Building a Safe Future: A Strategic Approach to the Resilience Act for Critical Entities


The CERD (in the Netherlands: WWKE) requires eleven sectors to enhance their resilience. Prepare your organization for this law and a safer future.


In brief:

  • WWKE requires eleven sectors to be resilient against disruptions such as cyber attacks, floods and technical failures.

  • Organizations must prepare risk analyses, continuity plans and incident protocols within ten months of designation.

  • Strategic resilience provides competitive advantage, increases investment confidence and strengthens operational efficiency.

In response to an increasingly volatile global landscape, the EU's Critical Entities Resilience Directive (CER Directive) is set to fortify the backbone of Europe's essential services. In the Netherlands, the Wet Weerbaarheid Kritieke Entiteiten (WWKE) will be transposed into national law in Q2 2026. This law covers a wide range of eleven sectors and requires organizations that are crucial to our economic and societal functions to enhance their resilience. The WWKE is more than a legal requirement; it is an opportunity to increase both strategic adaptability and competitive strength. Discover how you can prepare your organization for the challenges of tomorrow and shape the future with confidence.

Why is the CER Directive significant?

Organizational resilience is now a legal expectation in the Netherlands (and the EU). The WWKE fosters a proactive stance against a spectrum of threats, from natural calamities to sophisticated cyber and terrorist attacks. The WWKE emphasizes the need for organizations to develop strong adaptability and a robust incident response process.

Disruptions occur more frequently than is shown in the media. Below, we have selected three practical examples of disruptions that will fall under the reporting obligation of the Resilience Act for Critical Entities (WWKE) starting Q2 2026. All of these examples have been in the news.

Is your organization impacted by the WWKE?

Due to the broader sector coverage of the WWKE, many organizations, including those that previously had little to do with resilience mandates, now fall under this regulation. An important aspect is that the CER Directive is not limited to large entities; it recognizes that even smaller organizations can have (inter)national impact. The ministries related to the sectors below designate critical entities themselves. Some organizations are excluded from the law, such as the MIVD, AIVD, and Police, and there are three sectors where fewer articles apply, such as banking, financial markets, and digital infrastructure.

When and how will your organization be impacted?

After the introduction of the WWKE into Dutch legislation, ministries will designate critical entities. Although the designation of critical entities may continue until July 2026, organizations have only ten months after designation to demonstrate compliance. Organizations likely to be subject to the WWKE are advised to start preparations immediately to avoid the potential risks of non-compliance.

Ultimately, designated businesses will be required to:

1. Conduct risk analysis, considering:

  • Scanning continuity risks and threat assessment (environmental, technological, geopolitical, man-caused and utilities & services);
  • Definition of the minimum viable company and identifying critical services (processes and activities);
  • Identifying critical dependencies (machines, locations, employees, IT/OT, data, third parties);
  • Mapping risks on critical dependencies, current measures, and evaluating remaining risks.

2. Develop resilience plans and measures.

3. Establish incident response and notification protocols.

How can I start preparing?

A good first step is to familiarize yourself with national legislation so you can assess whether your company will be designated as a critical entity. If so, it is important to understand the requirements of the WWKE.

Secondly, gain insight into the current maturity of your business continuity management. Then conduct a gap analysis to review and improve your continuity system. However, keep in mind that this is not a one-time exercise but requires continuous effort from your organization. Ensure you gain insight into your resource needs during and after the resilience program.

Just compliance or a strategic advantage?

The WWKE is not just about compliance; it offers companies the opportunity to adopt a strategic approach to resilience. The WWKE can be seen as a tool, rather than the end goal, for moving organizations from a reactive mindset to proactive and adaptive resilience capabilities. Business resilience is both a value-protecting and value-creating investment. By following a strategic approach, companies can:

  • Identify and leverage operational efficiencies that enhance resilience.
  • Increase external investors' willingness to invest in their organization.
  • Benefit from disruptions by being better prepared than competitors.
  • Foster innovation by integrating resilience into business models and practices.

Resilient enterprises are sustainable and capable of maintaining continuity despite production-disrupting threats. A solid methodology for operational resilience is crucial to achieve this. Resilient enterprises are also viable in the long term and can cope with strategic change and a rapidly evolving threat landscape. The figure below shows a mature process that anticipates short-term and long-term disruptions and allows your organization to adapt to deal with the new situation.

[Figure: EY organization preparation]

Want to know more?

Do you want to know if your organization will fall under the WWKE? Sign up below to stay informed about the WWKE and to be invited to workshops that help you understand national regulations regarding resilience, improve methodologies, and apply useful technologies for operational resilience programs.


Summary

The Critical Entities Resilience Act (WWKE), which will take effect in 2026, requires organizations in eleven sectors to develop strategic resilience against disruptions such as cyberattacks, floods, and technical failures. Within ten months of being designated, they must develop risk analyses, continuity plans, and incident response protocols. The WWKE offers not only a legal framework but also opportunities for competitive advantage and investment confidence. Practical examples demonstrate the urgency. Organizations are advised to start conducting a gap analysis and strengthening their resilience strategy now. This will help them build sustainable continuity and future-proof business operations.

