Companies within critical infrastructure must prevent incidents, as prescribed by the EU CER directive. Andreas Norstedt, a security advisor at DBI – the Danish Institute of Fire and Security Technology, provides guidance on how to approach this.
What does incident prevention entail in the CER directive?
Incident prevention involves identifying and mitigating risks that could prevent critical infrastructure companies from delivering their services to society. This includes technical, organizational, and security measures to ensure that potential incidents do not escalate into critical disruptions.
The CER directive focuses on physical threats to critical infrastructure, whereas the NIS2 directive primarily addresses digital risks. The importance of the CER directive was highlighted by the Nord Stream sabotage in 2022, which underscored Europe’s vulnerability to targeted attacks.
How should companies proceed in practice?
To prevent incidents in line with the CER directive, companies must systematically manage risks. The first step is conducting a thorough risk assessment to identify potential threats and their consequences. These risks range from natural disasters, such as floods, to deliberate actions like sabotage and terrorist attacks. The goal is to evaluate the likelihood and impact of such incidents so that efforts can be prioritized towards the most critical risks in an emergency response plan.
Additionally, it is crucial to understand how different sectors and supply chains are interconnected. For example, a power outage in one sector may have cascading effects on others. Companies should therefore consider these ‘cascade effects’ when conducting risk assessments.
Once risks are identified, the next step is implementing preventive measures where feasible and appropriate. These may include physical security measures such as fences, gates, and bollards to prevent unauthorized access. Electronic surveillance, including video monitoring, alarm systems, and access control, ensures continuous monitoring and rapid threat detection.
These measures should be integrated into the company’s overall risk management strategy and documented in a security plan. Regular evaluations, testing, and drills help ensure that measures remain effective and adapted to an evolving risk landscape.
What is a good approach?
A strong starting point is to bring together key personnel from various company departments for a risk workshop. This should include representatives from finance, operations/production, HR, and IT. The workshop aims to identify and map out the most significant risks to the company’s critical assets. By gathering insights from multiple perspectives, a more nuanced understanding of potential threats and vulnerabilities emerges. Internal experiences should be combined with publicly available risk assessments to identify risks effectively.
Following the workshop, a detailed risk assessment should be conducted to analyze identified risks. The results form the foundation for prioritizing efforts against the most critical risks. Next, targeted preventive measures should be implemented, tailored to the company’s specific needs and context.
Are there pitfalls to be aware of?
One of the biggest mistakes companies can make is underestimating risks. Many overlook their dependencies on supply chains and other sectors, which can amplify the consequences of an incident. Therefore, it is crucial to map dependencies and understand potential consequences.
Data is a valuable resource in risk management, but there must be a balance between gathering sufficient data and avoiding excessive analysis. Efficiency lies in identifying key risks and responding in a timely manner rather than striving for perfection.
Limited resources can also hinder effective prevention. Insufficient investment in both human and technological solutions may result in inadequate measures that fail to meet CER directive requirements, weakening the company’s resilience. Resources should be prioritized based on a risk-based approach to ensure that the most critical areas receive the necessary attention.
Special considerations for the energy sector
The energy sector is subject to specific rules and requirements regarding incident prevention. Companies must conduct RVA analyses (Risk and Vulnerability Assessments), evaluating scenarios outlined by the Danish Energy Agency. It remains uncertain whether similar requirements will be imposed on other sectors, as this depends on how individual ministries implement the CER directive.