Oil - Critical Entities Resilience Directive (CER)
Overview
The Critical Entities Resilience Directive (CER) of the European Union (Directive (EU) 2022/2557) strengthens the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors must comply with the new requirements: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food.
Deadlines: By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 18 October 2024.
Must the Oil Subsector comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to:
1. Energy.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
8 December 2022 - The Council approved the Critical Entities Resilience Directive (CER) and a recommendation which aim to reduce the vulnerabilities and strengthen the resilience of critical entities.
To respond to the recent acts of sabotage against the Nord Stream pipeline and the new risks brought by Russia’s aggression against Ukraine, the recommendation adopted focuses on strengthening the resilience of critical infrastructure.
This recommendation aims to accelerate the preparatory work for the implementation of the objectives set out in the critical entities and NIS 2 directives and step up the EU’s capacity to protect its critical infrastructure. It includes series of targeted actions covering key sectors such as energy, digital infrastructure, transport and space.
The recommendation covers three priority areas: preparedness, response and international cooperation. It invites member states to update their risk assessments to reflect current threats and encourages them to conduct stress tests of entities operating critical infrastructure, with the energy sector as a priority.
It also calls on member states to develop, in cooperation with the Commission, a blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. The EU will support partner countries in enhancing their resilience and strengthen cooperation with NATO in this area.
According to Article 1 (Subject matter and scope), the Critical Entities Resilience Directive (CER):
(a) lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
(b) lays down obligations for critical entities aimed at enhancing their resilience and ability to provide services in the internal market;
(c) establishes rules:
(i) on the supervision of critical entities;
(ii) on enforcement;
(iii) for the identification of critical entities of particular European significance and
on advisory missions to assess the measures that such entities have put in place
to meet their obligations under Chapter III;
(d) establishes common procedures for cooperation and reporting on the application of this Directive;
(e) lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
CER Directive Training for the Energy Sector, Oil Subsector
1. Critical Entities Resilience Directive (CER), Instructor-led Training
Delivery format of the training program
a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers and employees etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH that is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.
b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH that are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.
c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH that are approved by the Client tailor the training content according to the needs of the Client and the Contract, and they record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos to their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.
Course Synopsis
- Are you sure we must comply with the Critical Entities Resilience Directive (CER)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.
- What is ‘critical infrastructure’ and ‘essential service’?
The obligation for each EU Member State to adopt a strategy for enhancing the resilience of critical entities.
- The strategic objectives and policy measures.
- Risk assessment by Member States.
Criteria for the identification of critical entities.
- the entity provides one or more essential services,
- the entity operates, and its critical infrastructure is located, on the territory of a Member State,
- an incident would have significant disruptive effects on the provision by the entity of one or more essential services.
Criteria for the identification of significant disruptive effects.
- the number of users relying on the essential service provided by the entity concerned,
- the extent to which other sectors and subsectors depend on the essential service in question,
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population,
- the entity’s market share in the market for the essential service or essential services concerned,
- the geographic area that could be affected by an incident, including any cross-border impact, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or
mountainous areas,
- the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.
Competent authorities and single point of contact.
Cooperation between Member States.
Risk assessment by critical entities, within nine months of receiving the notification.
- Risk assessment by critical entities whenever necessary subsequently, and at least every four years, to assess all relevant risks that could disrupt the provision of their essential services (‘critical entity risk assessment’).
- Risk assessment for all the natural and man-made risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, hybrid threats and other antagonistic threats, including terrorist offences.
- Resilience measures of critical entities.
Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity,
- are authorised to directly or remotely access its premises, information or control systems, including in connection with the security of the critical entity,
- are under consideration for recruitment to sensitive positions.
Incident notification.
- initial notification no later than 24 hours after becoming aware of an incident,
- detailed report no later than one month thereafter.
The new Critical Entities Resilience Group.
- it supports the Commission and facilitates cooperation among Member States,
- it supports the exchange of information on issues relating to this Directive,
- it is analysing the strategies in order to identify best practices,
- it is composed of representatives of the Member States and the Commission who hold security clearance, where necessary.
Supervision and enforcement.
- on-site inspections of the critical infrastructure and the premises that the critical entity uses to provide its essential services,
- off-site supervision of measures taken by critical entities,
- audits in respect of critical entities.
- penalties.
- Other new EU directives and regulations that introduce compliance challenges.
