CER Directive in the food industry

The purpose of Directive (EU) 2022/2557 of the European Parliament and of the Council is to strenghten the resilience and preparedness of essential services across the European Union. The Directive harmonizes procedures for identifying critical entities and enhancing their resilience throughout the EU and establishes clear procedures for cooperation between Member States. 

The Finnish Food Authority acts as the supervisory authority for the food sector under the CER Directive and the national legislation implementing it. The so-called CER Act (Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience 310/2025) entered into force on 1 July 2025.

Scope of the CER Act

The CER Act implements the CER Directive on the resilence of critical entities. The legislation applies to eleven sectors that provide essential services to society, including the production, processing and distribution of food. According to the Annex to the CER Directive, the relevant category of entities in the food sector comprises food businesses as defined in Article 3, point 2, of Regulation (EC) No 178/2002 of the European Parliament and of the Council which are engaged exclusively in logistics and wholesale distribution and large scale industrial production and processing.

The obligations laid down in the Act apply to operators identified as critical entities by the ministry responsible for the sector. The Ministry of Agriculture and Forestry of Finland has identified the critical entities in the food sector. The operator has been notified by a separate decision of its identification as a critical entity. The identification decision remains in force for up to four years.

Act on Amendments to the Cybersecurity Act (369/2025) also entered into force on 1 July 2025. As a result of this Act entities identified as critical under the CER Act are also subject to obligations laid down in the Cybersecurity Act. Entities identified as critical under the CER Act are considered essential operators under the Cybersecurity Act, regardless of their size. 

Obligations of critical entities 

A food sector entity identified as critical must 

  • register in the list of operators referred to in the Cybersecurity Act,
  • implement cyber security risk management measures,
  • prepare a risk assesment and draw up a resilence plan and take the necessary measures to ensure resilience,
  • notify significant incidents.

Table 1. Timeline for the application of the CER Act

Table 1. Timeline for the application of the CER Act
Event Date Description Responsible Authority/Entity
Entry into force of the legislation 1 July 2025 The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience and the Act on Amendments to the Cybersecurity Act enter into force. Finnish Government
National plan and national risk assessment 17 January 2026 The Finnish Government adopts a plan and risk assessment concerning the resilience of critical entities. Finnish Government
Identification of a critical entity  17 July 2026 The Ministry of Agriculture and Forestry of Finland issues decisions identifying critical entities in the food sector. Ministry of Agriculture and Forestry of Finland
Incident notifying obligation under the CER Act 17 July 2026 The obligation applies to the critical entity from the date on which the identification decision is notified to the entity. Critical entity
Registration and incident notifying obligations under the Cybersecurity Act 17 October 2026 The obligations apply to the critical entity three months after notification of the identification decision.  Critical entity
Cyber security risk management obligation under the Cybersecurity Act   17 April 2027 The obligation applies to the critical entity nine months after notification of the identification decision. Critical entity
Risk assessment by a critical entity 17 April 2027 The risk assessment must be carried out within nine months of notification of the identification decision. Critical entity
Resilience plan 17 April 2028 A resilience plan must be drawn up within one year of completing the risk assessment. Critical entity

 

More information:

CER@ruokavirasto.fi

 

Page last updated 7/16/2026