What’s the Difference, and Why Does It Matter? · Riskonnect

The CER Directive and DORA are two major EU regulations focused on making organizations more resilient in different ways. But how do you know which one applies to your business? And if one (or both) does, what steps should you be taking right now to comply?
What Are CER and DORA?
At a high level, both CER and DORA aim to boost resilience, but they tackle different kinds of risks in different industries:
- The Critical Entities Resilience (CER) Directive concerns physical resilience for organizations in critical sectors. It centers on physical threats, like terrorism, natural disasters, and supply chain disruptions.
- The Digital Operational Resilience Act (DORA) specifically targets the financial sector and focuses on digital resilience. It ensures that financial institutions, as well as their technology partners, are prepared for cyber risks, like hacking and system failures.
CER and DORA both emphasize the need for strong cybersecurity and resilience for critical services in the EU. These laws help keep systems stable and secure in the face of serious threats.
So, Are You Affected?
Which of these regulations applies to your business? Here’s how to figure it out:
DORA, on the other hand, is specific to the financial sector, including:
- Banks
- Investment firms
- Insurance companies
- ICT service providers to these institutions
If you work in a financial institution and operate in a critical sector, such as banking, both regulations may apply to you. Additionally, even though CER and DORA cover different domains (physical vs. digital), they overlap when it comes to managing third-party risks. Both require you to assess how resilient your suppliers are, not just your own business.
What’s the Difference Between CER and DORA?
While the two frameworks have similar aims, they also differ in a few ways. Here’s how they compare when it comes to scope and requirements:
| | CER Directive | DORA |
|---|---|---|
| Focus | Physical resilience of critical infrastructure | Digital resilience and ICT management |
| Industries | 11 critical sectors | Financial sector |
| Primary Risks Addressed | Physical threats | Cyber threats |
| Key Enforcement Body | National regulators in each EU country | European Supervisory Authorities (ESAs) and national financial regulators |
| Penalties for Non-Compliance | National authorities can impose fines or revoke licenses | Heavy financial penalties and regulatory enforcement actions |
| Requirement | CER Directive | DORA |
|---|---|---|
| Risk Assessments | Mandatory every four years, covering physical risks to operations | Mandatory continuous ICT risk monitoring and testing |
| Incident Reporting | Physical security incidents must be reported to national authorities | Cybersecurity and ICT-related incidents must be reported to financial regulators |
| Business Continuity | Entities must develop continuity strategies for critical physical infrastructure | Firms must ensure full digital operational resilience, including system redundancies |
| Third-Party and Supply Chain Risk | Critical suppliers must be assessed for physical security resilience | Mandatory oversight of third-party ICT providers, including cloud services |
What Should You Do Now?
Whether you’re complying with DORA, preparing for CER, or both, here are five steps to get ahead of the curve:
1. Confirm whether you’re affected.
- If you’re in a critical sector, CER applies to you.
- If you’re in the financial sector, DORA applies to you.
If you’re still unsure, consult with your compliance or legal teams to confirm.
2. Identify the right stakeholders.
These regulations will impact multiple departments. You’ll need to engage teams across risk management, business continuity management (BCM), IT, compliance, and third-party risk management (TPRM). More specifically, they’ll involve:
- CER: Enterprise risk management (ERM), BCM, and supply chain management teams.
- DORA: Risk, cybersecurity, IT, and compliance teams.
3. Conduct a gap analysis.
Assess where your current systems fall short in meeting the requirements of either regulation. Focus on the following areas:
- Physical risk assessments (CER)
- Continuous ICT monitoring and testing of digital systems (DORA)
- Third-party vendor assessments (both)
4. Integrate across teams.
To streamline compliance with CER and/or DORA, integrate your governance, risk, and compliance (GRC) functions with your BCM and resilience efforts.
- Shared systems: Implement unified GRC and resilience software to track risk assessments, third-party risks, incidents, and compliance status across both domains. This ensures that ERM, TPRM, and compliance data are all connected and provide a single source of truth.
- Regular alignment: Schedule regular, cross-functional meetings between risk, compliance, IT, cybersecurity, and BCM teams. This keeps everyone aligned on progress, deadlines, and areas of improvement.
5. Create a compliance roadmap.
DORA became effective in 2025. CER, on the other hand, has a compliance timeline with deadlines starting in 2026 and continuing into 2027. Getting a head start will help your business avoid a last-minute rush.
How Risk Management Software Helps
Keeping up with new regulations can be daunting, but the right tools can simplify the process. Here’s how risk management software can bolster your compliance:
- Centralize all your risk data: Get the full picture on your compliance with both regulations by having your risk data – physical, digital, third-party, and more – in one place.
- Conduct gap analysis and continuous monitoring: With DORA, this is critical for ongoing ICT risk management, while for CER, it helps track and assess physical security resilience.
- Automate reporting and incident tracking: Both regulations require timely incident reporting; software automates that process, ensuring incidents are tracked and reported quickly.
- Collaborate across teams: Compliance requires input from multiple teams, and a risk management platform allows all stakeholders to collaborate on the same platform and ensures alignment.
- Manage your third-party risk: A software platform can assess and monitor your suppliers’ resilience across both physical and digital systems.
DORA is already in effect, and CER deadlines are quickly approaching. Now’s the time to assess your risk posture, get your teams aligned, and make sure your compliance strategy is set. By understanding which regulations apply to you, what actions to take, and how to streamline the process, you can make sure your organization is compliant – and resilient.
For more information on resilience, read GRC: The Definitive Guide, and learn more about operationalizing these regulations in your business by downloading our CER Directive and DORA fact sheets.