CER Directive 2026: Identity Rules for Critical Entities
Member States must designate critical entities in 11 sectors by 17 July 2026. CER Articles 13-14 demand personnel security and background checks — including externals.
The EU Critical Entities Resilience Directive requires Member States to designate critical entities across 11 sectors by 17 July 2026. Once designated, entities have ten months to implement Article 13 resilience measures — including personnel security, access rights, and Article 14 background checks. External service providers' personnel are explicitly in scope. Identity-proofing that crosses borders is the operational gap.
Directive (EU) 2022/2557 — the CER Directive — entered into force on 16 January 2023, with national transposition due by 17 October 2024 (Directive (EU) 2022/2557 — EUR-Lex). Two 2026 dates now matter. By 17 January 2026, each Member State must have adopted a national resilience strategy. By 17 July 2026, Member States must identify and designate the critical entities operating within their territories. The clock then runs per-entity: once designated, a critical entity is notified within one month and has ten months from notification to implement the Chapter III resilience measures — including the personnel-security obligations under Article 13(e) and the background-check framework under Article 14.
For the essential and important entities already in NIS2 scope, CER adds a physical-and-personnel-resilience layer on top of the cybersecurity-focused NIS2 layer. The two regimes are intentionally complementary: NIS2 covers network and information systems; CER covers the physical and organisational resilience that makes those systems survivable. Many entities will be in scope of both. The personnel-identity question — who is this person, and can you prove it before they hold a sensitive role — is where the two meet.
The CER Directive 17 July 2026 Designation Deadline
The CER designation process is sequential. Member States first adopt the national resilience strategy; then they identify the critical entities across the eleven CER sectors; then they notify each designated entity. The entity then has ten months to operationalise the resilience measures.
By the time you read this, the strategy deadline has already passed. Most Member States met the 17 January 2026 strategy deadline with published documents; a handful, particularly those that also missed NIS2 transposition deadlines, are still completing formal adoption. The critical-entity designation decisions themselves are expected across the first half of 2026, with a concentrated wave leading up to the 17 July 2026 deadline. An entity that receives notification on 1 July 2026 must be fully compliant with Chapter III by 1 May 2027.
The sectoral competent authority (energy regulator, transport ministry, central bank, health ministry, and so on) typically conducts the designation analysis. Designation turns on whether an incident would have a significant disruptive effect, assessed against the Article 7 criteria: the number of users relying on the service, the extent to which other sectors depend on it, the impact an incident could have on economic and societal activities, the environment, public safety or health, the entity's market share, the geographic area affected (including cross-border effects), and the entity's importance in maintaining a sufficient level of the service given the alternatives available. For large incumbents in energy, transport, banking, and public administration, designation is effectively a foregone conclusion; for mid-size sector participants, the analysis is more case-specific.
The 11 Sectors in Scope
The CER Directive widens the scope beyond the 2008 predecessor — which only covered energy and transport — to eleven sectors. A single critical entity may sit in multiple sectors simultaneously (EUR-Lex summary — making critical entities more resilient, Deloitte — Navigating the EU CER Directive):
- Energy — electricity, district heating, oil, gas, hydrogen.
- Transport — air, rail, water, road.
- Banking — credit institutions.
- Financial market infrastructure — trading venues, central counterparties.
- Health — healthcare providers, EU reference labs, entities carrying out R&D on medicinal products, pharmaceutical manufacturing and distribution.
- Drinking water — suppliers and distributors of water intended for human consumption.
- Waste water — undertakings collecting, disposing of, or treating urban or industrial waste water.
- Digital infrastructure — internet exchange points, DNS service providers, top-level-domain name registries, cloud-computing service providers, data-centre service providers, content-delivery networks, trust service providers, public electronic communications networks, and publicly available electronic communications services.
- Public administration — central-government public administration entities.
- Space — operators of ground-based infrastructure used to support space-based services (narrower scope than the full space value chain).
- Food — businesses engaged in logistics and wholesale distribution, and in large-scale industrial production and processing.
The absence of a separate "defence" sector label is deliberate. The Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement (Article 1(6)), so defence departments and agencies are not designated under the public-administration sector. Defence-adjacent dependencies are reached only through the civilian critical entities that serve them: digital infrastructure (sovereign cloud, data centres and networks carrying defence IT) and transport (military mobility corridors). For prime contractors and defence SMEs, the signature requirements for EU defence tenders are the procurement-side story; CER sits on the other side, in the personnel and physical-resilience obligations of the designated civilian entities on which the defence sector depends.
What Article 13 Requires — Personnel Security
Chapter III of the CER Directive sets out the resilience obligations. Article 13(1) enumerates the specific resilience measures as points (a) to (f); point (e) of that paragraph, referred to as Article 13(e) below, is the personnel-security clause.
Article 13(e) requires critical entities to ensure adequate employee security management, taking into account Article 14, which includes, as a non-exhaustive list:
- Setting out categories of personnel who exercise critical functions.
- Establishing access rights to premises, critical infrastructure, and sensitive information.
- Setting up procedures for background checks in accordance with Article 14 and designating the categories of persons required to undergo such background checks.
- Laying down appropriate training requirements and qualifications.
The operational substance is in the first two items. Critical entities must be able to enumerate the categories of personnel whose role is critical — typically control-room operators, cybersecurity personnel, privileged-access administrators, physical-security personnel, personnel with access to sensitive engineering design, and personnel responsible for supply chain or vendor relationships. They must be able to say — per category — which premises, systems, and information those personnel can reach. The access-rights register is the Article 13(e) artefact auditors will ask for first.
Two elements of Article 13 sharpen the scope. First, Article 13(e) explicitly requires that Member States shall ensure that critical entities take into account the personnel of external service providers when setting out categories of personnel who exercise critical functions. The contract cleaner with out-of-hours access to a substation, the OEM field engineer with privileged SCADA credentials, the outsourced SOC analyst with read access to security events — all are in scope. Second, Article 13 applies in full regardless of entity size within the designated category; there is no SME exemption at the critical-entity level.
What Article 14 Requires — Background Checks
Article 14 is the procedural layer beneath Article 13(e)'s background-check reference. It specifies when critical entities may request background checks and on whom (CER Directive Article 14 — CER-Directive.com; Snellman — CER Chapter III). Member States "shall specify the conditions" under which a critical entity is permitted, in duly reasoned cases and taking into account the Member State risk assessment, to submit requests for background checks on persons who:
- (a) hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity;
- (b) are authorised to directly or remotely access the entity's premises, information, or control systems, including in connection with the security of the critical entity;
- (c) are under consideration for recruitment to positions that fall under (a) or (b).
Item (c) is the one that operationally matters most. The background check happens before the candidate is hired into a sensitive role or given access. Running a background check on a candidate who is already in post — and who has already had sensitive access for months — is operationally too late.
Article 14 also specifies that background-check requests must be:
- Assessed within a reasonable timeframe.
- Processed in accordance with national law and procedures and relevant applicable Union law, including the GDPR.
- Proportionate, with the check itself strictly limited to what is necessary for its purpose.
Article 14(3) then fixes the minimum content of a check: it must corroborate the identity of the person concerned and check that person's criminal records for offences relevant to the specific position. Identity corroboration is therefore part of the statutory check, not a convenience step the entity adds on its own initiative; a criminal-record result is only as good as the identity it was queried against.
The cross-border dimension of Article 14 is handled through ECRIS (European Criminal Records Information System), the decentralised mechanism through which Member States' central authorities exchange conviction information on request; Article 14(3) requires Member States to use it when a check needs criminal-record information held by another Member State. ECRIS operates between the Member States' central authorities only; it does not reach non-EU jurisdictions. For a candidate who has lived or worked outside the EU during the period the check covers, the critical entity and its screening service rely on that country's own certificate or police-verification process, with all the variance in scope, timeliness and reliability that introduces.
External Service Providers and Cross-Border Personnel
The Article 13(e) extension to external service providers' personnel, combined with the Article 14 background-check machinery, creates a specific operational problem for critical entities that source specialist support from outside the EU.
Consider the following typical case. A designated critical entity in the energy sector operates a SCADA environment maintained by an EU-headquartered OEM. The OEM's field-service organisation is distributed across the EU and beyond; the specialist who shows up to calibrate a turbine control unit may be a Polish citizen working out of Düsseldorf, a Turkish citizen working out of Istanbul, or an Indian citizen working on a contract through the OEM's Bangalore delivery centre. All three can be legitimately dispatched by the OEM. All three will, during the visit, hold Article 13(e) "access rights to premises, critical infrastructure, and sensitive information". All three fall within the Article 14(a) and (b) target groups for background checks.
The critical entity's legal obligation is to ensure adequate employee security management for all three cases — which in practice means a documented identity-verification step, a documented background-check step appropriate to the jurisdiction and the role, and a documented authorisation step tying the specific individual to the specific access. For the Polish citizen, ECRIS and the national criminal register framework cover it. For the Turkish citizen, the critical entity typically obtains a home-country police certificate plus a supplementary check in the OEM's home jurisdiction. For the Indian citizen, the same logic applies with the Indian police-verification process.
The one step common to all three cases is identity verification of the individual. Before any background check can be run against the right person, that person's identity must be established against a document the critical entity can verify. For the cross-border workforce, the biometric passport is the document that does this consistently across ICAO 9303 issuing states: the chip carries the MRZ data (DG1) and the facial image (DG2), signed by the issuing state in the Document Security Object, so a verifier holding the issuing state's CSCA certificate can confirm that the data are genuine and unaltered (passive authentication) and match the live holder against the signed photo. Reading the printed MRZ alone proves nothing about authenticity; the chip signature check and the face match are what make the identity usable as the anchor for a background check. It is the same physical-identity layer that shows up beneath the NIS2 supplier identity register, beneath the OT remote access three-framework convergence, and beneath the EUDI Wallet's limits for non-EU counterparties.
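The first two mechanical steps of a passport-based verification flow, as an added illustration that is not code from the original page or from IdentiGate: validating the ICAO 9303 check digits of a TD3 (passport) machine-readable zone, and deriving from the same three MRZ fields the Basic Access Control keys a reader needs before it can open the chip and fetch DG1, DG2 and the Document Security Object. The sample MRZ is constructed here from the ICAO 9303 specimen passport for the fictional state "UTO"; all function names are this example's own. Check digits catch transcription errors and crude edits, not forgery; authenticity comes from the chip signature check described above, which this example does not implement.

```python
# Added example, not code from the original page: ICAO 9303 TD3 MRZ validation
# and BAC key derivation. All function names are this example's own.
import hashlib

MRZ_WEIGHTS = (7, 3, 1)

# ICAO 9303 specimen passport for the fictional state "UTO", constructed here
# from the published example (line 1 is padded with '<' to 44 characters).
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def mrz_char_value(ch: str) -> int:
    """ICAO 9303 Part 3 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted (7, 3, 1) modulo-10 check digit over an MRZ field."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def parse_td3(line1: str, line2: str) -> dict:
    """Parse a TD3 (passport) MRZ and verify every check digit.

    Raises ValueError on any mismatch, so a mistyped or tampered MRZ is rejected
    before its fields are used to address the chip or a background-check request.
    """
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    checked = {
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "date_of_expiry": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
    }
    for name, (value, digit) in checked.items():
        # Some states fill the optional-data check digit with '<' when the field is empty.
        if name == "optional_data" and digit == "<" and not value.strip("<"):
            continue
        if not digit.isdigit() or mrz_check_digit(value) != int(digit):
            raise ValueError(f"{name}: check digit mismatch")
    # The composite digit covers document number, birth date, expiry and optional
    # data together with their own check digits, so fields cannot be swapped consistently.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if mrz_check_digit(composite) != int(line2[43]):
        raise ValueError("composite check digit mismatch")
    surname, _, given = line1[5:].partition("<<")
    return {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": checked["document_number"][0].rstrip("<"),
        "nationality": line2[10:13],
        "date_of_birth": checked["date_of_birth"][0],
        "sex": line2[20],
        "date_of_expiry": checked["date_of_expiry"][0],
        "optional_data": checked["optional_data"][0].rstrip("<"),
    }


def odd_parity(byte: int) -> int:
    """Set the low bit so the byte has odd parity, as DES keys require."""
    ones = bin(byte & 0xFE).count("1")
    return (byte & 0xFE) | (0 if ones % 2 else 1)


def bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str) -> tuple:
    """Derive the BAC keys (KEnc, KMAC) per ICAO 9303 Part 11.

    Kseed = SHA-1(MRZ_information)[:16], where MRZ_information is the 9-character
    document number, birth date and expiry date, each followed by its check digit;
    Kx = SHA-1(Kseed || c)[:16] with c = 1 (encryption) or 2 (MAC), parity-adjusted.
    Document numbers longer than nine characters (continued in optional data) are
    out of scope for this example.
    """
    number = document_number.ljust(9, "<")
    mrz_information = (
        number + str(mrz_check_digit(number))
        + date_of_birth + str(mrz_check_digit(date_of_birth))
        + date_of_expiry + str(mrz_check_digit(date_of_expiry))
    )
    kseed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16]
        return bytes(odd_parity(b) for b in digest)

    return derive(1), derive(2)


if __name__ == "__main__":
    record = parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)
    print(record)
    k_enc, k_mac = bac_keys(record["document_number"], record["date_of_birth"], record["date_of_expiry"])
    print("KEnc", k_enc.hex(), "KMAC", k_mac.hex())
```

Running the file validates the specimen and prints the derived keys. In a live flow those keys open a BAC session with the chip, after which DG1 and DG2 are read and the Document Security Object's signature is verified against the issuing state's CSCA certificate; a validated MRZ on its own says only that the characters are internally consistent. Newer passports use PACE instead of BAC; it takes the same MRZ information as its password but derives keys with a different function.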
What This Means for Critical Entities in the Designation Window
Whether an entity has been designated, is expecting designation, or is working to confirm that it is not in scope, the practical work for 2026 is a readiness programme that a ten-month clock will not give time to build from zero.
- Map your critical functions and personnel categories now. Article 13(e) asks for a categorisation that many entities have in pieces — an access-rights list here, a role description there, a privilege-elevation matrix somewhere else. Consolidate into a single personnel-security register. This is the artefact auditors will walk first.
- Extend the register to external service providers. The OEM field engineers, the contracted SOC analysts, the outsourced facilities-management teams — their personnel are in scope for Article 13(e). Your register must list their categories with the same granularity as for internal staff.
- Design an identity-verification step that runs before any background check. Without a documented, verifiable identity, the background-check record does not bind to a specific person, and Article 14(3) in any case requires the check to corroborate that identity. Biometric-passport-based identity verification handles this for internal staff on EU passports and for the cross-border workforce on non-EU passports equally, provided the verifier can validate the chip signature against the issuing state's CSCA certificate (distributed through the ICAO Public Key Directory or bilateral exchange) and matches the live holder against the signed facial image.
- Build the background-check procedure around Article 14(a)-(c). The scope is sensitive-role holders, people with access, and people under consideration for recruitment to those positions. Catching pre-hire check processes is the highest-leverage operational change; retrofitting post-hire checks for already-privileged personnel is much more expensive.
- Produce and sign authorisation records with AdES. Each sensitive-role authorisation, each access grant, each periodic re-attestation should carry an advanced electronic signature under eIDAS bound to the verified identity of the approver. The audit chain must survive walk-back by a national competent authority.
The analogy to recent adjacent regimes is close enough to be useful. DORA's Register of Information put a hard submission deadline on the financial sector and exposed data-quality problems that pre-deadline activity had masked. The CER designation wave in July 2026 will do the same for the broader critical-entities landscape, and the entities that treat the ten-month post-notification clock as a planning runway, not a reporting window, will be in measurably better shape when the first audits land.
FAQ
When must Member States designate critical entities under CER? By 17 July 2026. Member States had to adopt a national resilience strategy by 17 January 2026 first. Once an entity is designated, Member States notify it within one month, and the entity has ten months from notification to comply with Chapter III resilience measures.
How many sectors does CER cover? Eleven: energy; transport; banking; financial market infrastructure; health; drinking water; waste water; digital infrastructure; public administration at central government level; space (ground-based operators); food (logistics and wholesale distribution, and large-scale industrial production and processing).
Does CER apply to external service providers' personnel? Yes, for the purpose of Article 13(e) personnel security. Critical entities must take into account the personnel of external service providers when setting out the categories of personnel who exercise critical functions. The background-check framework under Article 14 also reaches these individuals when they fall within the sensitive-role, access-rights, or recruitment-consideration categories.
Who can request a background check under Article 14, and on whom? The critical entity can submit background-check requests through the Member State's designated process. Target groups are (a) persons in sensitive roles, (b) persons authorised to access premises, information, or control systems, and (c) persons under consideration for recruitment to positions under (a) or (b).
How does CER relate to NIS2? CER and NIS2 are complementary. NIS2 (Directive (EU) 2022/2555) covers network and information systems cybersecurity; CER (Directive (EU) 2022/2557) covers the physical and organisational resilience of critical entities. Many entities are in scope of both. NIS2 essential-entity status does not automatically make an entity a CER critical entity, but the overlap is extensive — particularly in energy, transport, banking, health, digital infrastructure, and public administration.
How are criminal records checked for EU cross-border personnel? Through ECRIS (European Criminal Records Information System), the decentralised exchange mechanism between Member State central authorities. ECRIS does not reach non-EU jurisdictions. For personnel with non-EU residence or work history, the critical entity and its screening provider rely on home-country police certificates and analogous processes, usually via an international background-screening service.
Sources
CER Directive primary texts
- Directive (EU) 2022/2557 on the resilience of critical entities — EUR-Lex
- Directive (EU) 2022/2557 — full PDF — EUR-Lex
- EUR-Lex summary — Making critical entities more resilient
CER Articles 13 and 14
- CER Directive Article 13 — CER-Directive.com
- CER Directive Article 14 — CER-Directive.com
- Chapter III Resilience of critical entities — Snellman Digital Compliance Tracker
Implementation and practitioner guidance
- Navigating the EU Critical Entities Resilience Directive — Deloitte
- EU Critical Entities Resilience Directive — Osborne Clarke
- The CER Directive — general and sectoral implementation — EU-CIP
- The CER Directive — physical security requirements — Bull
About the author
Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.