German CRITIS operators should prepare now for CRITIS Umbrella Act

The German CRITIS Umbrella Act will regulate the physical security and resilience of CRITIS operators starting from October 2024. This will be an additional law to the existing BSI Act, which already regulates the IT security of CRITIS operators. The implementation of the European CER Directive (“Critical Entities Resilience”) is the reason behind the introduction of the CRITIS Umbrella Act in Germany. Detection systems and environmental monitoring are used to physically protect CRITIS properties and critical facilities. For instance, video surveillance can be employed.

Our blog article provides information on the timing and content of the German CRITIS Umbrella Act and the resulting implementation obligations for operators. The article is based on the 2nd draft bill of the CRITIS Umbrella Act of 21 December 2023.

CRITIS umbrella law aims to improve overall resilience
The law’s main contents and objectives are outlined in the 2nd draft bill of 21 December 2023:

1. Contents and objectives of the law

  • Title: Umbrella law to strengthen the physical resilience of operators of critical facilities (CRITIS Umbrella Act – CRITIS-DachG)
  • With regard to physical measures to strengthen the resilience of critical facilities, the CRITIS-DachG will standardise mandatory, uniform, cross-sector minimum standards under federal law for the first time
  • Physical security will therefore be regulated by law for the first time (IT security protection is already regulated by the BSIG)
  • The physical protection of CRITIS properties and critical facilities is to be realised with detection systems and systems for environmental monitoring, for example through video surveillance
  • Estimates and simplified assumptions according to the draft:
    • 1,300 operators of critical facilities do not have sufficient physical resilience
    • The costs for resilience are ten times higher than for IT security
    • Estimated annual compliance costs for the economy in the high three-digit million range


2. Companies concerned

  • Sectors:
    • Operators of critical facilities in the existing CRITIS sectors (energy, transport and traffic, finance and insurance, healthcare, drinking water, wastewater, food, information technology and telecommunications, municipal waste disposal)
    • plus the space sector (new)
    • plus federal administration (ministries, chancellery)
  • Partial exemptions and exclusions for the ICT, finance and insurance and federal administration sectors
  • Critical services:
    • Partially defined in the draft in §3 (3)
    • e.g. for the “transport and traffic” sector: air transport, rail transport, maritime and inland waterway transport, road transport, weather forecasting
    • In addition to critical services, “essential services” are also defined for EU-wide operators in accordance with the CER Directive
  • Critical installations:
    • Roughly defined in the draft in §4
    • The exact installations and technical thresholds in the sectors still have to be defined in a new CRITIS Ordinance in accordance with §16 (similar to the current CRITIS Ordinance CRITISV)
    • The standard threshold of 500,000 inhabitants to be supplied must be taken as a basis
    • For the sake of clarity and consistency, it is planned to adopt a joint legal ordinance to determine operators of critical facilities as well as important and particularly important facilities in accordance with the CRITIS-DachG and the BSI Act (amended by NIS2 implementation) 
  • TOTAL concern (estimate by legislator):
    • 2,000 affected companies (the current CRITIS operators)

3. Duties and requirements

  • Key “resilience obligations”: risk analyses, resilience plans and, in addition to physical security (see 1), other resilience measures (including personnel security, crisis and disaster management, business continuity); attention to risks relating to “economic stability”
  • Most important “formal obligations”: (self-)identification and registration, obligation to report security incidents, evidence (on request, no longer fixed period), sanctions and fines, obligations of management (à la NIS2)

4. “Trustworthiness check” of manufacturers

  • For critical IT components: BSI Act (Section 9b (3) BSIG) requires guarantee declarations regarding the trustworthiness of the manufacturer
  • For critical non-IT components: For comprehensive protection, regulations are being examined to protect CRITIS from influences and dependencies on questionable manufacturers from abroad. This passage was deleted (for the time being?) in the second draft bill.

5. Coherent supervision for holistic resilience

  • “Thinking”, monitoring and testing physical security and cyber security together and across the board (“security convergence”)
  • Coherent supervision: CRITIS supervision is expanded to include the BBK, together with the BSI and partial involvement of state authorities, sector-specific also Federal Network Agency and Federal Financial Supervisory Authority
  • BBK not just supervision, but also optional right to propose cross-sector resilience standards
  • Operators of critical facilities and their industry associations can propose sector-specific resilience standards

6. Implementation of European legal requirements

  • Implementation of the EU CER Directive (“Critical Entities Resilience”) on the resilience of critical infrastructures in Germany via the CRITIS umbrella law
  • For context: the EU NIS2 Directive (“Network and Information Security”) on measures for a high common level of cybersecurity is implemented in Germany via the “NIS2 Implementation and Cybersecurity Strengthening Act” (NIS2UmsuCG). The NIS2UmsuCG is an amendment act that amends existing laws – primarily the CRITIS sections of the BSI Act

7. Legislative implementation process and roadmap

  • Political implementation process: in the course of 2024
  • The umbrella law will enter into force on 18 October 2024, some of the binding measures will not enter into force until 17 July 2026 (Article 3 (1)(2))

8. The important individual paragraph §10 “Resilience measures” (including video security technology)

  • Operators of critical facilities are obliged, within 10 months of registration, to take appropriate and proportionate technical, security-related and organisational measures to ensure their resilience, as necessary to...
    • ensure adequate physical protection of their properties and critical facilities
    • including “perimeter monitoring tools and procedures” and “detection devices”
    • including video surveillance as a measure to strengthen physical security and resilience
    • according to the “state of the art”