- Closing remarks.
Target Audience, Duration
We offer a 60-minute overview for the Board of Directors and senior management of EU and non-EU entities, tailored to their needs. We also offer 4 hours training for risk and compliance teams, responsible for the implementation of the EU directives and regulations. We always tailor the program to the needs of the client.
Instructor
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
2. Critical Entities Resilience Directive Trained Professional (CERDTPro) - online training, exam, certificate of completion.
Overview
With which Directive do we have to comply? The Critical Entities Resilience Directive (CER), the NIS 2 Directive, or another legal act?
The NIS 2 Directive (2022/2555) addresses cybersecurity challenges. Cybersecurity is addressed sufficiently in the NIS 2 Directive, so the matters covered by the NIS 2 Directive are excluded from the scope of the Critical Entities Resilience Directive (CER). To make it as clear as possible, for cybersecurity challenges the NIS 2 Directive applies, given that the requirements laid down in the NIS 2 Directive are at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER).
Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in the Critical Entities Resilience Directive (CER), the relevant provisions of the Critical Entities Resilience Directive (CER) should not apply. The relevant provisions of sector-specific legal acts should apply.
What about challenges that affect both, the physical security and cybersecurity of critical entities? NIS 2 and CER will both be implemented in a coordinated manner, according to article 1.2 of the Critical Entities Resilience Directive (CER).
CER covers a wide range or risks, not just cybersecurity risks. According to Article 13 of CER, (Resilience measures of critical entities), critical entities must take technical, security and organisational measures to ensure their resilience, including measures necessary to:
(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;
(b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;
(c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;
(d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service;
(e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications;
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises.
Objectives
The program has been designed to provide with the skills needed to understand and support compliance with the Critical Entities Resilience Directive (CER).
It also provides with the skills needed to pass the Critical Entities Resilience Directive Trained Professional (CERDTPro) exam, and to receive the Certificate of Completion, that provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.
Target Audience
The program is beneficial to risk and compliance managers and professionals, auditors, consultants, suppliers and service providers that work for companies and organizations that have to comply with the Critical Entities Resilience Directive (CER).
Who must comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the categories:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the Directive or not.
Course Synopsis
The European Union (EU) - key institutions, the EU legislative process, the roles.
- The European System of Financial Supervision.
- The major changes after the Lisbon Treaty.
- Delegated acts - supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service, Common Foreign and Security Policy (CFSP), Common Security and Defence Policy (CSDP), European Cyber Defence Policy Framework (CDPF).
Before the CER Directive.
- The European Programme for Critical Infrastructure Protection (‘EPCIP’) and the European Critical Infrastructures (‘ECIs’).
- The evaluation of Directive 2008/114/EC.
The Critical Entities Resilience Directive (CER), important Articles.
- Before discussing Article 1 of the CER Directive.
- We must start with the Annex, and NACE Rev. 2.
- Subject matter and scope.
- Definitions.
- Strategy on the resilience of critical entities.
- Risk assessment by Member States.
- Identification of critical entities.
- Significant disruptive effect.
- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.
- Competent authorities and single point of contact.
- Member States’ support to critical entities.
- Cooperation between Member States.
- Risk assessment by critical entities.
- Resilience measures of critical entities.
- Background checks.
- Incident notification.
- Identification of critical entities of particular European significance.
- Advisory missions.
- Critical Entities Resilience Group.
- Commission support to competent authorities and critical entities.
- Supervision and enforcement.
- Penalties.
- Exercise of the delegation.
- Committee procedure.
- Reporting and review.
- Transposition.
- Repeal of Directive 2008/114/EC.
- Entry into force.
Understanding better the CER Directive.
- NIS 2 and the resilience of critical entities.
- Sector-specific Union legal acts and the resilience of critical entities.
- National security, defence, law and order, and the resilience of critical entities.
- Entities that are jointly established.
- Employees / contractors of critical entities.
- Requests for background checks.
- So many deadlines … Mark your calendar.
- Important national options and discretions.
Other new EU Directives and Regulations.
- 1. The European Cyber Resilience Act.
- 2. The NIS 2 Directive.
- 3. The Digital Operational Resilience Act (DORA).
- 4. The Digital Services Act (DSA).
- 5. The Digital Markets Act (DMA).
- 6. The European Health Data Space (EHDS).
- 7. The European Chips Act.
