On 1 July 2025, Denmark's Act on the Resilience of Critical Entities (the "CER Act") enters into force. The Act transposes the CER Directive (Directive (EU) 2022/2557) and introduces binding resilience requirements for critical entities essential to societal functions, including utility providers and infrastructure operators.
Key implications
The CER Act transposes the Critical Entities Resilience Directive (Directive (EU) 2022/2557) and introduces binding resilience requirements for infrastructure operators and providers of services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment.
The CER Act mandates that entities designated as "critical" must actively manage physical and operational risks that could disrupt essential services. Measures may include physical security, crisis management protocols, business continuity planning and staff vetting procedures. Critical entities amongst other are required to:
- Prepare risk analysis, resilience plan, and implement procedures for incidents and disruptions
- Ensure physical protection of facilities and infrastructure
- Designate a liaison officer for competent authorities
- Notify authorities of incidents that significantly disrupt or may disrupt services—within 24 hours
Legal consequences of non-compliance include administrative enforcement, binding instructions, fines, and potentially criminal liability for legal persons.
Critical entities
The CER Act applies to both public and private entities operating in key sectors where essential services are performed. These key sectors amongst other include:
- Energy sector: Electricity, energy storage, gas, oil, hydrogen, district heating and cooling.
- Utility sector: Drinking water and wastewater services.
- Transport sector: airport infrastructure, railway infrastructure, road transport, public transport.
- Food sector: Large-scale industrial food production and processing, food supply and distribution.
- Digital infrastructure: internet exchange point service, domain name systems, cloud computing, and data center.
Notably, the CER Act does not apply to entities within the Energy Sector which are subject to the Act on Enhanced Preparedness in the Energy Sector (in Danish: "Lov om styrket beredskab i energisektoren").
Entities that operate infrastructure essential to the continuity of vital services may be formally designated as critical entities by the competent authority.
Criteria for identification
The competent minister in each sector will formally designate critical entities based on several factors, including:
- Whether the entity provides one or more "essential services" critical to public welfare or security.
- The location of the entity's critical infrastructure within Danish territory.
- The potential disruptive impact of an incident — measured by number of users affected, inter-sectoral dependencies, geographical scope, and lack of viable alternatives.
Entities serving six or more EU Member States may be classified as "critical entities of particular European significance", subject to additional oversight.
Process going forward
Entities identified as critical will be notified by the relevant sectoral authority - at the latest by July 2026. Within nine months of the notice, such entities must conduct a comprehensive risk assessment and within ten months, they must also implement proportionate technical, security and organisational resilience measures, and document these in a formal resilience plan.
Sector-specific regulations may be issued by the relevant ministers.
Proactive preparation is recommended to ensure swift implementation of measures necessary for compliance once formal notifications under the CER Act begin.
Entities expecting to be comprised by the CER Act may already now start to plan how to comply with the requirements of the CER Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
