NIS 2 vs CER Directive: cyber resilience next to physical resilience
Two directives, adopted on the same day, with the same transposition deadline, covering almost the same critical sectors from two different angles.
Two directives, one resilience package
On 14 December 2022 the EU adopted two directives in parallel. Directive (EU) 2022/2555 (NIS 2) is the cybersecurity directive. Directive (EU) 2022/2557 (CER) is the directive on the resilience of critical entities. Both had to be transposed by 17 October 2024.
NIS 2 protects network and information systems. CER protects the physical operation of critical entities against non-cyber threats such as natural hazards, sabotage, terrorism, insider attacks, and pandemics. The sectors covered overlap heavily, but the object of protection is different.
For operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space, both directives often apply in parallel. This wiki page sets out where the two meet and where they diverge.
NIS 2, Article 2(3) (verbatim)
This Directive applies to entities identified as critical entities under Directive (EU) 2022/2557.
Article 2(3) of NIS 2 makes the link explicit: an entity that a Member State designates as a critical entity under CER is in scope of NIS 2 and is treated as an essential entity under Article 3(1)(f) of NIS 2.
CER, Article 1 (subject matter, verbatim)
This Directive lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities within the scope of Article 5 are provided in an unobstructed manner in the internal market, in particular obligations on Member States to identify critical entities and to support critical entities in meeting the obligations imposed on them.
CER focuses on the continuity of essential services in the face of physical, natural, hybrid, and human-made threats. The cyber angle is left to NIS 2.
National transposition (Germany)
NIS 2 is transposed in Germany through the BSIG (NIS2UmsuCG draft). CER is transposed through a separate KRITIS-Dachgesetz (KRITIS umbrella act) led by the Federal Ministry of the Interior.
The two directives are transposed by two different national acts, supervised by two different federal agencies. As of June 2026 the German NIS 2 transposition is still in the legislative procedure, and the KRITIS umbrella act is in parallel draft status.
Sector lists overlap, but not perfectly
NIS 2 Annexes I and II list 18 sectors. The CER Annex lists 11 sectors. The energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space sectors appear in both. CER additionally covers production, processing, and distribution of food, which sits outside NIS 2.
Network and information systems vs physical service continuity
NIS 2 protects the cybersecurity of network and information systems used by the entity. CER protects the entity's ability to keep providing the essential service against physical, natural, and human-made disruptions. Same operator, two different risk lenses.
Critical entities under CER are essential entities under NIS 2
Article 2(3) NIS 2 routes any entity designated as a critical entity under CER directly into NIS 2 as an essential entity. The opposite does not hold automatically: being in scope of NIS 2 does not make an entity a critical entity under CER.
Cyber risk is not physical risk
NIS 2 Article 21 requires cybersecurity risk management measures (policies, incident handling, business continuity, supply chain security, access control, cryptography, and so on). CER Articles 12 and 13 require a risk assessment and a resilience plan covering physical protection measures, redundancy, business continuity, and personnel security. Evidence overlaps in places (for example business continuity plans), but the risk catalogue is different.
Often the same operator, two reports, two authorities
A water utility, a hospital group, an energy distributor, or a public administration body can hold obligations under both directives at the same time. That usually means two parallel risk assessments and two parallel reporting lines, one to the NIS 2 competent authority and one to the CER competent authority.
BSI
In Germany the Bundesamt für Sicherheit in der Informationstechnik (BSI) is the lead authority for NIS 2 implementation. BSI receives registrations and incident notifications and supervises the NIS 2 cybersecurity risk management measures.
BBK
The German lead for CER is the Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK), not BSI. BBK supervises the designation of critical entities and physical resilience under the planned KRITIS-Dachgesetz.
ENISA and the Critical Entities Resilience Group
On the cyber side, ENISA supports Member States and operators under NIS 2. On the CER side, the Critical Entities Resilience Group set up under Article 19 CER coordinates between Member States. The Commission supports both layers but the cyber and physical lanes stay institutionally separate at EU level.
CER also covers cybersecurity, so we only need one project
CER does not regulate cybersecurity. Recital 4 and the scope provisions of CER explicitly leave cyber risk to NIS 2. CER focuses on physical, natural, and human-made threats to the service. A cyber-only ISMS does not satisfy CER. A physical resilience plan alone does not satisfy NIS 2.
The two directives apply to exactly the same operators
Sector overlap is high, but not 100 percent. CER includes food production, processing, and distribution. NIS 2 includes ICT service management and several digital service categories that CER does not cover. And even where both apply, CER requires an explicit designation by the Member State, while NIS 2 mostly operates by self-identification against size and sector criteria.
KRITIS is the German CER transposition
KRITIS is a longstanding German concept that pre-dates both directives and is currently spread across BSIG, BSI-KritisV, and sector-specific laws. The planned KRITIS-Dachgesetz is intended to transpose CER, but it is not the same as the existing KRITIS perimeter, and it is not the NIS 2 transposition. Three separate workstreams, not one.
A regional energy distributor with around 400 employees runs one ISMS for NIS 2 (Article 21 risk management measures, incident notification to BSI within 24 hours, supply chain security, training). In parallel the same distributor runs a critical entity resilience plan under CER, covering physical site protection, redundancy of substations, personnel reliability checks, and business continuity for physical disruptions. The two plans share business continuity inputs but live under two separate governance lines.
In day-to-day practice the cleanest setup is a single risk register that tags each risk as cyber, physical, or both, and feeds two outputs: the NIS 2 cybersecurity risk management measures on one side, the CER resilience plan on the other. That avoids duplicating the asset inventory and the business continuity work while keeping the regulatory deliverables clearly separated.
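The single-register setup described above, sketched as an added Python example (not code from this wiki page or from any platform it describes). Every risk carries a lens tag, the two regulatory deliverables are derived views over the same list, a validation pass checks that each tag is backed by measures on the matching side and that "both" risks reference the shared business continuity plan, and an asset split shows which inventory entries would otherwise be duplicated. The risk ids, asset names, measure labels and the distributor's entries are constructed; the "Art21 ..." and "Art13 ..." strings are informal tags, not a legal mapping.

```python
"""One risk register, two regulatory deliverables.

Added illustration, not code from this wiki page or any product. Risk ids,
asset names, measure labels and the sample entries are constructed; the
"Art21 ..." / "Art13 ..." strings are informal tags, not a legal mapping.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Lens(Enum):
    CYBER = "cyber"        # NIS 2 only
    PHYSICAL = "physical"  # CER only
    BOTH = "both"          # must appear in both deliverables


@dataclass
class Risk:
    risk_id: str
    description: str
    lens: Lens
    assets: set                                      # keys into the shared asset inventory
    nis2_measures: set = field(default_factory=set)  # NIS 2 Article 21 measures (tags)
    cer_measures: set = field(default_factory=set)   # CER Article 13 measures (tags)
    bc_plan: str | None = None                       # shared business continuity plan id


# Constructed register for a fictional regional energy distributor.
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware on the SCADA jump host", Lens.CYBER,
         {"scada-gw-01", "it-mail-01"},
         nis2_measures={"Art21 incident handling", "Art21 access control"}),
    Risk("R2", "Flooding of the northern substation", Lens.PHYSICAL,
         {"substation-north", "substation-south"},
         cer_measures={"Art13 physical protection", "Art13 redundancy"},
         bc_plan="BCP-SUBSTATIONS"),
    Risk("R3", "Loss of the grid control centre (fire or cyber attack)", Lens.BOTH,
         {"control-centre", "scada-gw-01"},
         nis2_measures={"Art21 business continuity"},
         cer_measures={"Art13 redundancy"},
         bc_plan="BCP-CONTROL-CENTRE"),
    Risk("R4", "Insider tampering with substation equipment", Lens.BOTH,
         {"substation-north"},
         nis2_measures={"Art21 access control"}),  # CER side and BC plan missing on purpose
]


def nis2_view(register: list[Risk]) -> list[Risk]:
    """Risks that feed the NIS 2 Article 21 measures (cyber and 'both')."""
    return [r for r in register if r.lens in (Lens.CYBER, Lens.BOTH)]


def cer_view(register: list[Risk]) -> list[Risk]:
    """Risks that feed the CER resilience plan (physical and 'both')."""
    return [r for r in register if r.lens in (Lens.PHYSICAL, Lens.BOTH)]


def validate(register: list[Risk]) -> list[str]:
    """Completeness check: each lens tag must be backed by measures on that side,
    and a risk tagged 'both' must reference the shared business continuity plan."""
    problems, seen = [], set()
    for r in register:
        if r.risk_id in seen:
            problems.append(f"{r.risk_id}: duplicate risk id")
        seen.add(r.risk_id)
        if r.lens in (Lens.CYBER, Lens.BOTH) and not r.nis2_measures:
            problems.append(f"{r.risk_id}: tagged {r.lens.value} but no NIS 2 measure")
        if r.lens in (Lens.PHYSICAL, Lens.BOTH) and not r.cer_measures:
            problems.append(f"{r.risk_id}: tagged {r.lens.value} but no CER measure")
        if r.lens is Lens.BOTH and r.bc_plan is None:
            problems.append(f"{r.risk_id}: tagged both but no shared business continuity plan")
    return problems


def asset_split(register: list[Risk]) -> dict[str, set]:
    """Which inventory entries serve both deliverables and which serve only one.
    The shared entries are exactly the ones two separate registers would duplicate."""
    cyber = set().union(*(r.assets for r in nis2_view(register)))
    physical = set().union(*(r.assets for r in cer_view(register)))
    return {"shared": cyber & physical,
            "cyber_only": cyber - physical,
            "physical_only": physical - cyber}


if __name__ == "__main__":
    for p in validate(SAMPLE_REGISTER):
        print("PROBLEM", p)
    print("NIS 2 deliverable:", [r.risk_id for r in nis2_view(SAMPLE_REGISTER)])
    print("CER deliverable:  ", [r.risk_id for r in cer_view(SAMPLE_REGISTER)])
    print("asset split:", asset_split(SAMPLE_REGISTER))
```

Run as a script it flags R4 twice (no CER measure, no shared business continuity plan), which is the kind of gap that a cyber-only ISMS quietly leaves open on the CER side. The asset split is the argument for one inventory: three of the five constructed assets sit in both views.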
This platform implements NIS 2 Article 21 obligations as an obligation register: asset inventory, supplier inventory, risk register, incident handling, business continuity, training, and supervision evidence. CER is not in scope of the platform.
Operators that hold obligations under both directives can reuse the NIS 2 asset and supplier inventory as input to their CER resilience plan, but the CER resilience plan itself sits in a separate workstream supervised by the CER competent authority.
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS 2). EUR-Lex: 32022L2555.
- Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 (CER). EUR-Lex: 32022L2557.
- NIS 2, Article 2(3) on the link to CER. NIS 2, Annexes I and II on sectors.
- CER, Article 1 (subject matter), Article 5 (sectors), Article 6 (criteria for identification of critical entities), Articles 12 and 13 on resilience plans.
- Federal Office for Information Security (BSI), national NIS 2 implementation page.
- Federal Office of Civil Protection and Disaster Assistance (BBK), national CER implementation page.