- 8. The European Data Act.
- 9. The European Data Governance Act (DGA).
- 10. The Artificial Intelligence Act.
- 11. The European ePrivacy Regulation.
- Closing remarks
Become a Critical Entities Resilience Directive Trained Professional (CERDTPro)
This is a Distance Learning with Certificate of Completion program, provided by Cyber Risk GmbH. The General Terms and Conditions for all legal transactions made through the Cyber Risk GmbH websites (hereinafter “GTC”) can be found at: https://www.cyber-risk-gmbh.com/Impressum.html
Each Distance Learning with Certificate of Completion program (hereinafter referred to as “distance learning program”) is provided at a fixed price, that includes VAT. There is no additional cost, now or in the future, for any reason.
We will send the distance learning program via email up to 24 hours after the payment (working days). Please remember to check the spam folder of your email client too, as emails with attachments are often landed in the spam folder.
You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our distance learning programs for any reason, all you must do is to send us an email, and we will refund the payment, no questions asked.
Your payment will be received by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH will also send the certificates of completion to all persons that will pass the exam.
The all-inclusive cost is 297 USD (US Dollars).
First option: You can purchase the Critical Entities Resilience Directive Trained Professional (CERDTPro) program with VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.
Purchase the CERDTPro program here (VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.)
Second option: QR code payment.
i. Open the camera app or the QR app on your phone.
ii. Scan the QR code and possibly wait for a few seconds.
iii. Click on the link that appears, open your browser, and make the payment.
Third option: You can purchase the Critical Entities Resilience Directive Trained Professional (CERDTPro) program with PayPal
When you click "PayPal" below, you will be redirected to the PayPal web site. If you prefer to pay with a card, you can click "Debit or Credit Card" that is also powered by PayPal.
What is included in the cost of the distance learning program:
A. The official presentations (656 slides).
The presentations are effective and appropriate to study online or offline. Busy professionals have full control over their own learning and are able to study at their own speed. They are able to move faster through areas of the course they feel comfortable with, but slower through those that they need a little more time on.
B. Up to 3 online exam attempts per year.
Candidates must pass only one exam. If they fail, they must study the official presentations and retake the exam. Candidates are entitled to 3 exam attempts every year.
If candidates do not achieve a passing score on the exam the first time, they can retake the exam a second time.
If they do not achieve a passing score the second time, they can retake the exam a third time.
If candidates do not achieve a passing score the third time, they must wait at least one year before retaking the exam. There is no additional cost for additional exam attempts.
To learn more, you may visit:
C. The certificate of completion, with a scannable QR code for verification.
We will send it via email in Adobe Acrobat format (pdf). You will receive it up to 7 working days after you pass the exam.
D. Cyber Risk GmbH will develop a web page dedicated to each certified professional (https://www.cyber-risk-gmbh.com/Your_Name.htm).
When third parties scan the QR code on your certificate, they will visit this web page (https://www.cyber-risk-gmbh.com/Your_Name.htm), and they will be able to verify that you are a certified professional, and your certificates are valid and legitimate.
In this web page we will have your name, all the certificates you have received from us, and pictures of your certificates.
This is an example:
https://www.cyber-risk-gmbh.com/Monika_Meier.html
You can print your certificate that you will receive in Adobe Acrobat format (pdf). With the scannable QR code, all third parties can verify the authenticity of each certificate in a matter of seconds. Professional certificates are some of the most frequently falsified documents. Employers and third parties need an easy, effective, and efficient way to check the authenticity of each certificate. QR code verification is a good response to this demand.
E. If you purchase the CERDTPro program now, you can receive all the updated and amended CERDTPro programs at no cost until January 31, 2028.
Every time we have important developments that affect regulatory compliance with the Critical Entities Resilience Directive (CER), we will update and amend this training program, especially when we have important:
- Joint final draft technical standards, from the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA).
- Regulatory Technical Standards (RTS),
- Implementing Technical Standards (ITS),
- Delegated Acts, that supplement or amend non‑essential parts of EU legislative acts, and
- Implementing Acts, that ensure that EU laws are applied uniformly.
The all-inclusive cost of your first program is $297. The all-inclusive cost of your second (and each additional) program is $197. It includes the exam, the certificate of completion, and all the updated and amended programs at no cost until January 31, 2028. You can take the exam and receive the certificate of completion only once. You cannot take the exam again, and it is not possible to receive a new certificate of completion every time you receive an updated and amended program at no cost.
