Implementing the CER Directive: strengthening Belgium’s resilience

Discover how the CER Directive reshapes resilience obligations for critical entities in Belgium.

In brief

• The CER Directive introduces an EU-wide framework to boost critical infrastructure resilience and ensure continuity of essential services amid rising cross-border threats.
• Belgium implements this directive through the Act on the Resilience of Critical Entities, introducing harmonized criteria and resilience obligations for critical entities across 11 key sectors.
• With limited time after designation, critical entities should act now, by tracking national updates, assessing risks, and preparing for compliance.

In an increasingly interconnected world, the resilience of critical entities is more vital than ever. Therefore, the EU adopted the Critical Entities Resilience Directive (CERD) in 2022. The directive has been in force since January 2023 and marks a major shift in how critical entities across Europe prepare for and respond to disruptions. To implement the CER Directive at national level, Belgium introduced the Act on the Resilience of Critical Entities (Wet betreffende de weerbaarheid van kritieke entiteiten), published in the Belgisch Staatsblad on 19 January 2026. The Act adapts the directive’s requirements to Belgium’s complex regulatory environment and establishes a comprehensive framework for the identification and oversight of critical entities. Its entry into force has significant compliance implications for all critical entities operating on Belgian territory.
 

A broader, more integrated approach

The predecessor of the CER Directive, the European Critical Infrastructure (ECI) Directive of 2008 focused narrowly on the energy and transport sectors. As Europe’s economy grew more interconnected, it became clear that essential services depend on wider, cross-sectoral networks spanning public and private entities, with its scope encompassing entities across eleven sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, space, and food) as well as related subsectors such as electricity and gas supply, air and rail transport, hospitals, data centers, and food processing.

The broader scope of the CER Directive requires Member States to update their national legal frameworks accordingly. In Belgium, this has resulted in the adoption of the Act on the Resilience of Critical Entities, which replaces the 2011 Law on the Security and Protection of Critical Infrastructure (KI‑wet). The updated legislation establishes a comprehensive framework to address all kinds of modern threats, from cyberattacks and natural disasters to hybrid warfare and public health crises.

Under this framework, sectoral authorities will identify critical entities by July 2026, organizations whose disruption could severely affect the delivery of essential services. The Nationaal Crisiscentrum (NCCN) will coordinate the national implementation and facilitate cross-border cooperation across the EU. While the law introduces new compliance and reporting obligations, it also ensures strong institutional support through the NCCN and EU-level guidance, helping organizations in essential sectors enhance their resilience, ensure business continuity, and build greater trust with regulators, partners, and the public.
 

Key provisions: what is changing?

Expanded scope and harmonized criteria

The Belgian Act aligns with the CER Directive by introducing harmonized criteria for identifying critical entities across all relevant sectors. An entity is considered ‘critical’ if it:

• Provides one or more essential services (defined in the sector definition)
• Operates within Belgian territory
• Would significantly affect the continuity of essential services if disrupted, either directly or through interdependencies with other sectors.

Entities operating in at least six EU Member States may be designated as ‘critical entities of European significance’ and subject to additional oversight by the European Commission. In Belgium, the NCCN will coordinate the identification and supervision process, in cooperation with the relevant sectoral authorities. To ensure legal continuity, all operators previously identified under the KI-wet will automatically be recognized as critical entities as of 17 July 2026.
 

New obligations for critical entities

With the implementation of the CER Directive into Belgian law, designated critical entities are now subject to a comprehensive set of resilience obligations. Within nine months of notification, each entity must be compliant with the law:

• Conduct a risk assessment based on threats identified by OCAD through a strategic common threat assessment.
• Develop and implement a resilience plan (Weerbaarheidsplan van de Kritieke Entiteit (W.P.E.), within ten months of notification, covering:
  • Risk reduction and climate adaptation
  • Physical protection of infrastructure
  • Business continuity management
  • Crisis management and recovery procedures
  • Regular staff training and exercises
• Designate a 24/7 single point of contact (SPOC) for communication with authorities.
• Report any incident that has occurred, or is likely to occur, which could significantly disrupt the provision of essential services within 24 hours, and submit a detailed incident report within one month.
• Request background check for personnel in sensitive roles, subject to national approval.
   

