The EU directive establishing a comprehensive resilience framework for critical entities across 11 sectors, complementing the cybersecurity rules of NIS2 with physical and organisational resilience requirements that certificate-based access control and encrypted communications help satisfy.
The CER Directive ((EU) 2022/2557) replaces the 2008 European Critical Infrastructure Directive (2008/114/EC) and establishes comprehensive obligations for critical entities to enhance their resilience against a wide range of threats, including cyber attacks, natural disasters, terrorism, and pandemics.
The directive covers 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and the production, processing and distribution of food. (Manufacturing is a NIS2 sector; it is not listed in the CER Directive.) Organizations that a member state identifies as critical entities within these sectors must implement the resilience measures described below.
Certificate-based access control and encrypted communications are practical controls for the combined physical and cyber protection the CER Directive expects. As operational technology (OT) and information technology (IT) systems become increasingly interconnected in critical infrastructure, PKI can serve as the common trust foundation for securing both physical and digital access.
Member states must identify critical entities across 11 sectors using risk-based criteria, including dependency mapping and cross-border impact assessment.
Critical entities must carry out a risk assessment covering all relevant natural and man-made risks to their essential services, including cyber threats, within nine months of being notified of their identification and at least every four years thereafter.
Entities must implement technical, security, and organizational measures to prevent, protect against, respond to, resist, mitigate, absorb, and recover from incidents.
Critical entities must control who can reach the physical sites and digital systems that support essential services. The directive does not prescribe a technology for this; certificate-based strong authentication is one of the most robust ways to meet the requirement for both badge and network access.
Critical entities must notify the competent authority of incidents that significantly disrupt, or could significantly disrupt, the provision of essential services: an initial notification no later than 24 hours after becoming aware of the incident, followed where relevant by a detailed report on impact and remediation within one month.
Member states must allow critical entities to request background checks on persons who hold sensitive roles or are being considered for them. Binding the vetted identity to a certificate-based credential keeps that check enforceable at every subsequent access decision.
December 2020: The European Commission proposes a new directive to strengthen the resilience of critical entities, replacing the 2008 European Critical Infrastructure Directive.
December 2022: The CER Directive ((EU) 2022/2557) is formally adopted by the European Parliament and the Council, establishing a comprehensive resilience framework.
17 October 2024: EU member states must have transposed the directive into national law and designated competent authorities for critical entity resilience.
17 July 2026: Member states must have identified all critical entities across the 11 designated sectors using the directive's criteria.
Following notification of their identification, critical entities must have implemented the required resilience measures covering both physical and cyber protection.
The CER Directive is technology-neutral, but several of the measures it requires depend on a trust foundation that PKI is well placed to provide, bridging physical and digital security. The critical areas are:
Critical sites require certificate-based authentication for physical access control systems, ensuring only authorized personnel can enter sensitive areas.
As operational and information technology networks converge, mutual TLS with certificates on both ends secures communications between industrial control systems and corporate networks, so that each side authenticates the other instead of trusting the network segment it sits on.
Critical infrastructure monitoring devices need unique per-device certificates so that each device can be identified, its telemetry protected in transit, and a compromised device revoked individually without affecting the rest of the fleet.
Communications with competent authorities and partner entities for incident reporting and coordination benefit from certificate-based encryption and signing, protecting the confidentiality and authenticity of sensitive operational data.
Certificate inventory across IT and OT environments — Discover and track all certificates across both information technology and operational technology networks, providing complete visibility for CER resilience audits.
Automated lifecycle management for access control certs — Automate the issuance, renewal, and revocation of certificates used in physical and digital access control systems, eliminating manual overhead and reducing risk of expired credentials.
Policy enforcement for critical infrastructure standards — Enforce certificate policies aligned with critical infrastructure protection requirements, including algorithm standards, key lengths, and validity constraints.
Integration with physical access control systems — Seamlessly integrate certificate management with PACS, enabling certificate-based badge authentication and automated credential provisioning for critical site access.
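As an added illustration of the device-certificate, mutual TLS and policy-enforcement points above (this is example code written for this page, not code from the original page or from any vendor product), the following Go program builds a constructed OT root CA and two device certificates, checks each against a hypothetical OT device policy (minimum RSA key size, maximum validity, a subjectAltName and the clientAuth EKU present, no MD5 or SHA-1 signatures) and then verifies the chain the way an mTLS server would. The policy thresholds, the CA name and device names such as rtu-0042 and legacy-plc are assumptions for the example; the directive itself prescribes none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical OT device certificate profile; its thresholds are assumptions, not CER requirements.
type Policy struct {
	MinRSABits  int           // RSA keys below this size are rejected
	MaxValidity time.Duration // device certificates must be short-lived
}

var OTDevicePolicy = Policy{MinRSABits: 3072, MaxValidity: 398 * 24 * time.Hour}

// CheckPolicy returns every violation so an inventory scan reports all problems at once.
func CheckPolicy(c *x509.Certificate, p Policy) []string {
	var v []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		v = append(v, fmt.Sprintf("RSA key is %d bits, policy requires at least %d", k.N.BitLen(), p.MinRSABits))
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		v = append(v, "weak signature algorithm "+c.SignatureAlgorithm.String())
	}
	if life := c.NotAfter.Sub(c.NotBefore); life > p.MaxValidity {
		v = append(v, fmt.Sprintf("validity of %.0f days exceeds the %.0f-day maximum", life.Hours()/24, p.MaxValidity.Hours()/24))
	}
	if len(c.DNSNames)+len(c.IPAddresses)+len(c.URIs) == 0 {
		v = append(v, "no subjectAltName: the device identity belongs in a SAN, not only the CN")
	}
	hasClientAuth := false
	for _, u := range c.ExtKeyUsage {
		hasClientAuth = hasClientAuth || u == x509.ExtKeyUsageClientAuth
	}
	if !hasClientAuth {
		v = append(v, "missing clientAuth EKU required for mutual TLS")
	}
	return v
}

// VerifyDevice checks the chain as an mTLS server would: it must reach the OT root and allow client authentication.
func VerifyDevice(dev, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSampleInventory constructs a root CA plus one compliant and one non-compliant device certificate.
func BuildSampleInventory() (ca, good, bad *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now().Add(-time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example OT Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // compliant RTU: P-256, one-year life, SAN, clientAuth
	if good, err = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rtu-0042"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), DNSNames: []string{"rtu-0042.ot.example.internal"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		ca, &goodKey.PublicKey, caKey); err != nil {
		return
	}
	badKey, _ := rsa.GenerateKey(rand.Reader, 1024) // legacy PLC: weak key, five-year life, no SAN, serverAuth only
	bad, err = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "legacy-plc"},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &badKey.PublicKey, caKey)
	return
}

func main() {
	ca, good, bad, err := BuildSampleInventory()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{good, bad} {
		fmt.Printf("%s: violations=%v chain=%v\n", c.Subject.CommonName, CheckPolicy(c, OTDevicePolicy), VerifyDevice(c, ca))
	}
}
```

The compliant RTU certificate passes both checks; the legacy PLC certificate collects four policy violations (key size, validity, missing SAN, missing clientAuth EKU) and is also rejected by chain verification because its EKU does not permit client authentication. In a real deployment the same two functions would run over certificates pulled from an inventory of IT and OT endpoints rather than over constructed ones, and the policy values would come from the entity's own certificate profile.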