If you want to take the exam again, to receive a certificate of completion having a later date on it, and to have both certificates of completion with different dates at your dedicated web page, you must purchase the updated program at a discounted cost ($197). This is not required, your original certificate will not expire.
In order to receive the updated and amended program (you have purchased the program in the past, and now you want to receive the updated and amended program at no cost), please follow the simple steps:
Please check the “Course synopsis” of the program at the registration page, to check if you have the latest version.
If we have updated the program, please send us an email with title: “Please send me the updated CERDTPro program.”
In the email, please let us know which was the name and email address of the person or legal entity that had initially purchased the program.
You will receive the updated program in less than 48 hours (working days). Please remember to check your spam folder too.
Frequently Asked Questions for the distance learning programs.
1. I want to know more about Cyber Risk GmbH.
“Cyber Risk GmbH” is a company incorporated in Switzerland.
Registered address: Dammstrasse 16, 8810 Horgen, Switzerland.
Company number: CHE-244.099.341.
Cantonal Register of Commerce: Canton of Zürich.
Swiss VAT number: CHE-244.099.341 MWST.
EU VAT number: EU276036462. Cyber Risk GmbH is registered for EU VAT purposes in Germany (Bundeszentralamt für Steuern, One-Stop-Shop, Nicht EU-Regelung) for the sale of services in the EU. Cyber Risk GmbH declares and pays EU VAT in a single electronic quarterly return submitted to Germany, and the German Bundeszentralamt für Steuern forwards the EU VAT due to each member State of the EU.
Cyber Risk GmbH was founded in Horgen, Switzerland, by George Lekatis, a well-known expert in risk and compliance management. The company specializes in providing advanced cybersecurity, risk, and compliance training, helping organizations navigate and implement complex European, U.S., and international cybersecurity regulations. Additionally, Cyber Risk GmbH supports professionals in completing online training programs, passing exams, and obtaining Certificates of Completion, which serve as independent verification of their expertise for firms and organizations.
George Lekatis serves as the General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC. Compliance LLC provides risk and compliance management training in 58 countries. Several of its business units function as highly successful associations, offering a wide range of services to their members, including membership programs, regular updates (weekly or monthly), specialized training, and certification.
George is also the president of the International Association of Risk and Compliance Professionals (IARCP, https://www.risk-compliance-association.com). He leads the team responsible for developing and maintaining the Certified Risk and Compliance Management Professional (CRCMP) program. The CRCMP certification is widely regarded as a preferred credential by companies and organizations. For more information on the demand for CRCMPs, you may visit: https://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
Other business units of Compliance LLC:
- The Sarbanes-Oxley Compliance Professionals Association (SOXCPA), the largest Association of Sarbanes-Oxley professionals in the world. You may visit: https://www.sarbanes-oxley-association.com
- The Basel iii Compliance Professionals Association (BiiiCPA), the largest association of Basel iii Professionals in the world. You may visit: https://www.basel-iii-association.com
- The Solvency II Association, the largest association of Solvency II professionals in the world. You may visit: https://www.solvency-ii-association.com
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
“Cyber Risk GmbH Training Programs” are training programs developed, updated and provided by Cyber Risk GmbH, and include:
a) In-House Instructor-Led Training programs,
b) Online Live Training programs,
c) Video-Recorded Training programs,
d) Distance Learning with Certificate of Completion programs.
“Cyber Risk GmbH websites” are all websites that belong to Cyber Risk GmbH, and include the following:
a. General, Sectors, Industries.
1. Hybrid Risk
4. Defensive Hybrid Intelligence (DHI)
5. Cognitive Intelligence (COGINT)
6. Legal Intelligence (LEGINT)
7. Algorithmic and AI Intelligence (ALGINT)
8. Synthetic Cognitive Intelligence (SCINT)
9. Hybrid Resilience Initiative (HRI)
10. Cyber Risk GmbH
11. Social Engineering Training
22. Sanctions Risk
23. American Privacy Rights Act of 2024 (APRA)
24. Travel Security
25. Risk management, what is different in Switzerland
b. Understanding Cybersecurity.
4. What is Synthetic Identity Fraud?
6. What is Quantum Risk Management?
c. Understanding Cybersecurity in the European Union.
