| Area | NIS2 | CER overlap | Practical handling |
|---|---|---|---|
| Scope and covered activity | NIS2 covers public or private entities in Annex I and Annex II sectors that meet the size-cap or special-case rules, and it also applies regardless of size to entities identified as critical under CER. | The grounded CER comparison point is critical-entity resilience alignment: Commission guidance says NIS2 and CER are aligned to address physical and cyber resilience of critical entities comprehensively. | Start with NIS2 applicability, then flag any critical-entity designation as both a NIS2 scope trigger and a resilience-coordination item. |
| Who must act | NIS2 work needs entity leadership, management bodies, security owners, incident-response teams, supplier-risk owners, legal or compliance, and national authority contacts. | CER-facing overlap needs the owner who tracks critical-entity identification, non-cyber risks, resilience facts, and communications with the competent authority responsible for critical entities. | Use one register if helpful, but assign named owners for cybersecurity controls, incident reporting, critical-entity status, and resilience evidence. |
| Trigger or threshold | NIS2 is triggered by Annex sector coverage, medium-size or larger status unless an exception applies, special-case inclusion, and critical-entity identification under CER regardless of size. | The grounded CER trigger for this page is identification as a critical entity, because NIS2 expressly uses that identification as a scope rule and the Commission describes the two regimes as aligned. | Do not wait for a cybersecurity incident to decide scope; run the NIS2 sector, size, special-case, and critical-entity checks before assigning controls. |
| Core obligations | NIS2 requires cybersecurity risk-management measures, significant-incident reporting, management-body accountability, supply-chain security attention, registration or notification for some entities, and evidence for supervision. | The grounded comparison is not a full CER obligation list; it is that critical entities may require coordinated treatment of cyber risks, non-cyber risks, threats, incidents, and supervisory information between NIS2 and CER authorities. | Treat NIS2 controls as mandatory cybersecurity work; treat CER-facing items as resilience coordination unless a separate CER source supports a more specific duty. |
| Evidence and records | Keep NIS2 records for entity classification, Article 21 controls, supplier security, management approval, Article 23 incident notifications, registration, authority requests, and supervision responses. | Keep overlap records for critical-entity identification, resilience and non-cyber risk facts, shared incident information, authority correspondence, and any request to coordinate supervisory activity. | Tag each file before reuse: NIS2 cybersecurity evidence, CER-alignment evidence, or shared evidence that must keep both source citations. |
| Timing and cadence | NIS2 timing includes national transposition and registration effects plus Article 23 incident reporting steps: early warning, incident notification, intermediate updates where relevant, and final reporting. | The grounded timing point for CER overlap is coordination: authority information exchange and Cooperation Group engagement with the Critical Entities Resilience Group are recurring cooperation mechanisms. | Track NIS2 incident clocks separately from critical-entity coordination cycles and authority requests. |
| Supervision and enforcement | NIS2 competent authorities supervise essential and important entities, with different supervisory treatment and enforcement powers for the two categories. | For entities identified as critical under CER, NIS2 authorities and CER authorities are expected to inform, cooperate, exchange information, and in some cases coordinate supervisory or enforcement activity. | Prepare separate authority-response material for NIS2 cybersecurity compliance and critical-entity resilience coordination. |
| Overlap and reuse | NIS2 can reuse service maps, supplier files, incident logs, continuity records, and asset inventories when they prove cybersecurity risk-management or reporting duties. | CER alignment can reuse those same records only for supported critical-entity, physical-resilience, non-cyber risk, incident, or authority-cooperation questions. | Reuse facts, not conclusions: the same incident log may support both workstreams, but the NIS2 reportability decision and the CER resilience question remain separate. |
| Practical decision rule | If the question is about Annex scope, essential or important entity status, Article 21 controls, Article 23 reporting, management bodies, or NIS2 supervision, route it to the NIS2 workstream. | If the question is about critical-entity designation, physical resilience, non-cyber risk exchange, or CER authority coordination, route it to the resilience owner and keep unresolved CER-only claims flagged until separately sourced. | Create a coordinated work item only when the same entity, service, incident, supplier, or authority request has both a NIS2 citation and a CER-alignment citation. |