Belgium has tabled a draft law transposing Directive (EU) 2022/2557, also known as the Critical Entities Resilience Directive (“CER Directive”), into national law. This proposal, sent to the Federal Parliament, outlines how critical entities will be identified and designated, introduces mandatory resilience exercises, and establishes both administrative and criminal sanctions for non-compliance.
Although the text is a draft, it offers a clear signal of regulatory expectations and priorities. Given that the draft law was adopted by the relevant parliamentary committee on 2 December 2025, we expect the proposal to be passed soon. Organisations operating in relevant sectors should already begin assessing their potential qualification and preparing internal governance structures.
What is the CER Directive?
The CER Directive establishes an EU framework to enhance the resilience of critical entities against a wide range of threats (natural, accidental, malicious or systemic). It replaces the European Critical Infrastructure Directive (Directive 2008/114/EC) and shifts the focus from asset protection to systemic risk management and the continuity of essential societal functions.
The Directive applies to entities in the following sectors and sub-sectors, as specified in its Annex:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Digital infrastructures
- Drinking water
- Wastewater
- Public administration (central government entities as defined by national law)
- Space
- Food
Under the Directive, Member States identify and designate critical entities on a risk-based basis and oversee their compliance with resilience obligations. Identifications must be reviewed at least every four years.
The core obligations contained in the CER Directive cover the following matters:
- Risk assessment. Within nine months of notification and at least every four years, critical entities should conduct comprehensive, periodic risk assessments, taking into account interdependencies and relevant national/EU assessments.
- Resilience measures and resilience plan. A resilience plan should be established, maintained and implemented with proportionate technical, security and organisational measures in light of the risks posed to the critical entity.
- Incident notification. Significant incidents should be notified to the competent authorities within 24 hours, with a detailed follow-up report within one month where relevant.
- Cooperation and information. The CER Directive provides for cooperation with competent authorities and the sharing of necessary information to align internal resilience with external protection measures.
- Background checks. Critical entities may request background checks for certain categories of personnel, subject to national conditions and data protection rules.
- Continuity and staff security. Continuity arrangements, staff security measures and training are typically maintained as components of the resilience plan.
When designated as such, entities providing essential services to or in six or more EU Member States are subject to special compliance procedures due to their European significance.
The CER Directive was adopted together with Directive (EU) 2022/2555, otherwise known as the NIS2 Directive. The NIS2 Directive prescribes cyber resilience measures for a wider array of sectors than those included in the CER Directive. While the CER framework focuses on physical and operational resilience, entities identified as “critical” will generally also qualify as “essential entities” under NIS2. For certain sectors subject to detailed EU regimes (notably banking, financial market infrastructures and digital infrastructures), parts of the CER framework may not apply where equivalent obligations exist under sectoral law.
Belgian draft law: targeted specifications and additional obligations
On 27 September 2025, the Belgian Federal Government submitted its CER transposition draft law to the Federal Parliament. The proposal adheres closely to the Directive’s minimum harmonisation approach, but introduces targeted additions.
The principal additions are as follows:
- Resilience exercises and updates. Critical entities must periodically organise exercises to test their resilience plan and update their resilience plan based on the lessons learned from these exercises.
Royal or ministerial decrees may a) prescribe sector-specific frequency for exercises and updates to the resilience plan and b) set detailed rules for participation by relevant government services in these exercises.
- Sector-specific content and information. Sectoral authorities may specify the content of the resilience plan for their sector and impose additional information requirements.
- General cooperation principle. The draft law provides for a general principle of cooperation between critical entities and the competent authorities, aimed at aligning internal resilience and external protection measures.
- Sanctions. Enforcement mechanisms include both administrative and criminal sanctions:
  - Administrative fines: between EUR 500 and EUR 125,000. Fines are doubled if imposed within three years of a prior final sanction. Suspension of payment (sursis/uitstel) may be granted.
  - Criminal fines: imprisonment from eight days to one year and/or fines of EUR 26 to EUR 10,000 (with higher penalties for repeat offences).
- Governance and deadlines. Enforcement is more likely to be undertaken by sectoral authorities, in contrast to the more centralised enforcement model under the NIS2 compliance practices in Belgium (led by the Centre for Cybersecurity Belgium). The first obligations for critical entities are due six months after designation.
While Belgium’s draft CER law is still under parliamentary review, it represents a significant step toward completing the long-overdue transposition of the Directive, which was required by 17 October 2024. The proposal envisaged an entry into application in 2025, given that the first deadline found in the text (aimed at regulators) was set for 17 January 2026. We expect the proposal to be adopted soon, given that the draft law was adopted by the relevant parliamentary committee on 2 December 2025.
In the meantime, organisations in relevant sectors should treat the draft as a clear indication of forthcoming compliance expectations and begin aligning their internal structures accordingly.
Practical takeaways for organisations
- Monitor potential designation. Companies in listed sectors should monitor whether they are likely to be identified as critical entities in Belgium.
- Develop a resilience plan early. If designation is likely, begin assembling a compliant resilience plan using existing resources such as risk assessments, business continuity, crisis management, physical security and emergency planning.
- Prepare for resilience exercises. Be ready to conduct and document regular resilience exercises, updating plans based on lessons learned. Sectoral decrees could in the future define minimum frequency and authority involvement.
- Establish governance and contact points. Ensure internal governance structures and contact points are in place to cooperate with authorities, while protecting sensitive and commercially confidential information.
- Align with cybersecurity teams. Coordinate with cybersecurity (and NIS2) compliance teams to align physical and cyber resilience measures, incident response and regulatory engagement.
- Monitor the draft law’s implementation status. Keep a close watch on the legislative process for the Belgian draft law implementing the CER Directive to anticipate compliance.