2. The Digital Operational Resilience Act (DORA)
3. The Critical Entities Resilience Directive (CER)
5. The European Data Governance Act (DGA)
6. The European Cyber Resilience Act (CRA)
7. The Digital Services Act (DSA)
8. The Digital Markets Act (DMA)
10. The Artificial Intelligence Act
11. The Artificial Intelligence Liability Directive
12. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
13. The EU Cyber Solidarity Act
14. The Digital Networks Act (DNA)
15. The European ePrivacy Regulation
16. The European Digital Identity Regulation
17. The European Media Freedom Act (EMFA)
18. The Corporate Sustainability Due Diligence Directive (CSDDD)
19. The Systemic Cyber Incident Coordination Framework (EU-SCICF)
20. The European Health Data Space (EHDS)
21. The European Financial Data Space (EFDS)
22. The Financial Data Access (FiDA) Regulation
23. The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR)
24. The Internal Market Emergency and Resilience Act (IMERA)
26. The European Cyber Defence Policy
27. The Strategic Compass of the European Union
28. The European Space Law (EUSL)
30. The EU-US Data Privacy Framework
31. The European Cloud and AI Development Act
34. The EU Cyber Diplomacy Toolbox
2. Is there any discount available for the distance learning programs?
We do not offer a discount for your first program. You have a $100 discount for your second and each additional program.
After you purchase the CERDTPro program at $297, you can purchase:
a. The Artificial Intelligence Act Trained Professional (AIActTPro) program at $197. You can find more about the program at: https://www.artificial-intelligence-act.com/Artificial_Intelligence_Act_Trained_Professional_(AIActTPro).html .
b. The Digital Operational Resilience Act Trained Professional (DORATPro) program at $197. You can find more about the program at: https://www.digital-operational-resilience-act.com/Digital_Operational_Resilience_Act_Trained_Professional_(DORATPro).html .
c. The NIS 2 Directive Trained Professional (NIS2DTP) program at $197. You can find more about the program at: https://www.nis-2-directive.com/NIS_2_Directive_Trained_Professional_(NIS2DTP).html .
d. The Digital Services Act Trained Professional (DiSeActTPro) program at $197. You can find more about the program at: https://www.eu-digital-services-act.com/DiSeActTPro_Training.html.
e. The Digital Markets Act Trained Professional (DiMaActTPro) program at $197. You can find more about the program at: https://www.eu-digital-markets-act.com/DiMaActTPro_Training.html.
f. The Data Governance Act Trained Professional (DatGovActTP) program at $197. You can find more about the program at: https://www.european-data-governance-act.com/DatGovActTP_Training.html.
g. The European Chips Act Trained Professional (EChipsActTPro) program at $197. You can find more about the program at: https://www.european-chips-act.com/European_Chips_Act_Trained_Professional_(EChipsActTPro).html .
h. The Data Act Trained Professional (DataActTPro) program at $197. You can find more about the program at: https://www.eu-data-act.com/Data_Act_Trained_Professional_(DataActTPro).html .
In order to receive the URL for the discounted cost for your second and each additional program, please send us an email with title: “Please send me the URL for the discounted cost.”
In the email, please let us know:
a. Which was the name and email address of the person or legal entity that had purchased the first program.
b. Which is the program you want to purchase now at $197 instead of $297.
You will receive the URL for the discounted cost for your second and each additional program in less than 48 hours (working days). Please remember to check your spam folder too.
3. Are there any entry requirements or prerequisites required for enrolling in the training programs?
There are no entry requirements or prerequisites for enrollment in our programs. We believe that learning should be accessible to everyone, regardless of their background, academic credentials, or professional experience. In contrast to providers that set stringent prerequisites or entry barriers, our approach prioritizes accessibility and openness. We do not believe that the opportunity to learn and grow should be limited by prior qualifications. Whether you're just beginning your career, changing paths, or expanding your expertise, our programs are designed to support individuals at all levels. Each course provides a clear and structured learning path, allowing individuals at all levels to gain valuable insights, and build practical skills. Our approach empowers motivated learners from different industries and career stages to gain value and opportunity from the program.
4. I want to learn more about the exam.
You can take the exam online from your home or office, in all countries.
It is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.
You will be given 90 minutes to complete a 35-question exam. You must score 70% or higher.
The exam contains only questions that have been clearly answered in the official presentations.
