Could Your Cable Operation End Up on the EU’s July CER List?

At a Glance

• The EU Action Plan on Cable Security, adopted in February 2025 in response to Nord Stream and the wave of subsequent incidents, marked a policy shift placing critical infrastructure protection obligations directly on operators, now being formalized through binding CER Directive designations.
• EU member states must designate critical entities under the Critical Entities Resilience (CER) Directive by July 17, 2026, across eleven sectors covered by the Directive, including digital infrastructure and submarine cables.
• Companies likely to fall within scope include submarine cable operators, telecommunications providers, hyperscalers, cloud and data center operators, Transmission System Operators (TSOs), offshore energy operators, and other companies responsible for critical subsea connectivity and power infrastructure.
• Once designated, critical entities have 10 months to demonstrate compliance, meaning the operational deadline lands by May 17, 2027, at the latest.
• Operating cable infrastructure on EU soil can bring a company into scope under CER, regardless of where the parent company is headquartered.
• Designated entities must report any incident that disrupts or could disrupt essential services within 24 hours of detection, a standard that depends on detection capability AIS-only monitoring may struggle to meet when vessels operate dark.
• The EU Action Plan on Cable Security calls for stronger detection capacity around submarine cables, including solutions that automatically detect abnormal vessel behavior, especially when AIS is turned off or spoofed. 
• EU funding mechanisms, including Connecting Europe Facility Digital (CEF Digital), are supporting submarine cable infrastructure security and resilience investment, with €347 million allocated to cable projects in 2026.

The Policy Arc That Brought Cable Operators Into Scope

The September 2022 Nord Stream pipeline sabotage and the wave of subsequent incidents on European subsea infrastructure brought cable risk firmly into the policy picture. Debates followed over who bears responsibility for protecting critical subsea assets, governments or commercial operators. The EU Action Plan on Cable Security, adopted in February 2025, settled the direction by placing infrastructure protection obligations directly on operators. 

The Critical Entities Resilience (CER) Directive, which entered into force on January 16, 2023, is how those obligations are now being formalized into binding legal requirements across member states. The Commission has now adopted the list of essential services across the eleven sectors the Directive covers, including digital infrastructure. Member states have until July 17, 2026, to identify which specific companies and entities operating in those sectors are designated as critical.

Once designated, critical entities have 10 months to demonstrate compliance with the Directive’s operational requirements. That puts the latest possible compliance deadline at May 17, 2027.

Operators that prepare in advance can use those 10 months for actual compliance work rather than for scoping, gap analysis, and planning that should have been done before designation.

Many commercial operators currently assume they will not be on the list. That assumption is the risk.

Why You May Be on the List Without Realizing It

The CER Directive’s scope is broader than the term “critical entity” suggests. The Directive covers eleven sectors, and within each sector, member states identify the specific entities that provide essential services. The essential services list itself, adopted by the Commission, is the basis on which member states will conduct their designation assessments.

For cable infrastructure specifically, two things matter.

The first is that the headquarters location does not exempt an operator. If a company operates cable infrastructure on EU soil, that operation can fall within the scope of the member state’s designation assessment, even if the company is headquartered outside the EU. A U.S.-based operator with cable landing stations in France or Spain, a UK operator with cable transit through Dutch waters, and an Asia-headquartered hyperscaler with subsea routes terminating in EU member states are all potentially in scope.

The second is that “essential services” is the operative threshold, not commercial scale. An operator does not need to be the largest player in a market to be designated. The question is whether the services they provide are essential to the functioning of society, the economy, public health, safety, or the environment in the member state where they operate. For subsea cable infrastructure carrying intercontinental data, financial transactions, defense communications, and commercial cloud traffic, the answer is increasingly likely to be yes.

The practical implication is that a meaningful share of operators who currently view themselves as commercial market participants rather than critical infrastructure providers may find themselves designated. 

What CER Actually Requires

Operators designated as critical entities are expected to implement appropriate measures, set out in a resilience plan, to prevent incidents from occurring across the four-part resilience cycle the EU Action Plan on Cable Security outlines: prevention, detection, response and repair, and deterrence.

Within that framework, three obligations are likely to drive the largest operational changes for cable operators.

A Formal Resilience Plan 

Designated entities must implement measures across the resilience cycle, documented in a plan that the member state authority can review. The plan must cover: 

• Prevention Measures: Reducing the likelihood of an incident occurring.
• Detection Capability: Identifying threats and incidents as they emerge.
• Response and Recovery Procedures: Coordinating incident response with public authorities, restoring essential services as quickly as possible, and maintaining business continuity during disruptions.
• Deterrence Posture: Implementing physical and operational measures that make critical infrastructure a harder target, coordinating with national authorities on enforcement, and supporting evidence collection that enables accountability for malicious actors.

Incident Detection and 24-Hour Reporting

Designated entities must report any incident that disrupts or could disrupt the provision of essential services within 24 hours of detection. The reporting clock starts when the incident is detected, which places meaningful pressure on reporting workflows. The Directive also emphasizes detection capability as a separate operational requirement, which is where many operators will find existing systems do not meet the standard.

Impact Measurement and Reporting Methods

Operators must be able to demonstrate not just that an incident occurred, but its operational impact, the scope of disruption, and the recovery posture. Reporting methods and tools that are sufficient for internal operational purposes are not necessarily sufficient for regulatory reporting under CER.

