Framework for critical infrastructures

This blog post is about the EU Security and Resilience Directives NIS2 and RCE/CER.

These international EU regulations are aimed at Critical Infrastructures and other essential and important companies and institutions in the EU.

This blog post was initially written for a German audience, with some helpful references to the current German CRITIS regulation, but has been updated with information and links to the current international EU regulatory framework.

You will get a rough overview of the content of the two EU Directives adopted in December 2022:

• DIRECTIVE (EU) 2022/2555:
  Network and Information Security 2 = NIS2
• DIRECTIVE (EU) 2022/2557:
  Resilience of critical entities (RCE) = CER (Critical entities resilience) (*)

(*) CER often used in German-speaking countries

Legal regulatory framework TODAY
In Germany, as an example of national implementation of EU law, the IT Security Act 2.0 and the BSIG currently regulate the cybersecurity of classic CRITIS sectors.

The IT Security Act 2.0 and the BSIG currently regulate the cybersecurity of classic CRITIS sectors. All CRITIS cybersecurity regulations are concerned with ensuring that appropriate organisational and technical precautions are taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes. An announced CRITIS umbrella law will not only regulate cybersecurity, but also general resilience and, in particular, the physical security of CRITIS sectors in Germany in the future (2023ff).

In the other EU countries, cybersecurity (and possibly already some aspects of resilience) are regulated by corresponding national laws transposing the European NIS Directive into national law.

In Austria, for example, the counterpart to the German IT Security Act / BSIG is called “NISG” in reference to the EU Directive.

TODAY’s task for security officers in CRITIS:

• Please find out and observe the analogously applicable laws for your EU country on your own.
• If affected: strengthen cybersecurity, resilience and physical security (e.g. through video surveillance).

Legal regulatory framework TOMORROW (year 2023ff)
The Network and Information Security Directive (NIS2) introduces new rules to promote a high common level of cybersecurity in the EU – for companies and countries. The Directive also strengthens cyber security requirements for medium and large companies operating in key sectors and providing services.

The RCE Directive introduces new rules to strengthen the resilience and physical security of critical assets.

In addition to existing EU or national cyber regulation of classic core CRITIS sectors, the following new and enhanced requirements will be the focus of Europe-wide security regulation in the period 2023-2024.

1) Content expansion

• Holistic security
• Cybersecurity, multi-layer RESILIENCE (including personnel) and explicit physical security are to be regulated for the first time (CER).

2) Scope and affectedness

• Until now (at least in Germany) regulatory focus on specific facilities, operating sites and critical processes according to technical thresholds (CRITIS)
• Extension to whole companies (NIS2/CER)
• Quantity: many more affected companies (also outside the classic CRITIS) through different and lower threshold criteria
• Instead of technical thresholds, e.g. in the transport sector, commercial values such as number of employees, turnover, balance sheet total (NIS2)

3) Entities 

• Beyond the classic “core CRITIS sectors”
• New “essential, important, system-critical entities”
• Essential and important entities (NIS2)
• Affected important entities: Even medium-sized operators with > 50 employees > 10 million turnover/total assets from the (manufacturing) industry, e.g. manufacture of medical devices, data processing equipment, electronic and optical products, motor vehicles and motor vehicle parts, mechanical engineering (NIS2)
• In Germany, for example, the BSIG (Article 8f || Article 2 (14)) already includes the so-called UBI = enterprises of special public interest, e.g. production or development of armaments (UBI1) or enterprises of considerable economic importance (UBI2) or operators of the upper class of the Major Accidents Ordinance such as hazardous substances / chemicals (UBI3).
• Critical entities (CER) Almost congruent e.g. in Germany with existing CRITIS sectors, plus new sector “space” in CER

The following is a quick overview of the EU legal framework

The original wording of the EU directives

•  NIS-2 “Network and Information Security” Guideline
  - Official document DIRECTIVE (EU) 2022/2555 “Measures towards a high common level of cyber security in the Union” (language selection page | English Version PDF)
  - EU states must transpose NIS-2 into national law by October 2024; in Germany, for example, possibly with an IT Security Act 3.0 (Update 07_2023: Not IT Security Act 3.0, but NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG))
• RCE/CER Guideline “Resilience of Critical Facilities”
  - Official document DIRECTIVE (EU) 2022/2557 “On the resilience of critical facilities” (language selection page | English Version PDF)
  - EU countries must transpose RCE/CER into national law by October 2024; in Germany, for example, possibly with the CRITIS umbrella law.

Complex EU regulation “cries out” for harmonisation
In the case of EU directives, in addition to the EU's original problem of “reconciling” the interests of 27 individual states, the detailed and hetrogenic EU bureaucracy and the “federal national freedom of implementation with various national opening clauses” become apparent with the justifiably audible opinion of the market:

“The whole regulation is very complex and confusing, it cries out for harmonisation.”

Our attempt to “demystify” and “harmonise” in simple terms:

• Despite some overlaps, demarcation difficulties and priority issues regarding operators, sectors and affected parties
• the majority of affected companies are the classic “core CRITIS sectors”
  o Energy
  o Water
  o ITC
  o Transport & Traffic
  o Healthcare
  o Finance
  o Food
• and other essential, important, system-critical companies (of public interest for national security and security of supply)

Many questions of detail and implementation still open
The various definitions, classifications and demarcations on the “EU paper” will, in reality and in national implementation, lead to overlaps or multiple effects, or to difficulties of demarcation and questions about the precedence of individual provisions, and will still leave exciting questions of detail to be resolved by the respective national legislators or competent national authorities.

The CRITIS security officer’s task TOMORROW:

• Prepare for EU regulation (NIS2/RCE Directive) from 2023 and check whether you or your customers will be affected.
• Independently identify and comply with the applicable national laws in your EU country, which will be amended or new laws introduced by NIS2/RCE by 10/2024.
• If you are affected, strengthen your cybersecurity, resilience and physical security (e.g. through video surveillance).

Info 3 / Tip 3: External independent source of information

• The topics of Critis EU legal framework and NIS2 and RCE/CER are explained in detail and clearly with the help of comparisons on the very good and specialised CRITIS online platform “www.openkritis.de” (only available in German language).
• Our recommendation: the condensed presentation by Mr. Weissmann (editor OpenKritis)
• It also answers the fundamental question: “Who will be among the new companies affected by NIS2 and RCE/CER in the EU from 2024/2025?”
• Links:
  • English presentation (02_2023):
    EU NIS2 and RCE Security and Resilience for Critical Infrastructures
  • German presentation (04_2023):
    KRITIS Betreiber und nun? EU NIS2, CER und KRITIS-Dachgesetz

Do you have any questions? Or would you like to share your thoughts on this subject with us?
We welcome you to post your comments and remarks!