Many organisations have introduced and regularly tested extensive cybersecurity measures. The CER Directive requires exactly the same for physical security. The concept is identical – only the attack vectors are different.
Organisations that already take NIS2 seriously have learned: systematic testing is better than blindly trusting security measures. CER transfers this principle to the physical world – with the same legal consequences for non-compliance.
CER applies to operators of critical entities in eleven sectors – with significant overlap with NIS2. Many operators are subject to both directives simultaneously and must provide evidence on both levels.
CER explicitly places responsibility for physical resilience at board level. This means: managing directors and board members face personal liability if audit obligations are not fulfilled. It is not sufficient to delegate the matter to IT or the security officer. The duty to provide evidence lies with management – and so does the personal liability in the event of damage.
Article 13 CER defines concrete measures for physical resilience. A physical penetration test is the audit instrument for the most important ones – and the evidence that regulators expect.
Operators must ensure that only authorised persons have access to critical areas. A pentest shows whether these controls hold up in practice – or only exist on paper.
Fences, cameras, lighting, and barriers must be effective. We test whether they actually stop a determined attacker – or merely serve as a deterrent.
Not all threats come from outside. Social engineering and insider scenarios show how resilient your organisation truly is against internal risks.
Employees are the first and last line of defence. We test whether they recognise tailgating, pretexts, and manipulation attempts – or willingly hold the door open.
How quickly is a physical intruder detected and reported? We test the detection and response capability of your organisation under realistic conditions.
Servers, control systems, operations centres: the most sensitive areas need the highest protection. We test their security specifically – and show where the gaps are.
Systematic, documented, and CER-compliant – our approach delivers the evidence the directive requires and regulators expect.
Which areas, buildings, and scenarios should be tested? We jointly define the scope – taking your operational requirements and CER obligations into account.
Information gathering about your site, publicly visible security measures, employee movements, and potential entry points.
Simulated break-in attempt under realistic conditions: tailgating, lock picking, perimeter tests, social engineering – within the agreed scope.
Complete logging of all test actions, findings, and timestamps. Assessment by severity, exploitability, and regulatory relevance.
Complete report with all findings, recommendations, and CER mapping per Art. 13. Suitable as audit evidence for regulatory authorities and management.
CER focuses on physical resilience. These three modules cover the central requirements of the directive – and deliver the evidence regulators expect.
Simulated break-in attempt at your facilities: tailgating, lock picking, perimeter tests. The core module for CER evidence – we test whether unauthorised access is possible.
Phishing, vishing, personal manipulation: most physical security gaps arise through the human factor. We show how far targeted deception goes.
For CER, the test alone is not enough – the evidence must also be documented and suitable for regulators. We deliver a structured final report as a complete audit document.