Industry analysis of the Directive has highlighted that critical entities will need to review and revamp their incident detection, impact measurement, and reporting methods and tools to meet these reporting deadlines and requirements, and that the requirement is likely to be technology-enabled. Operators that wait until designation to consider this are starting later than the timeline supports.

Why AIS-Only Monitoring Cannot Meet the Detection Standard

The 24-hour detection-and-reporting requirement is where the regulatory expectation collides with the operational reality of how many cable operators currently monitor their infrastructure.

AIS-based monitoring has been the industry default for tracking vessels operating near subsea cable corridors. It is also, by design, a cooperative signal. Vessels broadcast their AIS voluntarily, and the system can be switched off or manipulated by any operator who does not want to be seen. The behavior is observable in European waters, including in proximity to subsea infrastructure.

The implication for CER compliance is direct. A monitoring posture that depends entirely on AIS data cannot reliably detect incidents involving vessels that have switched off AIS or are exhibiting behavior near critical infrastructure that AIS alone cannot interpret. If a vessel disables AIS, loiters above a cable, causes damage, and only reappears on AIS hours later, the operator may detect the incident only after the damage has occurred, leaving the resulting compliance reporting reliant on after-the-fact reconstruction of what happened in the detection gap.

The technical requirement that CER creates is for a detection capability that does not depend on the adversary’s cooperation. That means multi-source intelligence, with persistent, fused intelligence across AIS, satellite imagery, radio frequency detection, and complementary positioning data that closes the gaps single-source monitoring leaves open.

The EU Action Plan on Cable Security explicitly identifies automatic detection of abnormal vessel behavior, particularly where AIS is turned off or spoofed, as a relevant detection capability for strengthening submarine cable security. EU funding mechanisms, including CEF Digital, are supporting submarine cable security and resilience investment, signaling that the regulatory expectation is being supported by funding pathways.

What Cable Operators Should Be Doing Now

Operators that wait for the July 2026 designation list before preparing are giving themselves less time to get ready. The preparatory work that should already be underway, regardless of designation status, falls into four areas.

The first is scope assessment. Operators should be working with regulatory counsel to assess whether their operations are likely to meet the essential services threshold in the member states where they have cable infrastructure. The answer is not always obvious, and the assessment is better done internally before the designation list is published than reactively after it.

The second is a gap analysis on the current detection capability. Operators should map current vessel monitoring against the 24-hour detection-and-reporting standard. Specific questions to test against: Can the current system detect an incident involving a vessel with AIS disabled? Can it surface behavioral patterns (loitering, repeated returns, anchoring near corridors) before they become incidents? Can it produce a defensible evidence base for regulatory reporting within 24 hours? If the answer to any of these is no, the gap will need to be closed.

The third is the groundwork for a resilience plan. Operators should be drafting the structure of a resilience plan covering the four CER pillars — prevention, detection, response and repair, deterrence — even before designation. Plans can be refined after designation, but are much harder to build from scratch under the 10-month clock.

The fourth is the funding strategy. CEF Digital is a 2021–2027 budget programme and supports the EU Action Plan on Cable Security through specific funding calls for cable infrastructure, repair capacity, and smart cable monitoring. Operators building business cases for security and monitoring investments before designation can explore CEF Digital funding pathways for eligible infrastructure components.

How Windward Fits

Windward’s Critical Maritime Infrastructure Protection solution is built for the kind of detection standard the CER Directive creates. It combines vessel verification, behavioral risk profiling across multiple voyages, identity and ownership intelligence, and anomaly detection in defined infrastructure corridors. Underneath, Multi-Source Intelligence fuses SAR, EO, RF, and AIS into one operational picture that verifies what vessels actually do, independently of what they broadcast.

For cable operators preparing for CER compliance, the operational fit is direct. Detection capability that does not depend on AIS cooperation, behavioral pattern recognition that surfaces threats before they become incidents, and a sensor-verified evidence base that supports defensible regulatory reporting are the capabilities the 24-hour standard requires.

What to Watch Between Now and July

The next four weeks before designations begin will involve several developments worth tracking.

Member states are working through their risk assessments using the essential services list, which forms the basis for designation decisions. Operators in dialogue with national authorities have earlier visibility into the likely outcome than operators waiting for formal notification.

The EU Action Plan on Cable Security continues to be implemented through additional funding rounds and technical guidance, with the Cable Security Toolbox providing strategic and technical measures that member states can draw on. The EU has allocated €347 million across CEF Digital funding calls in 2026 to support submarine cable security and resilience investment.

In addition, the operational threat picture continues to evolve. A recent Windward investigation documented a Russian-flagged research vessel loitering above a major trans-Atlantic telecommunications cable for 41 days, with AIS broadcasting continuously, a valid flag, and clean filings throughout. A document-based screen would not have flagged the vessel. The behavioral pattern is what surfaced the picture. Vessels exhibiting cable-proximate behavior in European waters are continuing to operate under exactly these conditions, with strategies and signatures that are evolving faster than single-source monitoring can keep up. Whatever the designation status of any individual operator, the underlying risk environment is the regulatory framework’s reason for existing.

The operators best positioned for CER will be the ones who treated the July 17 deadline as already running.