Employees should only have access to areas and systems relevant to their work. And trusted employees should also undergo background checks. Here, DBI shares useful advice on managing employees and performing background checks.
What does employee management mean under the CER Act?
Companies covered by the CER Act are responsible for protecting sensitive information and ensuring that essential societal functions can be maintained. This requires having control over who has access to what – and how that access is used and monitored.
It concerns not only internal employees but also regular suppliers such as cleaning and cafeteria staff, and external parties like visitors, contractors, and technical support. You must know who has access, where, and when – and ensure that it’s the right access with the right restrictions. This involves both technical and physical access control – and, not least, background checks.
What should companies do in practice?
The first step is to look at operations and organization: Which functions are critical for the company to deliver its part to society? Once that’s clear, you must assess how critical they are, and who has access to them.
From there, it’s about identifying which individuals – both employees and external parties – have access to various functions, and what rights they have. Do they have access to something they don’t need? And how do you ensure that only the right people have access?
At the same time, the risks associated with critical functions must be assessed. What needs protection? Who or what might threaten it? And what vulnerabilities exist? Once that picture is clear, you can decide which security measures are needed – technical, physical, and organizational.
An example: If you have a control room managing operations, you must decide who actually needs to enter it. Should cleaning staff, for instance, have access? If yes, their access can be limited so that their access card only unlocks the door during the time they are scheduled to be there. That’s the technical and physical aspect. The organizational aspect involves defining who has which tasks – and when they should perform them. Should external cleaning staff have unaccompanied access to the control room at all? And at what times of day should cleaning be done?
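The control-room scenario above combines a time-bounded entitlement (the card only works during the scheduled cleaning slot) with an organizational rule (external staff may not be unaccompanied). The following Python model, added here as an illustration and not code from DBI or the article, evaluates badge events against such per-door access windows and keeps an audit trail so that denied attempts can be reviewed. Card numbers, door names, schedules and timestamps are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessWindow:
    """One permitted window for a door: which weekdays (0=Mon .. 6=Sun),
    from which time to which time (inclusive), and whether an escort is needed."""
    weekdays: frozenset
    start: time
    end: time
    escort_required: bool = False

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() <= self.end


@dataclass
class CardPolicy:
    holder: str
    category: str          # "employee" or "external"
    windows: dict          # door name -> list of AccessWindow


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: CardPolicy, door: str, at: datetime, escort_present: bool) -> Decision:
    """Least-privilege check: a card opens a door only inside a scheduled window,
    and only with an escort where the window demands one."""
    windows = policy.windows.get(door)
    if not windows:
        return Decision(False, "no entitlement for door")
    for w in windows:
        if w.contains(at):
            if w.escort_required and not escort_present:
                return Decision(False, "escort required")
            return Decision(True, "within scheduled window")
    return Decision(False, "outside scheduled window")


# Audit trail of every badge event, allowed or not, for later random checks.
audit_log: list = []


def badge_event(policies: dict, holder: str, door: str, at: datetime, escort_present: bool = False) -> Decision:
    policy = policies.get(holder)
    decision = Decision(False, "unknown card") if policy is None else evaluate(policy, door, at, escort_present)
    audit_log.append({"holder": holder, "door": door, "at": at.isoformat(),
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def denied_attempts(log=None) -> list:
    """Entries worth reviewing: denied attempts, grouped nowhere, just filtered."""
    return [e for e in (audit_log if log is None else log) if not e["allowed"]]


def run_demo() -> list:
    """Constructed scenario: an external cleaner with a Mon-Fri 18:00-20:00 escorted slot
    for the control room, and an operator with round-the-clock access."""
    audit_log.clear()
    weekdays = frozenset(range(5))
    all_days = frozenset(range(7))
    policies = {
        "C-1001": CardPolicy("C-1001", "external", {
            "control_room": [AccessWindow(weekdays, time(18, 0), time(20, 0), escort_required=True)],
        }),
        "E-0042": CardPolicy("E-0042", "employee", {
            "control_room": [AccessWindow(all_days, time(0, 0), time.max)],
        }),
    }
    tue_evening = datetime(2024, 3, 5, 18, 30)   # Tuesday, inside the cleaning slot
    tue_morning = datetime(2024, 3, 5, 9, 0)     # Tuesday, outside the slot
    sat_night = datetime(2024, 3, 9, 3, 0)       # Saturday night
    return [
        badge_event(policies, "C-1001", "control_room", tue_evening, escort_present=True),
        badge_event(policies, "C-1001", "control_room", tue_evening),
        badge_event(policies, "C-1001", "control_room", tue_morning, escort_present=True),
        badge_event(policies, "C-1001", "server_room", tue_evening, escort_present=True),
        badge_event(policies, "E-0042", "control_room", sat_night),
        badge_event(policies, "X-9999", "control_room", tue_evening),
    ]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
    print("denied attempts to review:", len(denied_attempts()))
```

The escort flag stands in for the organizational decision in the text (whether external staff may enter unaccompanied); in a real system it would come from a second badge presented at the same reader or from a visitor-management record, which is an assumption of this model.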
Once measures are implemented, the work doesn’t stop there. They must be operated, maintained, and adjusted when things change – for example, when new equipment, processes, or threats arise. Random checks and tests should also be performed to ensure the measures work as intended.
An important part of employee management is verifying that nothing in an employee's background makes them unsuitable for their position. This is especially important for those with access to sensitive information or critical areas. You must know who you're letting in (identity verification) and whether they have "baggage" (e.g., a criminal record) that poses a risk. Therefore, background checks should be carried out during recruitment and when employees move into positions with more responsibility or broader access. In some cases, it may also make sense to repeat checks periodically.
What is a good approach?
It’s a good idea to start with a solid foundation – a thorough mapping and risk assessment. That means first gaining an overview of which functions, data, and systems are critical, and what needs protection, in order of priority. Then, assess which threats could affect them. Next, evaluate where the company is vulnerable to those specific threats. This provides a clear picture of where to act, and where it makes sense to invest resources.
Once that’s in place, it becomes easier to choose the right measures and maintain them over time. A good initial analysis can save the company a lot of trouble later – in both maintenance and documentation.
In the analysis, it’s important to get a realistic picture. Sometimes, daily practice looks different from what management believes. Things may be done differently in reality. Therefore, it’s beneficial to involve employees from different parts and levels of the organization, both in mapping and in the subsequent evaluation. This ensures that the measures work in practice, and don’t conflict with operations.
Are there pitfalls to watch out for?
A common pitfall is failing to think holistically. It’s not enough to protect individual systems or buildings – you need to understand the connections between operationally critical functions, sensitive information, and the people who have access to them. Security must therefore be considered broadly: organizationally, technically, and physically.
On the organizational level, it’s about having clear procedures, well-defined roles, up-to-date instructions, and employee involvement. Technical security includes access control and monitoring. Physical security covers everything from locks and doors to fences and gates. These three areas must be integrated so that the solutions don’t hinder each other, but actually work in practice for those who need to use them.
Another pitfall is neglecting suppliers and partners. Do they have access to buildings or systems? If so, the company must know who they are, whether they are reliable, and which security requirements they meet. This may require background checks on both the company and the individuals involved. The supplier agreement should also specify what they can and cannot do – for example, whether they may bring equipment or who may accompany them inside.
Furthermore, many companies covered by the CER Act will also fall under NIS2. Therefore, it makes sense to think of physical and digital security together, and to avoid IT and operations working in separate silos. Cross-functional collaboration can both enhance security and save resources.