All exam questions are multiple-choice, composed of two parts:
a. A stem (a question asked, or an incomplete statement to be completed).
b. Four possible responses.
In multiple-choice questions, you must not look for a correct answer, you must look for the best answer. Cross out all the answers you know are incorrect, then focus on the remaining ones. Which is the best answer? With this approach, you save time, and you greatly increase the likelihood of selecting the correct answer.
TIME LIMIT - This exam has a 90-minute time limit. You must complete this exam within this time limit, otherwise the result will be marked as an unsuccessful attempt.
BACK BUTTON - When taking this exam you are NOT permitted to move backwards to review/change prior answers. Your browser back button will refresh the current page instead of moving backward.
RESTART/RESUME – You CANNOT stop and then resume the exam. If you stop taking this exam by closing your browser, your answers will be lost, and the result will be marked as an unsuccessful attempt.
SKIP - You CANNOT skip answering questions while taking this exam. You must answer all the questions in the order the questions are presented.
When you are ready to take the exam, you must follow the steps described at "Question h. I am ready for the exam. What must I do?", at:
5. How comprehensive are the presentations? Are they just bullet points?
The presentations are not collections of bullet points, they are thoughtfully structured, in-depth learning materials designed to provide clear explanations, context, and real-world relevance. Unlike slide decks that rely on brief summaries, our presentations guide you through each concept in a comprehensive and engaging manner. They are highly effective for both online and offline study, making them ideal for professionals who value substance and flexibility in their learning experience.
6. Do I need to buy books to pass the exam?
No. If you study the presentations, you can pass the exam. All the exam questions are clearly answered in the presentations. If you fail the first time, you must study more. You can:
- Highlight key terms and sections to help you focus during review.
- Add digital sticky notes (just like Post-it notes) anywhere in the document to remind yourself where specific answers or explanations are.
- Underline or circle text using freehand drawing tools.
- Add bookmarks to easily navigate to important sections.
- Search each document using keywords to quickly find what you need.
7. Is it an open book exam? Why?
Yes, it is an open book exam. Risk and compliance management is a field that requires deep understanding, critical thinking, and the ability to apply principles in real-world situations, not simply the ability to memorize facts. The goal of our certification programs is to help you build lasting knowledge and practical skills that you can confidently use in your professional role.
In real-life scenarios, risk and compliance professionals have access to regulations, frameworks, and reference materials, and are expected to use them thoughtfully. Our open book exam reflects this reality by assessing your comprehension and ability to apply what you've learned, rather than testing your memory.
8. Do I have to take the exam soon after receiving the presentations?
No, there is no fixed exam date. You may take the exam at any time that suits you within four (4) years from the date of your payment. Your access to the training materials, including any future updates, will remain available to you at no additional cost during this four-year period.
Cyber Risk GmbH reserves the right to amend the General Terms and Conditions (GTC) at any time. Any changes will become effective upon publication on our websites, and will apply exclusively to training programs purchased after the date of modification.
For our distance learning and online certification programs, the General Terms and Conditions (GTC) in effect at the time of purchase shall apply for a period of four (4) years from the date of payment. After the expiry of this four-year period, the participant’s access to the program and the right to take the exam shall expire. Any future participation in the program shall require a new enrollment and will be subject to the General Terms and Conditions in force at that time.
Cyber Risk GmbH may, at its sole discretion, extend the four-year period for individual participants or for a group of participants. Such an extension is a voluntary option of Cyber Risk GmbH and shall not create any obligation, entitlement, or precedent for future cases.
9. Do I have to spend more money in the future to keep my certificate of completion valid?
No. Your certificate of completion is issued with lifetime validity and does not expire. There are no renewal fees, no hidden costs, and no requirement to retake the exam in the future. Once certified, you remain certified.
10. Ok, the certificate of completion never expires, but things change.
Things do change. While many organizations introduce mandatory recertification as a recurring revenue stream, we’ve taken a different approach. Although we were advised to "introduce multiple recurring revenue streams to keep business flowing", we made a conscious decision to prioritize long-term value for our clients over short-term profit. That’s why no recertification is required for our programs.
Instead, we are committed to keeping you informed and up to date, at no cost. We invite you to visit our Reading Room each month and explore our newsletter, where you’ll find valuable insights, regulatory updates, timely alerts, and new opportunities. This ongoing access ensures you remain current and well-informed in a dynamic and constantly evolving field.
