The CER Directive

The CER Directive aims to increase the resilience of critical entities and includes areas such as physical security and personnel security.

CER stands for Critical Entities Resilience, and the directive supplements the NIS2 Directive. In Sweden, the CER Directive is expected to enter into force during 2026.

Entities covered by the CER Directive

Unlike the Cybersecurity Act, the CER Directive has no rule based on company size. An entity is to be identified as critical and thus covered by the law if it:

  • provides an essential service in or to Sweden by belonging to one of the sectors listed in the annex to the CER Directive
  • has critical infrastructure in Sweden
  • risks causing significant disruption in the event of an incident.

If an operator has been notified that it is a critical operator under CER, the following deadlines apply:

  • 9 months to carry out a risk assessment
  • 10 months to meet the remaining requirements.

After that, the competent authority may carry out inspections. In the Swedish Government Official Report (SOU 2024:18) it was assessed that the Swedish Energy Agency will be the competent authority for the energy sector.

The CER Directive and the NIS2 Directive, implemented in Sweden through the Cybersecurity Act, complement each other. This means that if your entity is covered by the CER Directive, it is also covered by the Cybersecurity Act.

Requirements imposed on critical entities

Entities that have been identified as critical entities must, according to the proposal in the Swedish Government Official Report:

  • Carry out a risk assessment that
    • covers all relevant risks
    • is updated when necessary and at least every four years.
  • Take measures based on the risk assessment to
    • prevent incidents
    • respond to and limit the consequences of incidents
    • protect premises and critical infrastructure
    • ensure appropriate personnel security
    • increase organisational awareness of resilience.
  • Establish and apply a plan for these measures.
  • Report incidents that may cause significant disruption.