Cybersecurity in CRITIS regulated by law

If companies belong to the so-called critical infrastructures (CRITIS), they are regulated by law with regard to cyber security, for example

  • in the European Union (EU) through a mandatory directive to ensure a high level of network and information security (the NIS-1 and NIS-2 directives)
  • in Germany by a national law that transposes the EU NIS directive into national law.

Tightening the rules

In Germany, this law is called the “IT Security Act” (version 2.0 since 2022), which is an article law that amends the “individual law” relevant to CRITIS, namely the BSI Act, or BSIG for short.

With the IT Security Act 2.0 or the amended BSIG, the obligations for German CRITIS operators have become even more stringent. The group of companies affected has also increased due to new definitions and threshold values.

In our view, with the IT Security Act 2.0, Germany, as with the NIS 1 Directive, has “pre-empted” the NIS 2 Directive in terms of content and time. The strict IT Security Act 2.0 is likely to have already implemented parts of the new NIS 2 Directive. The missing parts and an expected expanded circle of affected parties would then possibly be transposed into national law in an IT Security Act 3.0 (Update 07_2023: Not IT Security Act 3.0, but NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)).
The same implementation scenario is also considered likely for the EU directive on the resilience of critical entities (the RCE or CER Directive), which is to be implemented into national law via the CRITIS umbrella law.

State-of-the-art technology required

All regulations on CRITIS cyber security are about ensuring appropriate organisational and technical precautions to prevent disruptions to the

  • availability
  • integrity
  • authenticity
  • and confidentiality

of information technology systems, components or processes. These must correspond to the current state of the art in order to achieve a high level of security of network and information systems.

In Germany: Optional guarantee declaration on the part of the manufacturer / upstream supplier

In Germany, since 2022, in addition to the CRITIS operators, manufacturers and upstream suppliers must also optionally submit a guarantee declaration / trustworthiness check for critical components in accordance with § 9b paragraph (3) BSIG.

The Dallmeier promise

Dallmeier products and solutions have the highest level of technical precautions and functions that enable customers and CRITIS operators to implement cybersecurity-compliant video security solutions.

Dallmeier stands for the highest level of security in terms of law and compliance, data protection and cybersecurity:

  • Made in Europe, made in Germany
  • GDPR-compliant
  • compliant with EU-wide cybersecurity regulations such as the EU NIS Directive or national regulations such as the German IT Security Act 2.0 / BSIG

Further Information

Our CRITIS expertise and core competence video technology

In the following, we would like to provide you with three pieces of information on our own behalf and for your CRITIS video project:

Info 1 / Top Tip: CRITIS Practical Guide to Video Technology

  • The CRITIS video technology practical guide from Dallmeier provides an overview for security managers (currently available in German only)
  • 80 pages of orientation for decision-makers on the subject of video technology.
  • Request your personal copy here

Info 2 / Blog post “The EU Regulatory Framework for Critical Infrastructure and other Key Sectors”.

  • What the EU Directives NIS2 and RCE/CER will bring

Info 3 / Blog post “Cornerstones for the CRITIS umbrella law”.

  • Physical security and its regulation in focus