The Critical Entities Resilience (CER) Directive and the Belgian transposition

The Critical Entities Resilience (CER) Directive (EU) 2022/2557 represents a significant step forward in strengthening the resilience of essential services across the European Union. Recognizing the growing impact of natural hazards, cyber incidents, supply chain disruptions, geopolitical tensions, and other emerging threats, the Directive aims to ensure that organizations providing critical services can prevent, withstand, respond to, and recover from disruptive events.

The Directive introduces a harmonized framework designed to enhance the resilience of organizations whose services are essential to society, the economy, public health, public safety, and the environment.

Belgium has transposed the CER Directive through the Law of 19 December 2025, establishing the national framework for the identification, supervision, and resilience of critical entities.

The legislation formalizes a risk-based and all-hazards approach to resilience, requiring organizations to consider a broad range of threats, including natural, technological, malicious, and hybrid risks. It also introduces specific obligations for entities designated as critical by the competent authorities.

The National Crisis Center (NCCN) acts as the national coordinator, while sectoral authorities are responsible for identifying and supervising critical entities within their respective sectors.

The CER Directive applies to entities operating in sectors considered essential to the functioning of society and the economy, including:

• Energy
• Transport
• Banking and financial market infrastructures
• Health
• Drinking water and wastewater
• Digital infrastructure
• Public administration
• Space

Organizations operating within these sectors should closely monitor developments from the competent authorities and assess whether they may fall within the scope of the Belgian framework.

Once designated, organizations will be required to establish and maintain a comprehensive resilience framework aimed at ensuring the continuity of essential services.

Key obligations include:

• Performing all-hazards risk assessments
• Establishing governance and accountability mechanisms
• Appointing a dedicated point of contact for competent authorities
• Developing and maintaining an Entity Resilience Plan
• Implementing incident notification procedures
• Conducting testing, exercises, and continuous improvement activities
• Cooperating with competent authorities and providing requested information

The Belgian transposition creates important synergies between resilience and cybersecurity requirements.

Entities designated as critical under the CER framework will automatically be considered essential entities under the Belgian NIS2 framework. As a result, organizations should seek to align resilience, cybersecurity, operational risk management, and crisis management initiatives to create a consistent and efficient compliance approach while avoiding duplication of effort.

Organizations operating in potentially in-scope sectors should start preparing before formal designation. Early preparation can significantly reduce implementation efforts and help organizations build resilience capabilities in a structured and sustainable manner.

Key preparation activities include:

• Identifying critical services and supporting assets
• Mapping internal and external dependencies, including third-party providers and supply chains
• Reviewing crisis management, business continuity, and emergency response arrangements
• Assessing governance structures, accountability, and escalation mechanisms
• Evaluating existing risk management and resilience capabilities against CER requirements
• Developing a structured roadmap for CER compliance and resilience enhancement
• Identifying opportunities to align CER requirements with existing NIS2, DORA, and operational resilience initiatives

Beyond compliance, these activities can help organizations strengthen operational resilience, improve crisis preparedness, enhance stakeholder confidence, and increase their ability to respond effectively to an evolving threat landscape.

KPMG supports organizations throughout the CER compliance journey, from initial readiness assessments to the implementation and testing of resilience capabilities.

Our services include:

• CER applicability and readiness assessments
• All-hazards risk assessments and resilience gap analyses
• Governance, accountability, and operating model design
• Development of resilience plans (WPE/PRE) and supporting procedures
• Incident management, escalation, and notification frameworks
• Crisis management and business continuity enhancement
• Tabletop exercises, simulations, and resilience testing
• Third-party and supply chain resilience assessments
• Integration of CER, NIS2, DORA, and broader operational resilience requirements into a coherent and efficient compliance framework

By combining regulatory expertise, resilience capabilities, and sector-specific experience, KPMG helps organizations move beyond compliance and build sustainable resilience in an increasingly complex and interconnected environment.