7 Questions and recommendations for CRITIS operators

This blog post looks at the regulatory requirements for security and resilience in each country of the current VUCA world and the issues that arise.

Regardless of the country, the following issues and goals are always the same:

  • Regulating critical, essential, and important facilities and infrastructure
  • Strengthening cyber security, resilience, and physical security

CRITIS regulations vary from country to country
This blog post was written with some helpful references to the current German CRITIS regulation for better understanding, but is primarily aimed at the international perspective. You will not get an explicit overview of the current country-specific regulations. It would be beyond the scope of this blog article as well as beyond our resources and competences to know the corresponding CRITIS laws or other supplementary laws for all countries in the world. Our core competence is to increase the physical security of our customers through advanced and cyber-secure video security technology “Made in Germany”.

What we can offer are valuable tips and recommendations that have worked in practice:

7 tips and recommendations for CRITIS managers

  1. Find out what laws apply in your country.
  2. Determine how your business is affected. What laws do you need to comply with and how do they define your exposure? What are the technical or economic thresholds or size criteria?
  3. What are the personnel or organisational obligations such as reporting and registration requirements?
  4. What technical obligations or technical measures/functions must be implemented? For example, legal requirements for “state of the art”, “security by design” and “privacy by design”.
  5. What protection standards are required for IT and cyber security?
  6. What standards of protection are required for physical resilience and physical security? For example, video surveillance, access control or intrusion detection systems.
  7. Are there any other legal requirements for additional security?
  • Supply chain: redundancies, technology, geopolitics, trusted manufacturers or trusted countries of manufacture.
  • Awareness, prevention, event and alarm management, business continuity management (BCM), crisis management and human resources.

In our view, there are three key dimensions that need to be addressed to achieve holistic CRISIS resilience and security:

Your role – today and tomorrow

  • Please note and inform yourself about the current national legislation in your country: Am I affected?
  • If you are affected: Strengthen cyber security, resilience, and physical security (e.g., through video surveillance).

Case study for understanding – German CRITIS regulation
In Germany, as an example of national CRITIS legislation (and implementation of EU law), the IT Security Act 2.0 or the BSI Act currently regulates the cybersecurity of the classic CRITIS sectors. In the future (2023 ff.), an announced CRITIS umbrella law will also regulate the general resilience and in particular the physical security of the CRITIS sectors, thereby implementing a corresponding EU requirement (RCE Directive).

Recommendations for country-specific comparative information

1. German legal framework

2. EU legal framework

Are you specifically interested in the EU-wide CRITIS legal framework (NIS2 / RCE)?
Then our blog post “EU legal framework for CRITIS and other key sectors” is for you.

Further information: CRITIS expertise and video technology


Feel free to join in our discussion on LinkedIn

Do you have any questions? Or would you like to share your thoughts on this subject with us?
We welcome you to post your comments and remarks!