Category: articles | 9 July 2026

When Critical Infrastructure Clients Call After 17 July, Have These Answers Ready

Brian Iselin

Brian Iselin

News and Trends Writer (EMEA), AVIXA

View Author

On 17 July 2026, the deadline set by the EU’s Critical Entities Resilience Directive for member states to identify their critical entities arrives.

The Critical Entities Resilience (CER) Directive is the EU framework designed to improve the resilience of organizations that provide essential services across sectors such as energy, healthcare, transport, finance, and digital infrastructure.

Once a state identifies an entity as critical, that operator’s obligations start running immediately: risk assessments, resilience plans, and proof that its suppliers meet the same standard. The Directive itself sets out the eleven sectors in scope and the 17 July identification deadline. For AV integrators serving venues, data centres, energy sites, hospitals, and transport hubs, this is the moment your installed base becomes something your client has to account for in an official filing.

Do not assume this looks the same in every country you work in, or that the date itself is fixed everywhere. Germany’s implementation of that same deadline moved in June. Two Nordic states have been ready for over a year; a third has just been referred to Europe’s highest court for not transposing it at all. The one thing that has not moved is what your clients will now ask you for.

That last point is the one worth sitting with. Whichever country you work in, and whatever stage its national law has reached, the questions a designated or soon-to-be-designated client puts to its suppliers are converging on the same shape: which AV systems sit inside the scope of CER, why the compliance calendar differs by country, and what you need to have ready before the phone rings rather than after.

Which AV Systems Will Your Clients Scrutinise?

When a client works out it is in scope, its first job is to map which systems affect its ability to keep delivering an essential service. AV rarely sits at the centre of that map, but it rarely sits outside it either.

Control rooms are the obvious case. Energy operators, transport authorities, and banking back offices depend on the visual information systems, communication networks, and real-time displays that keep an operation legible to the people running it. If those screens go dark during an incident, the people running that operation lose their ability to coordinate a response at the exact moment they need it most.

Meeting and communication systems carry weight too. A data centre needs dependable monitoring, recording, and incident communication. A hospital needs coordinated visual communication during an emergency. A transport hub depends on passenger information and coordination systems that cannot fail quietly.

The scope is wider than most integrators assume. CER covers eleven sectors: energy, transport, banking, financial market infrastructure, health, drinking water and wastewater, food, digital infrastructure, public administration, and space. Digital infrastructure operators, cloud providers, and data processors sit inside that net. So do organisations providing an essential service to six or more member states, which the Directive marks out for extra coordination as entities of particular European significance.

That last category matters more to European AV integrators than it first appears. If your client runs a chain of venues, data halls, or transport interchanges across several member states under a single group contract, a disruption at one site can trigger obligations that reach across the whole estate. 

A signage network operator working from Frankfurt to Copenhagen to Rotterdam answers to three different national authorities on what looks, from the inside, like a single account. Integrators bidding for multi-country group contracts should expect the tender documents to start reflecting that reality this year, even where the client has not yet said the word CER out loud.

A Patchwork, Not One Date

Here is where most trade coverage oversimplifies. The 17 July deadline binds member states to identify their critical entities. What that means for your actual client, and by when, depends on where they operate. A single infographic showing one EU-wide date, which is what most vendor blogs and even some law-firm client alerts have been circulating this year, will mislead you the moment your client base spans more than one country.

Germany’s KRITIS-Dachgesetz, in force since 17 March 2026, originally set operator registration at three months after designation, no earlier than 17 July 2026. In June, the Bundestag struck that fixed date, because the ordinance defining which facilities count as critical has still not been finalised. Registration for German operators now falls three months after that ordinance takes effect, whenever that turns out to be. If a German client tells you they know their compliance date with certainty, check which version of the law they are reading.

