The 2025 European Commission EU digital omnibus package: The CER Directive

The Digital Omnibus Regulation Proposal introduces targeted amendments to Directive (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities (the “CER Directive” or “CER”). The Proposal does not alter the designation of critical entities, the scope of sectors covered, or the substantive obligations relating to risk assessment, resilience measures, or incident notification under the Directive, including the incident notification duty in Article 15 CER. Instead, the amendments focus on procedural coordination and alignment, in particular with NIS2, with the stated objective of reducing duplicative reporting and improving supervisory coherence where the same incident triggers obligations under both regimes. CER already contains CER–NIS2 coordination provisions (including Article 1(2) and Article 6(4) CER, and sectoral carve-outs in Article 8 CER), and the Proposal is best understood as building on, rather than replacing, those existing interfaces.

Proposals most likely to be adopted and rationale

This Section addresses, in turn: (1) coordination of incident notification obligations between the CER Directive and NIS2; and (2) procedural alignment of supervisory engagement and information exchange between competent authorities.

1. Coordination of incident notification obligations with NIS2

The Proposal introduces targeted amendments to the CER Directive aimed at coordinating the incident notification obligations imposed on critical entities under Article 15 of the CER Directive with those applicable under Articles 23 and 30 of NIS2.

Under the Proposal, where the same incident triggers notification obligations under both the CER Directive and NIS2, notification may be effected through a coordinated reporting route (i.e., a shared submission channel), without prejudice to the substantive notification thresholds, content requirements, or addressees prescribed under each Directive. This coordination is a routing measure only and should not be read as collapsing the distinct legal tests, addressees, or supervisory functions under CER and NIS2. The Proposal does not remove or modify the obligation on critical entities to notify incidents having a significant disruptive effect within the meaning of Article 15 of the CER Directive, nor does it amend the notification timelines laid down in that provision, including the initial notification requirement (“without undue delay” and, unless operationally unable to do so, no later than 24 hours after becoming aware), with a detailed report to follow, where relevant, within one month.

This amendment is likely to be adopted because it:

  • preserves the independent notification obligations under Article 15 CER;
  • addresses widely recognised duplication where entities are subject to parallel notification duties under CER and NIS2; and
  • is framed as a procedural coordination measure rather than as a substantive change to the level of resilience or security required of critical entities.

In practice, adoption is most likely where the coordination rule is drafted to make clear that (i) one submission can satisfy two separate notification duties, but (ii) the entity must still apply and record both thresholds (Article 15 CER and Article 23 NIS2) and provide the information required by each regime.

2. Procedural alignment of supervisory engagement and information exchange between the relevant competent authorities

The Proposal introduces further amendments intended to facilitate procedural alignment between competent authorities operating under the CER Directive and those designated under NIS2.

These amendments relate, in particular, to the handling and exchange of information received following incident notifications under Article 15 CER, where that information is also relevant for NIS2 supervision and incident-handling. The Proposal does not amend the supervisory powers or enforcement measures set out in Articles 21 and 22 of the CER Directive, nor does it alter the designation or competence of national authorities. The existing CER text already anticipates operational coordination with NIS2 authorities in certain circumstances (including a mechanism allowing CER competent authorities to request NIS2 competent authorities to exercise supervisory/enforcement powers: Article 21(4) CER), and the Proposal’s alignment measures should be read against that baseline.

This element of the Proposal is likely to be adopted because it:

  • does not affect the allocation of supervisory competence established under the CER Directive;
  • supports more efficient oversight where the same entity is subject to parallel supervision under CER and NIS2; and
  • is limited to procedural alignment rather than substantive supervisory reform.

However, negotiators are likely to require express confidentiality safeguards to ensure that information shared across CER/NIS2 authorities remains subject to the CER handling requirements (including Article 15(3) CER) and does not expand access beyond what is necessary.

Proposals more likely to be challenged or rejected, and rationale

This Section addresses, in turn: (1) boundary and scope issues arising from the coordination of incident notification obligations between the CER Directive and NIS2; (2) confidentiality and onward use of information exchanged between authorities; and (3) issues of legal certainty arising from the drafting of the Proposal.

1. Boundary and scope issues in coordinated incident notification

The Proposal’s approach to coordinating incident notification obligations under Article 15 CER with those under Articles 23 and 30 of NIS2 raises questions as to the respective scope and continued autonomy of the two notification regimes.

