The EU regulatory framework for critical infrastructure and other key sectors


This is what the EU directives NIS2 and RCE/CER will bring to the table:

  • Regulating critical, essential and important facilities and infrastructure
    in the European Union
  • Strengthening cyber security, resilience and physical security

This blog post is about the EU Security and Resilience Directives NIS2 and RCE/CER.

These EU directives are aimed at operators of critical infrastructure and at other essential and important companies and institutions in the EU.

This blog post was initially written for a German audience, with some helpful references to the current German CRITIS regulation, but has been updated with information and links to the current international EU regulatory framework.

You will get a rough overview of the content of the two EU Directives adopted in December 2022:

  • DIRECTIVE (EU) 2022/2555:
    Network and Information Security 2 = NIS2
  • DIRECTIVE (EU) 2022/2557:
    Resilience of critical entities (RCE) = CER (Critical entities resilience) (*)

(*) CER often used in German-speaking countries

Increased awareness of security and resilience due to geopolitical changes
At least since the change in the geopolitical security situation, the protection of critical infrastructures (critical infrastructure protection, CIP) and other system-critical enterprises has received increased attention in the European Union: from CIP operators in the EU, from the EU population, but also from political actors in the EU and the individual EU countries.

The regulation of CRITIS and other essential/important/critical entities will therefore evolve and become more stringent in the EU over the next few years. More obligations, more technical and organisational requirements, a wider scope (lower thresholds or other classification criteria such as number of employees and turnover) and, for the first time, mandatory protection standards for physical security and resilience in addition to cybersecurity regulations will be imposed on affected EU companies.

In many cases, these regulations also apply to manufacturers and upstream suppliers, in terms of trustworthiness and security in the supply chain.

NIS2, Article 21(2)(d): “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”

Our interpretation of Article 21(2)(d): Security in the supply chain

  • Security in terms of technology: trustworthy and “technically (cyber) secure” vendors, manufacturers, service providers
  • Security with regard to geopolitics: trustworthy vendor countries

Thinking cybersecurity, resilience and physical security together and across the board
The aim of the new EU directives NIS2 and RCE/CER is not only cyber security, but – as required by RCE in particular – resilience and holistic security, including physical security, of critical infrastructure and other essential, important and system-relevant companies.

The three dimensions of CRITIS resilience
With reference to these EU legal requirements, we believe that the following three dimensions of resilience need to be considered in order to achieve holistic CRITIS resilience:


Legal regulatory framework TODAY
In Germany, as an example of national implementation of EU law, the IT Security Act 2.0 and the BSIG (Act on the Federal Office for Information Security) currently regulate the cybersecurity of the classic CRITIS sectors. All CRITIS cybersecurity regulations are concerned with ensuring that appropriate organisational and technical precautions are taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes. An announced CRITIS umbrella law (KRITIS-Dachgesetz) will in future (2023ff) regulate not only cybersecurity but also general resilience and, in particular, the physical security of the CRITIS sectors in Germany.

In the other EU countries, cybersecurity (and possibly already some aspects of resilience) is regulated by the corresponding national laws transposing the European NIS Directive into national law.

In Austria, for example, the counterpart to the German IT Security Act / BSIG is called “NISG” in reference to the EU Directive.

TODAY’s task for security officers in CRITIS:

  • Identify and observe the corresponding laws applicable in your own EU country.
  • If affected: strengthen cybersecurity, resilience and physical security (e.g. through video surveillance).

Legal regulatory framework TOMORROW (year 2023ff)
The Network and Information Security Directive (NIS2) introduces new rules to promote a high common level of cybersecurity across the EU, for companies and for member states alike. The Directive also strengthens the cybersecurity requirements for medium-sized and large companies operating in key sectors and providing services.

The RCE/CER Directive introduces new rules to strengthen the resilience and physical security of critical entities.

In addition to existing EU or national cyber regulation of classic core CRITIS sectors, the following new and enhanced requirements will be the focus of Europe-wide security regulation in the period 2023-2024.

1) Content expansion

  • Holistic security
  • Cybersecurity, multi-layer RESILIENCE (including personnel) and, for the first time, explicit physical security are to be regulated (CER).

