European data center operators face an evolving regulatory framework that is placing new requirements on power infrastructure resilience, supply chain security and incident reporting. The two key instruments — the CER Directive and NIS2 — have specific implications for power supply that procurement teams need to understand.
THE CER DIRECTIVE — CRITICAL ENTITIES RESILIENCE
The EU Directive on the Resilience of Critical Entities (CER, 2022/2557) came into force in January 2023 and required transposition into national law by October 2024. It identifies data centers as potentially critical infrastructure in the digital infrastructure sector, with specific resilience obligations for designated critical entities.
Resilience measures: technical and organisational measures to prevent disruption
Incident reporting: notification of incidents affecting continuity to authorities
Supply chain security: assessment and management of supply chain risks
Background security checks: for personnel in sensitive roles
POWER SUPPLY RESILIENCE UNDER CER
The CER Directive does not specify technical standards for power supply resilience — that is left to member states and sector-specific guidance. However, it creates a framework within which power supply failures, transformer shortages and grid connection delays become reportable risk factors rather than purely commercial issues.
Data center operators designated as critical entities under CER need to formally assess their power supply risk — including transformer availability, grid connection redundancy, and supply chain dependencies for electrical equipment. This is no longer optional for designated operators.
NIS2 — NETWORK AND INFORMATION SECURITY
The NIS2 Directive (2022/2555) applies to digital infrastructure including data centers. Its most significant power-related requirement is supply chain security: operators must assess and manage risks arising from their suppliers, including electrical equipment suppliers.
This creates a formal compliance driver for the supply chain diversification that makes commercial sense anyway. A data center operator that has not assessed its transformer supply chain concentration risk is potentially non-compliant with NIS2 supply chain security requirements.
THE FRENCH IMPLEMENTATION
France has transposed CER into national law and applies its existing SAIV (Secteurs d'Activité d'Importance Vitale) framework for critical infrastructure designation. French data centers above certain capacity thresholds may qualify as Opérateurs d'Importance Vitale (OIV), triggering the most stringent regulatory requirements.
The French rare earth and permanent magnet plan (May 2025) adds a further layer: certain companies will be legally required to formalise supply diversification plans for critical inputs. This connects rare earth supply chain risk directly to data center compliance obligations.
PRACTICAL COMPLIANCE IMPLICATIONS
- Document your power supply chain: Map transformer manufacturers, grid connection dependencies and backup power sources as a formal risk register
- Assess geographic concentration: If your electrical equipment supply chain is concentrated in one country or region, this is a CER/NIS2 risk to document and mitigate
- Prepare for audit: National authorities are beginning to audit critical entity compliance; power supply resilience documentation will be reviewed
- Supply chain diversification plans: For entities subject to the French rare earth plan's diversification requirements, formal plans are mandatory
HOW GRIDREADINESS SUPPORTS COMPLIANCE
Our supply chain intelligence and audit services directly address CER and NIS2 compliance requirements. We help data center operators map their electrical equipment supply chains, identify concentration risks, and prepare the diversification documentation that regulators will increasingly require.