2. Companies concerned
- Sectors:
  - Operators of critical facilities in the existing CRITIS sectors (energy, transport and traffic, finance and insurance, healthcare, drinking water, wastewater, food, information technology and telecommunications, municipal waste disposal)
  - plus the space sector (new)
  - plus the federal administration (ministries, chancellery)
  - Partial exemptions and exclusions for the ICT, finance and insurance, and federal administration sectors
- Critical services:
  - Partially defined in the draft in §3 (3)
  - e.g. for the “transport and traffic” sector: air transport, rail transport, maritime and inland waterway transport, road transport, weather forecasting
  - In addition to critical services, “essential services” are also defined for EU-wide operators in accordance with the CER Directive
- Critical installations:
  - Roughly defined in the draft in §4
  - The exact installations and technical thresholds per sector still have to be defined in a new CRITIS Ordinance in accordance with §16 (similar to the current CRITIS Ordinance, CRITISV)
  - The standard threshold of 500,000 inhabitants to be supplied is to be taken as the basis
  - For the sake of clarity and consistency, a joint legal ordinance is planned to determine operators of critical facilities as well as important and particularly important facilities under the CRITIS-DachG and the BSI Act (as amended by the NIS2 implementation)
- Total number of companies concerned (legislator's estimate):
  - 2,000 affected companies (the current CRITIS operators)
3. Duties and requirements
- Key “resilience obligations”: risk analyses, resilience plans and, in addition to physical security (see 1), other resilience measures (including personnel security, crisis and disaster management, business continuity); attention to risks relating to “economic stability”
- Most important “formal obligations”: (self-)identification and registration, obligation to report security incidents, proof of compliance (on request, no longer at fixed intervals), sanctions and fines, obligations of management (as in NIS2)
4. “Trustworthiness check” of manufacturers
- For critical IT components: the BSI Act (Section 9b (3) BSIG) requires guarantee declarations regarding the trustworthiness of the manufacturer
- For critical non-IT components: for comprehensive protection, regulations are being examined to protect CRITIS from influence by, and dependencies on, questionable manufacturers from abroad. This passage was deleted (for the time being?) in the second draft bill.
5. Coherent supervision for holistic resilience
- “Thinking”, monitoring and testing physical security and cyber security together and across the board (“security convergence”)
- Coherent supervision: CRITIS supervision is expanded to include the BBK, together with the BSI and partial involvement of state authorities; sector-specifically also the Federal Network Agency and the Federal Financial Supervisory Authority
- The BBK not only supervises but also has an optional right to propose cross-sector resilience standards
- Operators of critical facilities and their industry associations can propose sector-specific resilience standards
6. Implementation of European legal requirements
- Implementation of the EU CER Directive (“Critical Entities Resilience”) on the resilience of critical infrastructures in Germany via the CRITIS umbrella law
- For context: implementation of the EU NIS2 Directive (“Network and Information Security”) on measures for a high common level of cybersecurity in Germany via the “NIS2 Implementation and Cybersecurity Strengthening Act” (NIS2UmsuCG). The NIS2UmsuCG is an amendment act that amends existing laws, primarily the CRITIS sections of the BSI Act
7. Legislative implementation process and roadmap
- Political implementation process: in the course of 2024
- The umbrella law will enter into force on 18 October 2024, some of the binding measures will not enter into force until 17 July 2026 (Article 3 (1)(2))
8. The important individual paragraph §10 “Resilience measures” (including video security technology)
- Operators of critical facilities are obliged, within 10 months of registration, to take appropriate and proportionate technical, security-related and organisational measures to ensure their resilience, which are necessary to:
  - ensure adequate physical protection of their properties and critical facilities
    - including “perimeter monitoring tools and procedures” and “detection devices”
    - including video surveillance as a measure to strengthen physical security and resilience
  - according to the “state of the art”