2) Scope and affectedness

  • Until now (at least in Germany), the regulatory focus has been on specific facilities, operating sites and critical processes selected by technical thresholds (CRITIS)
  • Extension to whole companies (NIS2/CER)
  • Quantity: many more affected companies (also outside the classic CRITIS) through different and lower threshold criteria
  • Instead of technical thresholds (e.g. in the transport sector), economic criteria such as number of employees, turnover and balance sheet total (NIS2)

3) Entities 

  • Beyond the classic “core CRITIS sectors”
  • New “essential, important, system-critical entities”
  • Essential and important entities (NIS2)
  • Affected important entities: even medium-sized operators with more than 50 employees or more than EUR 10 million turnover/balance sheet total from (manufacturing) industry, e.g. manufacture of medical devices, data processing equipment, electronic and optical products, motor vehicles and motor vehicle parts, mechanical engineering (NIS2)
  • In Germany, for example, the BSIG (§ 8f and § 2(14)) already covers the so-called UBI = enterprises of special public interest, e.g. production or development of armaments (UBI 1), enterprises of considerable economic importance (UBI 2) and operators of upper-tier establishments under the Major Accidents Ordinance, such as hazardous substances / chemicals (UBI 3).
  • Critical entities (CER): almost congruent with the existing CRITIS sectors in Germany, for example, plus the new sector “space” in CER

The following is a quick overview of the EU legal framework

The original wording of the EU directives

  • NIS2 “Network and Information Security” Directive
    - Official document DIRECTIVE (EU) 2022/2555 “on measures for a high common level of cybersecurity across the Union” (language selection page | English Version PDF)
    - EU member states must transpose NIS2 into national law by 17 October 2024; in Germany, for example, possibly with an IT Security Act 3.0 (Update 07_2023: not an IT Security Act 3.0, but the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG))
  • RCE/CER Directive “Resilience of Critical Entities”
    - Official document DIRECTIVE (EU) 2022/2557 “on the resilience of critical entities” (language selection page | English Version PDF)
    - EU member states must transpose RCE/CER into national law by 17 October 2024; in Germany, for example, possibly with the CRITIS umbrella law.

Complex EU regulation “cries out” for harmonisation
With EU directives, on top of the EU's original problem of reconciling the interests of 27 individual states, the detailed and heterogeneous EU bureaucracy and the national freedom of implementation (with its various national opening clauses) become apparent. The market's opinion is justifiably audible:

“The whole regulation is very complex and confusing, it cries out for harmonisation.”

Our attempt to “demystify” and “harmonise” in simple terms:

  • Despite some overlaps, demarcation difficulties and questions of precedence regarding operators, sectors and affected parties,
  • the majority of affected companies belong to the classic “core CRITIS sectors”:
    o Energy
    o Water
    o ICT
    o Transport & Traffic
    o Healthcare
    o Finance
    o Food
  • and other essential, important, system-critical companies (of public interest for national security and security of supply)

Many questions of detail and implementation still open
The various definitions, classifications and demarcations on the “EU paper” will, in reality and in national implementation, lead to overlaps or multiple applicability, to difficulties of demarcation and to questions about the precedence of individual provisions, and will leave exciting questions of detail to be resolved by the respective national legislators or competent national authorities.

The CRITIS security officer’s task TOMORROW:

  • Prepare for the EU regulation (NIS2/RCE Directive) from 2023 onwards and check whether you or your customers will be affected.
  • Identify and comply with the applicable national laws in your EU country, which will be amended or newly introduced to transpose NIS2/RCE by 17 October 2024.
  • If you are affected, strengthen your cybersecurity, resilience and physical security (e.g. through video surveillance).

Our CRITIS expertise and core competence video technology

In the following, we would like to provide you with three pieces of information on our own behalf and for your CRITIS video project:

Info 1 / Top Tip: CRITIS Practical Guide to Video Technology

  • The CRITIS video technology practical guide from Dallmeier provides an overview for security managers (currently in German only)
  • 80 pages of orientation for decision-makers on the subject of video technology
  • Request your personal copy here

Info 2 / Tip 2:

  • Case Study – CRITIS – Transport and Traffic
  • Real, working AI-based video analysis for CRITIS perimeter protection

Info 3 / Tip 3: External independent source of information

Feel free to join in our discussion on LinkedIn

Do you have any questions? Or would you like to share your thoughts on this subject with us?
We welcome you to post your comments and remarks!