Enhanced preparedness and cybersecurity
What your business needs to know about CER and NIS2 directives
Released December 2024
Introduction to CER & NIS2
NIS2 (Network and Information Security Directive) and CER (Critical Entities Resilience) are two EU directives designed to strengthen security in the EU. NIS2 focuses on cybersecurity, while CER addresses physical and operational resilience. Both directives require critical businesses and their suppliers to strengthen their preparedness and security, but with different focus areas and requirements.
70% of Danish companies only comply with the requirements of the NIS2 directive to a lesser extent or not at all.
What is the CER Directive?
The CER Directive is about physical and operational resilience. It requires companies in critical sectors to ensure preparedness against physical threats such as natural disasters, terrorism and supply chain disruptions.
Highlights of the NIS2 Directive
- Expansion of sectors and companies: NIS2 now applies to more sectors, covering both critical (energy, health, finance) and important sectors (e.g. food and digital services).
- Increased cybersecurity requirements: NIS2 requires organizations to put in place robust cybersecurity measures that are management-led, such as risk management, technical security and monitoring. There must also be a risk-based approach so that security efforts are targeted at the highest risks.
- Mandatory incident reporting: NIS2 companies must report security incidents quickly (within 24 hours) to a national authority to ensure rapid response and coordination.
- Cooperation between countries: NIS2 promotes cooperation between EU countries through joint cybersecurity networks and Computer Security Incident Response Teams (CSIRTs).
The NIS2 Directive includes requirements for management governance and anchoring, risk management and related security measures as well as notification obligations and requirements for enforcement, supervision and related sanctions for non-compliance.
"Management is given greater responsibility for cybersecurity and can be held personally liable for gross negligence."
Requirements for subcontractors
NIS2 requires companies to ensure that their subcontractors also comply with cybersecurity standards.
- Due Diligence: Companies must evaluate the security of their subcontractors.
- Contractual requirements: Security requirements can become part of the contract with suppliers.
- Continuous evaluation: Companies must continuously monitor subcontractors for compliance with cybersecurity standards.
Monitoring and responsibility
Companies under NIS2 and CER must keep logs and monitor digital and physical systems.
This helps detect suspicious activity quickly and protect your business. HR plays an important role in balancing security obligations with employee rights, especially under GDPR.
Importance for HR and management
Both directives support a “know your employee” approach. Background checks, access control and regular training will be important to minimize insider threats.
- Background checks: Directive requirements can make background checks necessary for key employees.
- Employee training: For NIS2, this involves cybersecurity training; for CER, it can be physical security training.
- Tight access control: Access to critical systems and areas should be monitored and regulated.
Overall assessment
NIS2 and CER provide a broad security commitment, addressing both digital and physical threats. Both directives focus on risk management and resilience, which requires good collaboration between HR, IT and security departments.
These measures ensure that the company is well equipped to withstand both cyber and physical threats.
Curious for more?
If you are unsure whether your company is covered by the new requirements of the NIS2 directive, you can use this tool from Secure Digital. It guides you through a series of questions and gives you a quick overview.