u00a0which business units fall in scope. Run\u00a0a\u00a0<a href=\"https:\/\/www.forrester.com\/report\/the-business-continuity-management-software-landscape-q1-2026\/RES191042\" rel=\"nofollow noopener\" target=\"_blank\">business impact analysis<\/a>\u00a0against essential service delivery. Score current controls against the duty-of-care obligations in the directive. Ten months from designation is too\u00a0short\u00a0a window to\u00a0start from scratch.<br \/>\nBring third-party and supplier obligations forward into the next contract cycle. Critical entities will pass CER obligations down through contractual cascade: incident notification SLAs, audit rights, subprocessor restrictions, and attestations on physical and personnel security. Start with your top 10 material vendors in CER-relevant processes \u2014 that scope is manageable inside one contract cycle. <a href=\"https:\/\/www.forrester.com\/report\/forresters-essential-research-to-manage-your-it-spend\/RES183033\" rel=\"nofollow noopener\" target=\"_blank\">Contract renewal cycles<\/a> for material vendors run six to nine months. Procurement and legal need to be drafting clauses now if you want them in force by designation.<br \/>\nRun cyber and physical scenarios together \u2014 and own the seam.\u00a0CER\u2019s all-hazards scope is the main thing that distinguishes it from\u00a0the NIS 2\u00a0directive. Most security organizations run mature cyber <a href=\"https:\/\/www.forrester.com\/blogs\/mastering-an-effective-executive-tabletop-exercise-deriving-maximum-value-and-impact\/\" rel=\"nofollow noopener\" target=\"_blank\">tabletop exercises<\/a>\u00a0and weak\u00a0<a href=\"https:\/\/www.forrester.com\/blogs\/asis-gsx-2023-physical-security-insights-from-deep-in-the-heart-of-texas\/\" rel=\"nofollow noopener\" target=\"_blank\">physical exercises<\/a>. Joint scenarios belong on the calendar this quarter: substation sabotage that takes systems offline, insider physical access to a data center, drone interference with logistics, or supply chain disruption combined with a coordinated phishing campaign. Before this becomes a tabletop question, it is an organizational design question. Your CER supervisor will expect you to demonstrate an integrated risk posture.<\/p>\n<p>If Your Customers Are Designated Entities, You Are Affected<\/p>\n<p aria-level=\"2\">CER will reach you through customer questionnaires, contract clauses, and SLA changes \u2014 even if your organization is not\u00a0designated. A SaaS vendor to a water utility,\u00a0a logistics\u00a0partner to a hospital, or a managed service provider to a bank will face the same expectations through their customers\u2019 contractual\u00a0obligations, often with less time and less leverage than the designated entities themselves.<\/p>\n<p>Map your CER-exposed customer base now.\u00a0Identify\u00a0which of your customers\u00a0operate\u00a0in the 11 CER sectors and prioritize the top quartile by revenue. Those are the contracts where the new clauses will land first, often before formal designation arrives.<br \/>\nRaise the budget conversation before procurement\u00a0does. New incident notification SLAs, audit rights, subprocessor restrictions, and physical and personnel attestations require investment. If you wait, you will pay twice \u2014 once for the controls, once for the rushed delivery. And you will personally pay in trust and goodwill if finance and\/or the board first hears about the CER Directive through a contract renegotiation in distress.<br \/>\nBuild a reusable attestation pack, not a per-questionnaire response. For controls evidence, subprocessor inventory, incident playbook, physical security posture, and business continuity testing: Package once, and share with every customer. Vendors that preempt these requests command better commercial terms; vendors that answer them ad hoc renegotiate under pressure.<\/p>\n<p>Connect With Us<\/p>\n<p aria-level=\"2\">Forrester clients with questions about CER, NIS 2, DORA, or building an integrated resilience operating model can\u00a0<a href=\"https:\/\/www.forrester.com\/inquiry\" rel=\"nofollow noopener\" target=\"_blank\">schedule an inquiry or guidance session<\/a> with me.<\/p>\n","protected":false},"excerpt":{"rendered":"If you are a CISO at a critical-infrastructure\u00a0organization\u00a0in Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, or Sweden, your\u00a0Critical&hellip;\n","protected":false},"author":2,"featured_media":78964,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[104],"tags":[211,210],"class_list":{"0":"post-78963","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-brussels","8":"tag-belgium","9":"tag-brussels"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@dk\/116548711370657233","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/posts\/78963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/comments?post=78963"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/posts\/78963\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/media\/78964"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/media?parent=78963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/categories?post=78963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/dk\/wp-json\/wp\/v2\/tags?post=78963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}