Federal Cabinet adopts “Cornerstones for the CRITIS Umbrella Act“ on 07.12.2022

Physical security and its regulation in focus

At the latest since the “physical sabotage attacks“ of autumn 2022 on the Nord Stream pipelines and on Deutsche Bahn control cables, the protection of critical infrastructures (CRITIS) has gained increased attention in Germany, both among the population and in politics.

Politicians acted quickly and so the German Federal Cabinet presented “Cornerstones for the CRITIS Umbrella Act“ on 07.12.2022.

The most important cornerstones for a CRITIS Umbrella Act:

  1. Physical security to be regulated by law for the first time
    • Mandatory implementation of uniform minimum technical protection standards
    • Including detection systems and systems for monitoring the environment, e.g. through video surveillance.
  2. Affected CRITIS defined and expanded
    • Public AND private sector CRITIS operators
    • A new sector (space)
    • Clear, uniform “who belongs to CRITIS“ definitions according to qualitative and quantitative criteria 
  3. Manufacturer trustworthiness check
    • For critical IT components: BSI Act (§ 9b para. 3 BSIG) requires guarantee declarations on the manufacturer’s trustworthiness
    • For other critical NON-IT components: For comprehensive protection, regulations are being examined to protect CRITIS as a whole from influences and dependencies on questionable manufacturers from abroad.
  4. Holistic resilience as the goal
    • Think, monitor and check physical security and cyber security together and across the board
    • Increase “geopolitical“ resilience through the above optional item “Screening of manufacturers of concern from abroad“.
    • Coherence in cyber protection and physical protection also through close cooperation between two supervisory authorities:
      • IT and cyber protection: Federal Office for Information Security (BSI)
      • Physical protection (new): Federal Office of Civil Protection and Disaster Assistance (BBK)
  5. Embedding in the EU legal framework
    • Implementation of the EU Critical Entities Resilience Directive (CER Directive)
    • Implementation of the EU NIS-2 Directive (Network and Information Security)
  6. Law and legal implementation process

Our assessment of the key points from the manufacturer’s point of view

“Physical resilience“:
The still missing legal building block for holistic CRITIS resilience

In our assessment, behind the planned CRITIS umbrella law is the political realisation that the protection and resilience of CRITIS require not a “fragmented-regulated“, uncoordinated approach but rather a holistic and hybrid one. Only a kind of “holistic umbrella“ for the protection of CRITIS would be effective.

There are already individual regulatory provisions for CRITIS operators regarding cyber security in the form of the IT Security Act and the BSI Act, but only for cyber security.

There are currently also fragmented, sector-specific and industry-specific regulations for physical security, for example in the Aviation Security Act (e.g. “Articles 8 and 9“), but general, cross-sector and cross-hazard nationwide “umbrella regulations“ or “umbrella security standards“ for the physical security and safeguarding of CRITIS do not yet exist.

In addition, the definition in the CRITIS regulation of “who belongs to CRITIS“ (“size classes“, thresholds) only focuses on the aspect of information and cyber security.

From our point of view, the planned regulations and this step towards more physical security by means of a CRITIS umbrella law are to be welcomed from a geopolitical and security policy perspective, also with regard to the supply-related sovereignty, independence and continuity of CRITIS.

In addition, such an umbrella law would be desirable for simple reasons alone, such as legally clear, binding definitions of CRITIS facilities, responsibilities and competences, and uniform, cross-sectoral protection standards throughout Germany.

Video technology made in Germany versus “questionable manufacturers“
We have recently noticed that “Made in Europe, Made in Germany“ is again increasingly perceived, valued and demanded as a seal of quality, security and trust.

If, in addition to the “voluntary“ Made in Europe/Made in Germany trend, there is also a legal regulation codified in the BSI Act or in a forthcoming CRITIS umbrella law for more physical security, for more trustworthy manufacturers and trustworthy products and components, this can only be positive in terms of CRITIS security.

PS: In the CRITIS umbrella law proposal of 07.12.22, the state offers CRITIS operators support with guidance documents.

We hereby also offer you our brand-new, vendor-neutral, practical guide, which is based on 38 years of experience and will be published in Q1 2023:


(*) Topics include:

  • Legal and policy framework
  • The CRITIS resilience triangle
  • Which “stumbling blocks“ can be expected in a CRITIS video project?
  • No fear of data protection – top priority cybersecurity
  • Planning is good – planning in 3D is (even) better
  • Technology and financial decisions
  • Practical tips and checklists and much more

Click here to request a digital copy of the practical guide. (**)

(**) Notice:
The offer to send the practical guide is exclusively directed to those responsible for CRITIS as well as to planners, specialist installers, authorities and politicians with an official connection to CRITIS. The offer is not directed to private individuals.
We ask for your understanding that we only check e-mail enquiries where the identity of the interested party is evident to us, e.g. through an e-mail from an official domain. We expressly reserve the right to make a decision in individual case
