SISTEC
Checklist for Background Checks According to the CER Directive

For HR and security managers in organizations that may be classified as critical operators and subject to background check requirements.

What is the CER Directive?

  • Purpose: To strengthen the resilience of critical operators to ensure essential services even during crises, attacks, or disruptions.
  • Replaces the previous ECI Directive (2008/114/EC).
  • Complements NIS2 (cybersecurity) but focuses on physical and organizational resilience.
  • Becomes law in Sweden through the Act on Resilience of Critical Operators (LOM).
  • A critical operator is an entity that:
    1. Provides essential services in one of the eleven designated sectors.
    2. Has critical infrastructure in Sweden.
    3. Is such that an incident affecting it could have significant disruptive effects.

Important Dates

Year-end 2025/2026

The Act on Resilience of Critical Operators (LOM) is proposed to enter into force.

Summer 2026

Supervisory authorities are to have identified critical operators.

10 months after identification

Organizations are to have implemented routines, including background checks.

Supervisory Authorities

  • MSB's role: Coordinating authority for CER in Sweden, responsible for guidance, national strategy, and reporting to the EU.
  • Supervisory authorities: Each sector will have its own supervisory authority (e.g., the Energy Agency for the energy sector).
  • Sanction fees: Proposed to be harmonized with the Security Protection Act (up to SEK 120 million, or 2% of global annual turnover).
Which Sectors Are Covered?

The CER Directive applies to 11 critical sectors:

  • Energy
  • Transport
  • Banking
  • Financial Markets
  • Healthcare
  • Drinking Water Supply
  • Wastewater
  • Digital Infrastructure
  • Public Administration
  • Food Production
  • Space Activities

Operators of European significance: If the organization operates in multiple EU countries or has cross-border impact, it should assess whether it may be classified as an operator of European significance under the CER Directive. This may entail additional reporting and coordination requirements with the EU Commission.

Who Should Be Checked and When?

  • Who: Everyone with physical or digital access to an essential service whose involvement could cause more than minor harm: employees, consultants, and suppliers.
  • Frequency: When warranted, but no later than two years after the most recent check.

What Is Included in a Background Check According to CER?

  • Verified identity: Verification of an approved and valid ID document. If the expiration date has passed, the check is considered invalid. ID verification is fundamental - without this step, other checks lack credibility.
  • Criminal record extract: The individual brings a special extract from the criminal record (max 1 year old) which is presented in conjunction with the ID check at a physical meeting. A note that the check has been performed should be made (no copy or other information is saved).
  • Complementary assessment: References, employment history, assessment of loyalty and reliability, good personal knowledge.
  • Re-check: When warranted, but at least every two years.

Risks of False Identities

  • Fake ID documents are frequently found in the labor market and pose a significant security risk.
  • For an ID check to be considered secure, it should always include an authenticity analysis by trained personnel - visual inspection alone is not sufficient.
  • If the ID document is fake or invalid, other background checks lack credibility.

Examples of Risks

  • Sabotage
  • Espionage
  • Infiltration by criminals
  • Money mules
  • Enablers
  • Workplace crime

Implementation - Step 1 - Routines and Processes

Employers must thoroughly document personnel security work to meet the requirements of CER. This includes:

  • Appoint a responsible function: Appoint a person responsible for personnel security (HR manager, security manager, or equivalent) who ensures that checks are performed according to regulations and that no individuals are missed. This person is also the point of contact with the supervisory authority regarding background checks.
  • Timeline for compliance: Once the organization has been identified as a critical operator by the supervisory authority, it has 10 months to implement routines for personnel security, including background checks. Ensure the checklist is linked to this deadline and that an internal project plan exists to meet the requirements on time.
  • Policies and procedures: There must be documented internal procedures for how background checks are conducted, how often, by whom, and how results are handled. These documents may be requested by the supervisory authority and are useful for training managers and HR staff internally.
  • Register of checked individuals: A list should be maintained of which positions have been identified as critical and which individuals hold them. The date of the background check per individual and the planned date for the next check should also be recorded. Only authorized personnel should have access to the list.
  • Handling check results: If a background check raises no "red flags," it is usually sufficient to note that the person is approved without remarks. However, if something unusual emerges - e.g., the criminal record extract shows a relevant conviction - the employer must document how it has been handled. This may include a special risk assessment, decision on possible reassignment or other measures, and that the employee has been informed and given the chance to explain. These steps should also be documented.
  • Prepare for supervision and sanction risk: Supervisory authorities have the right to review procedures, documentation, and compliance with personnel security requirements. Deficiencies can lead to sanction fees of up to SEK 120 million or 2% of global annual turnover. Ensure the checklist includes an item on internal auditing and that responsible parties are aware of the supervision process.

Implementation - Step 2 - Execution

  • Conduct an operations-based risk analysis: Before positions are identified as critical, the organization should conduct a risk assessment of its operations. The purpose is to understand which functions, systems, and roles are most vulnerable in the event of incidents. This analysis should be documented and serve as the basis for which positions require background checks.
  • Identify critical positions: Conduct a position analysis that clarifies which roles in the organization are so significant that an unsuitable person in that role could cause more than minor harm to the essential service. This includes positions with major impact on operations and security - e.g., operations managers, system administrators, security officers, key personnel in control rooms. This also applies to external personnel.
  • Set external requirements: Conduct a position analysis of external personnel with access to the essential service and require that this personnel also be checked. External actors should also be able to present documentation showing which checks have been performed, when and how, upon request.
  • Execution: Perform background checks on individuals in these positions before appointment (i.e., upon new hire or internal transfer to such a role), and on an ongoing basis during employment. The government's CER investigation proposes that employees already in critical roles should be checked periodically - at least every two years - to detect if a previously reliable person's circumstances change in ways that may pose a risk.
  • Document the checks: Have organized procedures and maintain records showing that a background check has been completed for each person in the designated positions, when it was done, and by whom. The material must be available for inspection but otherwise handled under confidentiality.
  • Follow-up and reminders: Implement routines for notifications or reminders to responsible parties for background checks to be carried out, sent well before 24 months have passed since the last background check for an employee. The purpose is to ensure follow-up occurs on time and no checks are missed.
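As an added example (not SISTEC's code and not part of the original page), the register of checked individuals and the follow-up reminder routine described above can be modelled as a small record store that applies the page's own rules: the ID document must not have expired on the day of the check, the criminal record extract may be at most one year old, and a re-check is due within two years. The record fields, the three-month reminder lead time (the page only says "well before 24 months") and the sample people and dates are assumptions constructed for the illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date

RECHECK_MONTHS = 24          # re-check at least every two years
EXTRACT_MAX_AGE_DAYS = 365   # criminal record extract at most one year old
REMINDER_LEAD_MONTHS = 3     # assumed lead time; the page only says "well before"

@dataclass
class CheckRecord:
    person: str
    position: str          # the critical position the person holds
    check_date: date       # day of the physical ID + extract check
    id_expiry: date        # expiry date on the ID document presented
    extract_issued: date   # issue date of the criminal record extract

def add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic, clamped to the last valid day of the month
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def validate(rec: CheckRecord) -> list[str]:
    """Reasons the recorded check is invalid; an empty list means it stands."""
    problems = []
    if rec.id_expiry < rec.check_date:
        problems.append("ID document had expired on the check date")
    if (rec.check_date - rec.extract_issued).days > EXTRACT_MAX_AGE_DAYS:
        problems.append("criminal record extract older than one year")
    return problems

def next_check_due(rec: CheckRecord) -> date:
    return add_months(rec.check_date, RECHECK_MONTHS)

def reminder_date(rec: CheckRecord) -> date:
    return add_months(next_check_due(rec), -REMINDER_LEAD_MONTHS)

def follow_up_status(register: list[CheckRecord], today: date) -> dict[str, list[str]]:
    # Sort the register into what the responsible function must act on today
    status = {"invalid": [], "overdue": [], "remind": [], "ok": []}
    for rec in register:
        key = ("invalid" if validate(rec) else "overdue" if today > next_check_due(rec)
               else "remind" if today >= reminder_date(rec) else "ok")
        status[key].append(rec.person)
    return status

# Constructed sample register (fictional people and dates)
REGISTER = [
    CheckRecord("A. Andersson", "control room operator", date(2024, 3, 1), date(2027, 5, 10), date(2024, 1, 15)),
    CheckRecord("B. Berg", "system administrator", date(2024, 9, 1), date(2024, 8, 31), date(2024, 8, 1)),
]
```

Running `follow_up_status(REGISTER, date.today())` on the real register each morning gives the responsible function the list of people whose check is invalid, overdue, or due for a reminder.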

Your Checklist for CER Compliance

  • Identify whether your organization is covered by CER/LOM
  • Appoint a person responsible for personnel security work
  • Conduct a risk analysis
  • Map out which roles require background checks
  • Ensure a process for identity validation
  • Establish a register for checks, documentation, and follow-ups
  • Implement digital support
  • Update internal policy documents
  • Train staff in new routines and risk awareness
  • Plan for regular audits
  • Implement a routine for internal audits
  • Conduct background checks
  • Follow up on each check every two years

Best Practices and Recommendations

Managing individual checks that include identity validation, documentation, and follow-up requires structure and system support, both to ensure that the checks are carried out correctly and that the handling complies with applicable laws and regulations.

Sistec's service Right to Work offers a digital platform with automated processes to meet the CER Directive's requirements for background checks. Since its launch in 2019, Sistec has met and checked over 300,000 individuals in the Swedish labor market.

Right to Work

  • Authenticity analysis of ID documents
  • Verified identity and nationality
  • Criminal record check in conjunction with ID verification
  • Secure documentation of completed checks
  • Automated reminders for follow-ups
  • Integration capability with HR systems
  • Customer portal to invite third parties who need to verify that the supplier's personnel have been checked.