Breach of contract: EU pushes to protect critical infrastructure

The fact that the former "traffic light" government failed to make progress on two key legislative projects to improve the protection of critical infrastructures (Kritis) is now taking its toll. On Thursday, the EU Commission asked Germany and 22 other EU member states to provide it with information on the status of implementation of the new EU directive on network and information security, known as NIS2. This is the first stage of an infringement procedure that could prove costly. NIS2 is intended to ensure a high level of cyber security throughout the EU in sectors such as energy and water supply, information and communication technologies (ICT), transport, finance and media. The EU countries should have transposed the directive into national law by October 17.

At the same time, the Brussels government institution has launched further infringement proceedings against 24 member states, including Germany, because they have not notified it of national measures to implement the directive on the resilience of critical facilities. This is effectively the analog version of NIS2. This second directive is intended to make operators of facilities and systems in significantly expanded critical sectors more accountable. For example, they must carry out risk assessments to increase resilience to disruptions and hazards and comply with minimum standards. The implementation deadline here also ended in mid-October. The countries concerned now have two months to complete the relevant legislative projects and inform the Commission. Failure to do so could result in the second stage of the infringement procedure.

NIS2 is stuck in the legislature

In Germany, the federal government has now initiated relevant projects. However, they both still have to pass through the Bundestag and the Bundesrat. The first reading of the NIS2 Implementation Act took place in October. The executive wants to transpose the second directive into national law with the Kritis Umbrella Act. It only agreed on the corresponding government draft at the beginning of November. The future of the plans is uncertain after the traffic light system's exit. Thorsten Frei, deputy leader of the CDU/CSU parliamentary group in the Bundestag, recently criticized the Kritis umbrella law, saying that the draft contained "far too many errors and inconsistencies". It could not be supported. Konstantin von Notz, deputy leader of the Greens parliamentary group, countered in Die Welt: "It is simply irresponsible for the CDU/CSU to adopt a fundamental opposition for party tactical reasons despite the most blatant threats and numerous attacks on our critical infrastructure in recent months."

(nie)