While the Proposal seeks to avoid duplicative notifications where the same incident affects both the resilience of critical entities and the security of network and information systems, it does not fully articulate how competent authorities are to assess whether a single notification satisfies the distinct legal thresholds and objectives laid down in each Directive.

In particular:

  • Article 15 CER is concerned with incidents that significantly disrupt the provision of essential services by a critical entity;
  • Article 23 NIS2 is concerned with “significant incidents” having a significant impact on the provision of the entity’s services (as supported by network and information systems), triggering the staged notification model under Article 23(4).

These thresholds are not identical and are applied for different regulatory purposes. Accordingly, any single submission model will need to preserve (and evidence) two separate threshold assessments, even where the same factual event is being reported.

This aspect of the Proposal is more likely to be challenged because insufficiently clear coordination mechanisms risk blurring the distinct purposes of the two regimes. During negotiations, Member States and the European Parliament are likely to seek amendments clarifying that the coordinated notification routes do not substitute or collapse the separate legal assessments required under Article 15 CER. This point is sharpened in “borderline” cases where the disruptive effect is driven by non-cyber causes (squarely CER) versus cyber causes (typically NIS2), or where both are intertwined.

This means the coordinated route will likely need a clear mapping requirement (i.e., which information fields are provided to satisfy CER Article 15 and which to satisfy NIS2 Article 23), so that competent authorities can enforce each regime on its own terms.

2. Confidentiality and onward use of information contained in incident notifications

The Proposal gives rise to concerns regarding the handling of information submitted pursuant to Article 15 CER where such information is exchanged with authorities operating under the NIS2 framework.

The CER Directive contains specific provisions on the handling of sensitive information by competent authorities, including safeguards intended to protect security interests and confidential business information. In particular, Article 15(3) CER requires information that is notified under Article 15 to be handled in a manner that respects confidentiality and protects the security and commercial interests of the critical entity, as well as information security. By facilitating coordinated reporting and cross-authority information exchange with NIS2 authorities, the Proposal raises questions as to:

  • the legal basis for onward disclosure of information originally submitted under the CER framework;
  • the extent to which confidentiality protections under the CER Directive continue to apply once information is shared for NIS2-related supervisory purposes; and
  • the limits on further use or disclosure of information relating to vulnerabilities affecting critical infrastructure.

This element of the Proposal is more likely to be narrowed or supplemented, as legislators are likely to insist on express confirmation that coordinated reporting and information exchange do not weaken or bypass the confidentiality protections laid down in the CER Directive, including Article 15(3) CER and the parallel confidentiality handling obligations under NIS2, and that onward sharing does not widen access beyond what is necessary and legally permitted.

It is expected that specific drafting will be required to confirm: (i) who can access the notification within each regime; (ii) permitted onward disclosure; and (iii) that shared handling does not reduce the protection of sensitive security and confidential business information.

3. Issues of legal certainty arising from the drafting of the Proposal

The drafting of the Proposal raises issues of legal certainty in relation to how coordinated notification and supervisory engagement are to operate in practice under the CER Directive.

In particular, the Proposal relies on general formulations regarding coordination and alignment without specifying:

  • the legal effect of a notification submitted through a coordinated reporting route for the purposes of Article 15 CER;
  • how conflicts are to be resolved where there are divergent information requirements under the CER Directive and NIS2; and
  • the consequences where coordinated mechanisms are unavailable or fail to function as intended.

Given that Article 15 of the CER Directive imposes enforceable obligations on critical entities, these uncertainties are material. As a result, this aspect of the Proposal is more likely to be refined during the legislative process through additional drafting specifying the legal effect of a coordinated-route submission for Article 15 CER purposes (including timestamping, proof of submission, and deemed delivery to the competent authority); recitals clarifying the relationship between CER and NIS2 threshold assessments; and explicit fallback provisions to ensure compliance where coordination mechanisms cannot be used. In addition, negotiators may seek express clarification on how the coordination model is intended to operate for sectors affected by CER’s internal carve-outs (Article 8 CER) and the single point of contact architecture (Article 9 CER), to avoid fragmentation in cross-border incident handling and to ensure consistent routing where multiple authorities are involved.

As a result, a workable text will usually need (i) a “deemed receipt” rule, (ii) a clear fallback route where the coordinated channel is unavailable, and (iii) a rule stating that use of the coordinated route does not change the competent authority for CER purposes.