The EU’s Critical Entities Resilience (CER) Directive is raising expectations for how organisations manage risk, shifting the focus from assessment to execution. For organisations delivering essential services, resilience is no longer defined by the breadth of risk coverage, but the ability to act on it.
An “all hazards” approach requires organisations to assess the full spectrum of threats and to connect them, from cyber and physical attacks to climate disruption and systemic failure. At the same time, the draft ISO/DIS 22316 on Resilience signals a broader shift from principle-based formats toward demonstrable resilience, grounded in testing, validation and measurable outcomes. For many critical entities, this exposes a familiar challenge. Across sectors including energy, transport, telecommunications, water and healthcare, risk assessments are already well established. Cyber, safety, security and continuity teams all produce robust analysis. The issue is not a lack of insight, but limited integration. CER exposes the disconnect between what risks organisations know and what they can connect and operationalise. The gap tends to lie between governance frameworks and real-world preparedness.
Why “all hazards” remains difficult in practice
Most organisations still manage risk through functional silos. Threat intelligence sits with security teams, vulnerability assessments with technical specialists, and resilience planning with business continuity functions. While individually mature, these disciplines often lack a shared language and a common prioritisation model.
As a result, decision-makers face competing narratives. Multiple “high-risk” issues emerge without a consistent basis for comparison. This makes investment decisions harder to sequence, whether the choice is between strengthening flood defences, reducing cyber exposure or addressing supply chain dependencies. Governance structures struggle to translate assessments into clear trade-offs, funded actions and measurable improvements.
In the Nordic countries, which are at varying stages of national implementation, the challenge is amplified by high levels of digitisation and cross-border interdependence. Critical services are deeply interconnected, meaning disruption rarely remains contained within one domain. An “all hazards” approach must therefore move beyond compliance and towards integrated, decision-relevant insight.
From assessment to insight: a scenario-led model
Delivering on CER requires a shift from static hazard lists toward understanding how threats exploit vulnerabilities to disrupt essential services. This is best achieved through scenario-led analysis that reflects real-world complexity. For example, a cyber incident could affect operational technology in an energy network, which may cascade into telecommunications and transport disruption. Severe weather may simultaneously impact power, access and workforce availability.
These scenarios reveal not just risks, but points of failure, dependencies and priorities for action. The critical step is linking intelligence to decisions: what must be protected, what level of disruption is tolerable and where investment delivers the greatest resilience uplift. This is where many organisations struggle—and where targeted support becomes critical.
Extending resilience beyond organisational boundaries
A defining feature of CER is its emphasis on systemic and supply chain risk. Many failures originate in third-party providers, contractors or shared infrastructure. In the Nordics, resilience is inherently collective due to regional integration, particularly across energy and digital networks.
This means that assessing vulnerability must extend beyond the enterprise. It requires visibility of supplier dependencies, contractual resilience expectations and operational interfaces that are often poorly understood. Without this, organisations risk overestimating their control and underestimating exposure.
Bridging analysis and action: the role of integrated capability
The true test of “all hazards” resilience is whether it delivers tangible changes in readiness: improved plans, targeted investments, realistic exercising and faster decision-making under pressure. Achieving this requires assessments that are integrated across disciplines and lifecycle stages.
Control Risks supports organisations in moving from CER narrative to operational reality, connecting threat intelligence, vulnerability assessment and operational resilience.
- Threat-led analysis combines geopolitical, cyber and security intelligence to contextualise risk
- Integrated vulnerability assessment spans physical, technical and organisational domains, including supply chains
- Scenario development and stress testing translates complex risk into decision-relevant insight
- Resilience capability building—including planning, exercising and crisis response—ensures organisations can act effectively under pressure
- Governance and prioritisation frameworks enable leadership teams to make informed, cross-domain investment decisions
This breadth is critical. CER readiness requires alignment across the organisation, supported by consistent methodologies and clear leadership engagement.
CER as a catalyst for operational resilience
For clients that fall within the category of critical entities, CER is more than a regulatory exercise. It is an opportunity to embed resilience into how decisions are made across investments, operations and partnerships.