CRITIS Umbrella Act

Published

15 December 2022

Author

Jürgen Seiler

Federal Cabinet adopts “Cornerstones for the CRITIS Umbrella Act“ on 07.12.2022

Physical security and its regulation in focus

At the latest since the “physical sabotage attacks“ of autumn 2022 on Nordstream pipelines and on Deutsche Bahn control cables, the protection of critical infrastructures (CRITIS) gained increased attention in Germany, both among the population and in politics.

Politicians acted quickly and so the German Federal Cabinet presented “Cornerstones for the CRITIS Umbrella Act“ on 07.12.2022.

The most important cornerstones for a CRITIS Umbrella Act:

Physical security to be regulated by law for the first time
- Mandatory implementation of uniform minimum technical protection standards
- Including detection systems and systems for monitoring the environment, e.g. through video surveillance.
Affected CRITIS defined and expanded
- Public AND private sector CRITIS operators
- A new sector (space/space)
- Clear, uniform “who belongs to CRITIS“ definitions according to qualitative and quantitative criteria
Manufacturer trustworthiness check
- For critical IT components: BSI Act (§ 9b para. 3 BSIG) requires guarantee declarations on the manufacturer’s trustworthiness
- For other critical NON-IT components: For comprehensive protection, regulations are being examined to protect CRITIS as a whole from influences and dependencies on questionable manufacturers from abroad.
Holistic resilience as the goal
- Think, monitor and check physical security and cyber security together and across the board
- Increase “geopolitical“ resilience through the above optional item “Screening of manufacturers of concern from abroad“.
- Coherence in cyber protection and physical protection also through close cooperation between two supervisory authorities:
  - IT and cyber protection: Federal Office for Information Security (BSI)
  - Physical protection (new): Federal Office of Civil Protection and Disaster Assistance (BBK)
Embedding in the EU legal framework
- Implementation of the EU Critical Entities Resilience Directive (CER Directive)
- Implementation of the EU NIS-2 Directive (Network and Information Security)
- More info on NIS2 and CER policy
Law and legal implementation process
- Message BMI (07.12.22): Federal Cabinet approves the key points of the so-called CRITIS umbrella law
- Website BMI: Cornerstones for the CRITIS umbrella law (original wording/pdf)
- Further planned implementation process: in the course of 2023
- We will keep you informed about the legal implementation process here.

The CRITIS RESILIENCE TRIANGLE © Dallmeier – With the CRITIS umbrella law and Dallmeier solutions for holistic CRITIS resilience

Our assessment of the key points from the manufacturer’s point of view

“Physical resilience“:
The still missing legal building block for holistic CRITIS resilience

In our assessment, behind the planned CRITIS umbrella law is the political realisation that for the protection and resilience of CRITIS, one does not need to pursue a “fragmented-regulated“, non-coordinated, but rather a holistic and hybrid approach. Only a kind of “holistic umbrella“ for the protection of CRITIS would be effective.

There are already individual regulatory provisions for CRITIS operators regarding cyber security in the form of the IT Security Act and the BSI Act, but only for cyber security.

There are currently also fragmented, sector-specific, industry-specific regulations for physical security, e.g. in the Aviation Security Act with e.g. “Articles 8 and 9“, but general, cross-sector and cross-hazard nationwide “umbrella regulations“ or “umbrella security standards“ for the physical security and safeguarding of CRITIS do not yet exist.

In addition, the definition in the CRITIS regulation of “who belongs to CRITIS“ (“size classes“, thresholds) only focuses on the aspect of information and cyber security.

From our point of view, the planned regulations and this step towards more physical security by means of a CRITIS umbrella law are to be welcomed from a geopolitical and security policy perspective, also with regard to the supply-related sovereignty, independence and continuity of CRITIS.

In addition, such an umbrella law would also be desirable for simple reasons alone, such as legally clear, binding definitions of CRITIS facilities, of responsibilities and competences and cross-sectoral and uniform protection standards throughout Germany.

Video technology made in Germany versus “questionable manufacturers“
We have recently noticed that “Made in Europe, Made in Germany“ is again increasingly perceived, valued and demanded as a seal of quality, security and trust.

If, in addition to the “voluntary“ Made in Europe/Made in Germany trend, there is also a legal regulation codified in the BSI Act or in a forthcoming CRITIS umbrella law for more physical security, for more trustworthy manufacturers and trustworthy products and components, this can only be positive in terms of CRITIS security.

PS: In the CRITIS umbrella law proposal of 07.12.22, the state offers CRITIS operators support with guidance documents.

We hereby also offer you our brand-new, vendor-neutral, practical guide, which is based on 38 years of experience and will be published in Q1_2023:

“VIDEO TECHNOLOGY AND SECURITY FOR CRITICAL INFRASTRUCTURES“ (*)

(*) Topics include:

Legal and policy framework
The KRITIS resilience triangle
Which “stumbling blocks“ can be expected in a KRITIS video project?
No fear of data protection – top priority cybersecurity
Planning is good – planning in 3D is (even) better
Technology and financial decisions
Practical tips and checklists and much more

Click here to request a digital copy of the practical guide. (**)

(**) Notice:
The offer to send the practical guide is exclusively directed to those responsible for CRITIS as well as to planners, specialist installers, authorities and politicians with an official connection to CRITIS.The offer is not directed to private individuals.
We ask for your understanding that we only check e-mail enquiries where the identity of the interested party is evident to us, e.g. through an e-mail from an official domain. We expressly reserve the right to make a decision in individual case

Feel free to join in our discussion on LinkedIn

Do you have any questions? Or would you like to share your thoughts on this subject with us?
We welcome you to post your comments and remarks!

To the LinkedIn-Post >

About the Author:

Jürgen Seiler

Head of Business Development
Dallmeier electronic GmbH & Co.KG

Regensburg

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your consent to using cookies.	1 year	HTML	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website
m2c_accepted_hosts	Cookie to permanently allow the playback of videos from external sources.	31 days	HTTP	Website

Name	Purpose	Lifetime	Type	Provider
_pk_id	Used to store a few details about the user such as the unique visitor ID.	13 months	HTML	Matomo
_pk_ref	Used to store the attribution information, the referrer initially used to visit the website.	6 months	HTML	Matomo
_pk_ses	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo
_pk_cvar	Short lived cookie used to temporarily store data for the visit.	30 minutes	HTML	Matomo

Name	Purpose	Lifetime	Type	Provider
reg_form_loaded	Used to show or hide the newsletter banner.	31 days	HTTP	Website
reg_form_not_loaded	Used to show or hide the newsletter banner.	7 days	HTTP	Website

CRITIS Umbrella Act

Newsletter