Our newsletter is the most extensive monthly cybersecurity and compliance intelligence report available anywhere worldwide. This is a curated report for decision-makers, executives, and security professionals who cannot afford blind spots. Our extensive editorial provides expert analysis on the most pressing cyber, regulatory, and geopolitical risks impacting businesses today. Busy professionals don’t avoid long reports, they avoid reports that waste their time. You may visit:
https://www.cyber-risk-gmbh.com/Reading_Room.html
11. Which is your refund policy?
Cyber Risk GmbH maintains a clear and customer-friendly refund policy. You are entitled to request a full refund within 60 days of your payment, no questions asked. If, for any reason, you decide that one of our programs or services is not right for you, simply send us an email within this 60-day window.
Once we receive your request, we will process your refund within one business day. There are no forms to fill out, no explanations required, and no delays. Our goal is to provide a risk-free and stress-free experience.
12. I want to receive a printed certificate. Can you send me one?
Unfortunately, we do not issue printed certificates. Instead, you will receive your official certificate via email in Adobe Acrobat (PDF) format, which includes a scannable QR code for instant verification. Certificates are issued within 7 business days after you pass the exam. Please note that business days refer to Monday through Friday, excluding weekends and public holidays.
To ensure authenticity and transparency, the association creates a dedicated web page for each certified professional (cyber-risk-gmbh.com/Your_Name.html). This page will include your full name, a list of all certificates you have earned from us, and images of your certificates.
When a third party scans the QR code on your certificate, they are directed to your personalized verification page. This allows employers, clients, and other stakeholders to easily confirm that your certification is valid, current, and legitimately issued.
Professional certificates are among the most frequently falsified documents. Providing a secure, scannable QR code with direct access to official verification offers a fast, reliable, and efficient solution. You may also print your certificate from the PDF file at any time, with the embedded QR code ensuring instant and reliable validation.
13. Why should I choose your training programs?
I. Recognition and Credibility. Cyber Risk GmbH is trusted by professionals and organizations around the world (please look below, "Cyber Risk GmbH, some of our clients"). Our specialized training programs help participants master complex cybersecurity, risk, and compliance requirements and demonstrate their competence through examination. Our clients include leading companies and organizations. Their trust in our programs reflects the high standards of quality, accuracy, and professionalism that define every Cyber Risk GmbH training program.
II. Flexible and Convenient Learning: Our training programs are designed with flexibility in mind. Participants can access course materials and complete the exam anytime, from anywhere. This is especially beneficial for professionals with demanding schedules who need to learn at their own pace.
III. Affordable, All-Inclusive Pricing: Each program is offered at a low, all-inclusive price. There are no hidden fees or additional costs, now or in the future, for any reason.
IV. Discounts on Additional Programs: When you enroll in a second program, you receive a $100 discount. This means the all-inclusive cost for your second (and every additional) program is $197 (compared to the regular price of $297). There are no hidden fees or recurring charges.
V. Multiple Exam Attempts Included: Each program includes up to three exam attempts per year at no additional cost, as outlined above.
VI. No Recertification Required: Your certificates are issued with lifetime validity. No recertification is required, and your credentials will not expire.
VII. Potential for Career Advancement and Industry Recognition: There is a clear and growing demand for qualified professionals in risk and compliance management. Trained managers and employees are often recognized by employers, may enjoy broader career opportunities, and may be preferred for promotions or new roles. Specialized training and Certificates of Completion demonstrate your commitment to continuous learning.
However, it’s important to note that no training can guarantee a new or better job. Career advancement depends on many factors, including supply and demand, market conditions, and timing. Training is important, but it is only a part of a larger professional development journey.
VIII. The fit and proper requirement in regulations: Firms and organizations hire and promote fit and proper professionals who can provide evidence that they are qualified. Employers need assurance that managers and employees have the knowledge and skills needed to mitigate risks and accept responsibility. Supervisors and auditors ask for independent evidence that professionals are qualified, and that controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.
IX. Increased Earning Potential: Professionals who invest in gaining new skills may become eligible for higher-paying roles. Training and ongoing professional development may significantly enhance your earning potential and contribute to long-term career success. However, it’s important to understand that increased earnings are not guaranteed. Compensation and career advancement depend on various factors. Training is a valuable tool, but not a guarantee on your path to career growth.
Cyber Risk GmbH, some of our clients
