Cybersecurity for CRITIS Operators and NIS 2 Facilities

Companies that are so-called CRITIS operators or NIS 2 entities are regulated by law with regard to cybersecurity:

  • in the European Union (EU) through a binding directive to ensure a high common level of network and information security (NIS 2 Directive)
  • in all European countries through national laws transposing the EU NIS 2 Directive into national law

Tightening the rules

As a manufacturer of video surveillance solutions, we are responsible for the security of our products – especially when they are used in critical infrastructures (KRITIS / CRITIS) and under the new European NIS 2 Directive. The Network and Information Security Directive 2 (NIS2) is an EU directive designed to strengthen cybersecurity in key sectors and industries. It expands the scope of the previous NIS1 Directive and introduces stricter requirements and sanctions. Affected operators and companies must better protect their network and information systems and report security incidents.

State-of-the-art technology required

All CRITIS cybersecurity regulations are ultimately about ensuring appropriate organizational and technical precautions to prevent disruptions to the

  • availability
  • integrity
  • authenticity
  • and confidentiality

of information technology systems, components or processes. These must correspond to the current state of the art in order to achieve a high level of security of network and information systems.

In Germany: Optional guarantee declaration on the part of the manufacturer / upstream supplier

In Germany, since 2022, manufacturers and upstream suppliers (in addition to the CRITIS operators themselves) can optionally submit a guarantee declaration / trustworthiness check for critical components in accordance with § 9b paragraph (3) BSIG.

The Dallmeier promise

Dallmeier products and solutions have the highest level of technical precautions and functions that enable customers and CRITIS operators to implement cybersecurity-compliant video security solutions.

Dallmeier stands for the highest level of security in terms of law and compliance, data protection and cybersecurity:

NIS2 individual requirements, mirrored in Dallmeier ISO 27001 processes

NIS2 requirement | NIS2 Directive (EU) | NIS2 Implementation Act / BSIG (Germany) | Dallmeier ISO 27001 | Dallmeier as upstream supplier/manufacturer
---------------- | ------------------- | ---------------------------------------- | ------------------- | -------------------------------------------
State of the art | Article 21 (1), Recital (EG) 85 | § 30 | ISO 27001 = technology-neutral ISO as the basis for state-of-the-art IT security (TeleTrust guideline) + state-of-the-art video surveillance technology + note (*) | Dallmeier complies
Security by Design | Article 21 (2) e) | § 30 | A.5.20, A.5.24, A.5.36, A.5.37, A.6.8, A.8.9, A.8.19, A.8.20, A.8.21 |
Supply chain security | Article 21 (2) d), Article 21 (3) | § 30 | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 |
Integration chain security | Article 21 (2) d) and e) | § 30 | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 |
Regular updates and patches | Article 21 (2) e) and g) | § 30 | A.5.35, A.5.36, A.5.7, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.6.8, A.8.16 |
Authentication and authorization | Article 21 (2) i) and j) | § 30 | A.5.12, A.5.13, A.5.14, A.5.15, A.5.16, A.5.17, A.5.18, A.8.1, A.8.2, A.8.3 |
Cryptography and data encryption | Article 21 (2) f) | § 30 | A.8.20, A.8.21, A.8.22, A.8.24 |
Reporting and vulnerability management | Article 21 (2) e) | § 30 | A.5.7, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.6.8, A.8.7, A.8.8, A.8.15, A.8.16 |
Data protection through IT security | Derived from Article 20, Article 21 (1), Article 23 (4), Recitals (EG) 14 and 51 | § 30 | in particular: A.5.34 Privacy and protection of personal information (PII) |
Training and awareness measures | Article 20 (1) and (2), Article 21 (2) d) and g); Recitals (EG) 88 and 89 | § 30 | A.5.1, A.5.2, A.5.3, A.6.3, A.5.23, A.5.28 |

Benefits for NIS2 customers

  • Cyber resilience along the entire supply chain
  • Proof of NIS2 compliance to regulatory authorities
  • Avoidance of downtime costs through stable business continuity
  • Avoiding fines for the entity
  • Avoiding personal liability for management

(*)
There is no provision in ISO 27001 or in any law that states in a general and binding manner: “Anyone who complies with ISO 27001 automatically complies with the state of the art.”

Why not?

  • ISO 27001 is an international management standard for information security management systems (ISMS).
  • It defines processes and controls, but it is technology-neutral and does not specify which specific security measures are “state of the art.”

Where does the reference to ISO 27001 ↔ “state of the art” come from?

  • Authorities such as the BSI or data protection supervisory authorities often say:
    The introduction of an ISMS in accordance with ISO 27001 supports compliance with the state of the art because the standard systematically records security risks and selects appropriate measures.
  • In practice, ISO 27001 is often accepted as proof that an organization works in a state-of-the-art manner in terms of organization and processes.
  • ISO 27001 alone = a good foundation, but does not automatically fulfill “state of the art.”
  • Combination of ISO 27001 + current technical security standards = strong evidence.

Further Information

Our CRITIS expertise and core competence in video technology

In the following, we would like to provide you with three pieces of information, on our own behalf and for your CRITIS video project:

Info 1 / Top Tip: CRITIS Practical Guide to Video Technology

  • The CRITIS video technology practical guide from Dallmeier provides an overview for security managers (currently available in German only)
  • 80 pages of orientation for decision-makers on the subject of video technology
  • Request your personal copy here

Info 2 / Blog post “The EU Regulatory Framework for Critical Infrastructure and other Key Sectors”.

  • What the EU Directives NIS 2 and RCE/CER will bring

Info 3 / Blog post “Cornerstones for the CRITIS umbrella law”.

  • Physical security and its regulation in focus