Kritis umbrella law: lots of bureaucracy and documentation, little resilience
The German government aims to better protect infrastructure with the Kritis Act. Which benefits does the law offer, and what changed compared to the old draft?
(Image: Harinnita Detta/Shutterstock.com/edited by iX)
- Manuel "HonkHase" Atug
Germany talks a lot about a turning point and an urgently needed defense capability. But when it comes to taking concrete action to make itself more resilient against sabotage and natural disasters through defensive resilience, things get very thin on the ground. The deadline for the EU's CER Directive, which has stipulated defensive resilience for years, was missed, and the corresponding law has still not been passed, even in times of hybrid threats.
The government draft of the Federal Ministry of the Interior for a law to implement the CER Directive and strengthen the resilience of critical systems (KRITIS umbrella law), which was approved by the Federal Cabinet yesterday (Wednesday), is intended to introduce cross-sector regulations for the physical protection of KRITIS for the first time. The cybersecurity provided by the EU NIS2 Directive and existing BSI legislation from the former IT Security Act 2.0 is finally to be addressed more holistically to include protection against physical threats such as sabotage, terrorism, and extreme weather.
Critical operators will be obliged to implement suitable and proportionate resilience measures and report significant security incidents. National risk analyses and risk assessments are also planned. These consider at least “natural, technical, or man-made risks that may have a significant impact on the availability of critical services,” as well as “cross-sectoral and cross-border risks” and also “extreme events caused by accidents, natural hazards, and health emergencies.” In addition, they must also consider “hybrid threats, security threats, or other hostile threats, including terrorist offenses.”
The implementation of the CER Directive 2022/2557 was set by the EU with a deadline of October 17, 2024. Germany is now in the second stage of EU infringement proceedings due to the still outstanding implementation.
The content of the government draft has remained largely unchanged compared to the draft bill of November 27, 2024. Evidently, the many comments made by the associations at the time were largely ignored.
Will everything stay the same?
On August 29, 2025, a new association participation (in accordance with Section 47 GGO) was hastily initiated with a submission deadline of September 4, 2025: a deadline of six calendar days, or four working days. This was justified by the fact that a cabinet referral was planned for September 10, 2025. No explanation was given as to how several dozen new comments from the associations were to be processed by the Federal Ministry of the Interior in just three working days, or how the content of the draft was to be improved in that time, which usually entails departmental coordination with the other authorities.
Thus, the participation of associations has once again been degraded to a sham, as the Gesellschaft für Informatik e.V. (GI) criticizes in its statement. A “differentiated discussion of the draft bill” is thus made “almost impossible.” As early as 2020, the GI and other associations had already called for “reasonable deadlines instead of sham participation.”
What is the goal?
The draft bill of the Kritis Umbrella Act introduces the objective with the following words:
“The aim of the directive is to establish uniform minimum obligations for critical facilities and to guarantee their implementation through coherent, targeted support and supervisory measures. To strengthen the resilience of these critical entities, which are crucial for the smooth functioning of the internal market, Directive (EU) 2022/2557 creates an overarching framework (“umbrella”) that considers natural or man-made, accidental or deliberate hazards in line with the all-hazards approach.”
At the same time, it remains deliberately vague when it comes to specifics, in order to “also consider the concerns of the economy”:
“The KRITIS umbrella law will not make any sector-specific or even industry-specific regulations but will stipulate in abstract terms that operators of critical facilities in all KRITIS sectors must take suitable and proportionate measures to physically protect critical facilities.”
At least, the plan is to create a “National KRITIS Resilience Strategy” by January 17, 2026, thereby updating and expanding the German government's current KRITIS strategy from June 2009. However, it is doubtful whether this deadline can be met. So far, no draft exists or is being discussed in specialist circles.
What has changed?
Compared to the traffic light coalition's draft with 1,400 operators, there is now talk of 1,700 critical installations. Section 2 explicitly lists the sectors covered in the definition of “critical services,” “the failure or impairment of which would lead to significant supply bottlenecks or threats to public safety,” for example, energy, transport and traffic, healthcare, information technology and telecommunications, space, water, food, and municipal waste disposal.
A new regulation gives priority to the determination of supervision by federal authorities (Federal Network Agency, Federal Office of Civil Protection and Disaster Assistance, and Federal Office for Information Security) over state authorities. The state authorities responsible in the federal states must be named within one month of the law coming into force. Three months after entry into force, the Federal Office of Civil Protection and Disaster Assistance (BBK) must also be notified of the designation.
The BBK must in turn inform the Federal Office for Information Security (BSI) immediately of any changes to registrations and new registrations of critical systems. In accordance with Section 14 (Industry-specific standards and subsequent regulations), the industries can propose their own resilience standards, which are then determined to be suitable by the BBK. What is new is that this suitability assessment is to be carried out free of charge “for reasons of public interest.” In the future, the BBK will also support Kritis operators free of charge with services such as templates for resilience plans, guidelines, advice, and training.
What needs to be done?
As part of their resilience obligations, operators of critical facilities must prevent the occurrence of incidents, ensure adequate physical protection of properties and critical facilities, respond to and mitigate incidents and limit the negative effects of such incidents, and ensure the rapid restoration of critical services after incidents.
To fulfill these obligations, emergency preparedness measures, structural and technical security measures, and organizational protection (property protection), such as property demarcations and inhibiting façade elements, instruments, and procedures for monitoring the environment, the use of detection devices, and access controls must be used.
In addition, risk and crisis management procedures and protocols, as well as predefined procedures in the event of an alarm, must be considered. However, measures must also be taken to maintain operations, including emergency power supplies and the identification of alternative supply chains to resume the provision of the critical service. Employees and staff of external service providers must be familiarized with personnel safety management measures through information materials, training, and drills.
Fines and reporting obligations
The fine levels are set at 500,000 euros, 200,000 euros, 100,000 euros, and 50,000 euros, depending on the offense. The proposed fines are therefore hardly suitable for seriously enforcing compliance with the obligations. This is because setting up and operating a genuine resilience or protection concept through structural safeguards, emergency power supply, redundancies, staff training, and similar measures costs Kritis operators many times these amounts. By way of comparison, the German NIS2 implementation provides for much stricter penalties of up to EUR 10 million or 2 percent of annual global turnover.
Kritis operators must also register with a joint BSI and BBK reporting platform, which is still to come. IP address changes are to be reported within two weeks.
What happens next with the Kritis umbrella law?
The cabinet has approved the virtually unchanged draft of the Kritis umbrella law and thus adopted the government draft. The law still has to pass through the Bundesrat and Bundestag. It is still expected to be promulgated and thus come into force by the end of 2025.
Conclusion
More significant than the very manageable changes between the traffic light coalition's draft and the current draft of the Kritis umbrella law are the changes that are still missing. These have already been explained in detail in the previous hearings and statements, and again in the current statements of the expert groups and associations.
Here too, as with the NIS2 Act, preference should be given to an effective law over a quick law. Once again, this is not evident here.
Germany will experience an increase in physical security with the upcoming Kritis umbrella law, but as with NIS2, this will fall far short of the possibilities and requirements due to the acute threats and dangers. There will therefore be a lot of bureaucracy and documentation, but documents will not make critical infrastructures more resilient.
(emw)