Critical infrastructure protection: plenty of room for improvement in Germany

IT associations and experts see a great need for improvement in the implementation of the NIS2 cyber security directive. This starts with the confusion of terms.

Pylon of an overhead power line against a stylized background with the visible words "Cyber Attack".

Experts see a great need for improvement in the implementation of the NIS2 cyber security directive in Germany.

(Image: vectorfusionart/Shutterstock.com)

This article was originally published in German and has been automatically translated.

It will not be all sunshine and roses when the Federal Ministry of the Interior (BMI) holds the hearing of associations on its consolidated draft bill for the implementation of the amended EU directive on network and information security, dubbed "NIS2", on Monday. Many business representatives and experts agree that the draft presented by Interior Minister Nancy Faeser's (SPD) team at the beginning of May is not a perfect fit for the protection of critical infrastructures (Kritis) and is contradictory in itself. Ultimately, this is likely to lead to costly additional expenses for the affected institutions and a higher level of frustration.

The problems start with the fact that no one can say exactly who will fall under the German set of standards, abbreviated in technical jargon as NIS2UmsuCG. EU legislators have replaced the approach of traditional critical sectors such as energy and water supply, information and communication technologies (ICT), transport, finance, emergency services and media with a new one, in which the institutions previously classified as critical are now included as "essential". In addition, "important" institutions have been added. They are also important for social coexistence, but do not have the special character of essential institutions.

From the perspective of the eco Association of the Internet Industry, it would make sense for these definitions to be based on the EU directives and the Cyber Resilience Act in all relevant legislative proposals - especially in the planned Kritis umbrella law, which has been stuck in the BMI for some time - and to adopt their wording as completely as possible. The association writes in a statement available to heise online that national categorizations of its own should be avoided. In general, the requirements for the economy derived from the basic terms should be "proportionate, transparent and comprehensible". The current draft does not meet this standard and therefore needs to be revised.

The BMI focuses on particularly important (instead of essential) facilities and important institutions, eco explains. This deviation creates legal uncertainty. Furthermore, the classification of the various facilities does not comply with the EU requirements. It is also problematic that the additional inclusion of the "critical facility" category in the project in question would break the existing EU regulatory structure. This is because this term, which is supposed to correspond to that of classic critical systems, is not anchored in the NIS2 Directive.

With regard to the ICT services that will be included to a greater extent in the future, it is not entirely clear to eco how a data center service can be meaningfully distinguished from a cloud computing service or a content delivery network (CDN). New additions would include space-based services and ground infrastructures - presumably intended to be associated with them - which are not included in the NIS2 directive and should therefore be excluded.

Bremen-based information law expert Dennis-Kenji Kipker also complained to heise online about the chaos of terms in the national implementation and further legal uncertainties. There is a lack of clarity, especially for complex corporate structures that provide several types of services. Here - which initially appears to be advantageous - only the business activity attributable to the respective type of establishment should be taken into account. However, this leaves open the question of whether some companies have to comply with the regulations or not. The digital association Bitkom echoes this sentiment in its statement: small and medium-sized companies in particular are often unable to assess for themselves how they will be affected by the planned regulations due to their vagueness.

"The draft is poorly crafted in various places, as these inconsistencies with European law persist", criticizes Kipker. The best example: the newly emerging space sector. Here, the lawyer comes to the opposite conclusion from eco: the BMI is restricting the scope of application contrary to European law by making "cascading effects" a prerequisite for application. This restriction can only be found in the explanatory memorandum of the directive and is therefore not binding.

The NIS2 adopted by the EU Parliament in 2022 is accompanied by extended minimum requirements for risk management measures in the area of cybersecurity and for reporting obligations in the event of online attacks and data breaches. In future, companies with more than 250 employees and an annual turnover of more than ten million euros will have to comply with common cybersecurity standards for audits, risk assessments, the prompt installation of updates and certifications. Competent authorities must initially be informed of cyber security incidents within 24 hours.

The initiative of the Ministry of the Interior to exempt state and local authorities from the requirements and to often rely on self-regulation for federal authorities has met with almost unanimous protests. Bitkom counters that these institutions are central to daily life in Germany. A failure of essential services would not only have a direct and significant impact on the affected population and economy, but "could also shake confidence in the ability of state structures to function in the long term". A basic security framework must therefore be introduced to protect these areas. Otherwise, the main burden of the measures would be shifted to the private sector. This would leave the public sector "the weak point for cyber security in Germany".

Manuel Atug, founder of AG Kritis, also complains that "countless special regulations and exceptions" apply to the state and administration. This is extremely negligent in view of the many and sometimes very far-reaching cyber security incidents, for example in the district of Anhalt-Bitterfeld or recently in over 100 municipalities in North Rhine-Westphalia, as well as the resulting "chain of cyber security failures and diffusion of responsibility". In an emergency, the affected population has no alternative course of action. Furthermore, there are no provisions for fines or supervisory and enforcement measures for federal authorities. Overall, there appears to have been no complete harmonization with the Kritis umbrella law. There is a risk of "fissured" regulation. This leads to an uncertain situation for all potentially affected institutions and supply chains, supervisory authorities and expert observers.

eco believes that the definition of a serious case of lack of trustworthiness, which could justify the prohibition of all critical components of a manufacturer, requires at least some explanation. In future, manufacturers of such components in the ICT sector would also have to issue guarantee declarations, even though the BMI had already revoked a corresponding order for the telecommunications sector in October 2022. The Internet industry is also unhappy that the Federal Office for Information Security (BSI) is to be given the power to request inventory (subscriber) data disclosures. There are doubts about such a power, which should at least be subject to prior judicial authorization.

(mho)