The Act also retains the concept of critical infrastructure alongside critical entity, allowing authorities to distinguish between the organizational level (the entity) and the physical level (the infrastructure). While sectoral authorities identify the entities, these entities must, within six months, map and maintain an up-to-date list of their critical infrastructure.
 

Strengthened governance and oversight

Belgium’s federal structure is reflected in the governance framework, with responsibilities distributed across national, sectoral, and local levels. The NCCN serves as the central authority, coordinating implementation, supporting sectoral authorities, and facilitating cross-border cooperation. It will also develop Belgium’s national resilience strategy by 17 January 2026, outlining the country’s approach to strengthening critical entities.

Sectoral authorities, representing federal, community, and regional levels, will conduct risk assessments by 17 January 2026 and designate critical entities within six months. Each designated entity will receive a formal notification, and local authorities (mayors, provincial governors) will be informed to enable the planning of external protection and emergency measures.

Oversight is enforced by dedicated inspection services, empowered to conduct audits, mandate corrective actions, and impose sanctions for non-compliance:

• Criminal sanctions: Imprisonment (8 days to 1 year) and/or fines (€26 - €10,000);
• Administrative fines: €500 to €125,000, doubled for repeat violations within three years.

SICAD (Communication and Information Service) ensures rapid information-sharing by promptly notifying relevant authorities of any incident that could significantly affect the delivery of essential services.
 

Preparing for compliance: what should critical entities do now?

With the Belgian Act on the Resilience of Critical Entities now in force and the January 2026 identification deadline approaching, critical entities should take proactive steps to ensure timely compliance and avoid last-minute pressure. Key steps include:

1. Monitor implementation and guidance: Closely follow Belgium’s ongoing implementation of the Act, including guidance issued by sectoral authorities, the NCCN, and other competent bodies, as well as sector‑specific requirements and timelines.
   
   
2. Engage with competent authorities and peers: Actively engage with regulators, sectoral authorities, and industry peers to clarify designation status, procedural expectations, and supervisory practices.
   
   
3. Assess, implement, and strengthen resilience measures: Review and update existing risk assessments, policies, and continuity plans; invest in appropriate training and technology; and ensure internal governance and operational processes are fully aligned with the obligations under the Act.
    

The broader resilience landscape

The CER Directive is a cornerstone of the EU’s resilience strategy, complementing frameworks like NIS2 (cybersecurity) and DORA (financial sector resilience). In Belgium, the national Act ensures alignment with NIS2, treating designated critical entities as essential entities under NIS2 to streamline cooperation with the Centre for Cybersecurity Belgium.

The directive also integrates with sector-specific standards (e.g., ENTSO-E for energy, WHO for healthcare) and the 2024 EU Blueprint for Coordinated Response, which enhances cross-border crisis management. By integrating these frameworks, Belgium and the EU establish a cohesive, interconnected system to safeguard critical infrastructure and maintain the continuity of essential services.

Certain sectors, such as financial institutions and digital infrastructure, are already covered by robust EU regulations like DORA. To avoid duplication, obligations in the CER Directive generally do not apply to these sectors, though Belgium may introduce additional measures if sector-specific rules are deemed insufficient.

For the public sector, the framework is adapted to exclude regional authorities, focusing only on central government entities. Sectors related to national security, defense, law enforcement, and nuclear energy are largely exempt, reflecting their sensitive nature.
 

How EY can help

Navigating the complexities of the CER Directive requires expertise and strategic planning. EY offers tailored support, including:

• Gap analysis to align existing resilience measures with CERD requirements.
• ISO 22301 certification and Business Continuity Management (BCM) framework implementation.
• Resilience training and crisis simulations to build internal capacity.
• Crisis management drills to prepare leadership and staff for real-world disruptions.

With deep sectoral knowledge and regulatory experience, EY helps organizations not only achieve compliance but also build lasting resilience.