The Nordics are not moving together either. Finland and Denmark transposed CER into national law over a year ago and are already operating under it. Sweden has not transposed it at all: in April, the European Commission referred Sweden, along with Bulgaria, France, Luxembourg, the Netherlands, Poland, and Spain, to the Court of Justice of the European Union for failing to do so. If you work with Swedish clients who believe CER does not yet apply to them, that belief is currently correct in law and entirely fragile in practice. Referral to the Court is what precedes enforcement, not what replaces it.

The UK sits outside all of this. CER is EU law, and the UK’s own critical national infrastructure regime, run through the NCSC, is a separate regime with its own separate obligations. Do not quote a UK client their CER date. Ask instead what their NCSC-aligned obligations already require, because the substance overlaps even where the legal instrument does not.

This matters practically for integrators working across the UK and the EU on the same account. A financial services client with a London trading floor and a Frankfurt data centre is managing two regimes that ask broadly similar questions in different legal language, on different timetables, supervised by different authorities. Treat them as genuinely separate conversations rather than one compliance programme with a translation layer.

What Clients Will Demand From You, Regardless Of The Date

None of that uncertainty changes what a client who suspects it is in scope will ask you. The compliance clock, wherever it starts, forces entities to document resilience measures and prove it to suppliers as well as regulators. Expect four questions, in some order.

Can you show how this system is patched and maintained? They want a schedule, a testing process, and a rollback plan in writing, ready to hand over on request.

What happens if this system is compromised, and who do we call? They want an incident response plan and an escalation path, with response times attached to it. AVIXA’s reporting on public-facing AV security makes the point sharply: a Barcelona train station lost an entire afternoon of service in 2025 not because a screen failed, but because nobody had decided in advance what to do when it did.

How long will you support this equipment? They want a stated end-of-support date. CER expects support periods to reflect a product’s realistic working life, and critical infrastructure clients are now far enough into this process to know the difference between a real answer and a sales one.

What security measures have you implemented? They want to know whether you hold, or can credibly work towards, a recognised standard such as ISO/IEC 27001, and whether you can produce evidence rather than opinion.

Do not assume that only formally designated clients will ask these questions. Plenty of organisations that sit close to the thresholds, without knowing for certain whether they will be designated, are choosing to comply as though they already are. It is cheaper to build the documentation once than to explain to a regulator why it does not exist. If your client’s procurement team has started asking questions that sound like this brief, treat that as a signal in its own right, whatever the official designation status happens to be on paper.

What To Have Ready

You do not get to wait for a single tidy deadline before doing this, because there is not one. Prepare as if the call could come from any client, in any country, at any point this year.

Write down your patching and update process in enough detail that an outside auditor could follow it without your help in the room. State your support periods per product line, including what happens the day support ends. Build an incident response plan with named contacts and response-time targets, rather than an assumption that someone will improvise well under pressure.

Audit your own supply chain for components with known vulnerabilities or approaching end of life. If you lack in-house security expertise, commission a third-party assessment rather than guessing at your own posture. AVIXA’s conversation with Diversified’s Tyler Bonner on mission-critical utility work is a useful listen for what this looks like once it is actually running rather than only promised.

Build relationships with your local security community rather than working this out alone. The rules differ enough between Germany, the Nordics, and the UK that a general policy statement will not survive contact with a specific auditor. Know which regime your client actually sits under before you promise them anything.

My Verdict

CER runs on different clocks in different countries, and all of them converge on the same demand: prove your own resilience, and prove your suppliers’ resilience too. Germany moved its own goalposts in June. Sweden is being taken to court for failing to transpose the Directive at all. Your clients, whichever of those positions they occupy, will still ask you the same four questions. Have the answers ready before they call, not after.

CER Readiness Checklist for AV Integrators

  • Asset inventory

  • Patch management policy

  • Firmware update schedule

  • End-of-support documentation

  • Incident response contacts

  • Escalation procedures

  • Third-party security assessment

  • ISO 27001 or equivalent evidence

  • Supplier vulnerability disclosures

Solutions in this article

More News and Trends from the EU