The German government has adopted the new key points for the KRITIS umbrella law presented by the Federal Minister of the Interior and Home Affairs, Nancy Faeser. These set out the key objectives and regulatory content of the project agreed in the coalition agreement.
Critical infrastructure operators need to strengthen their safeguards to better protect their systems against failures. The CRITIS umbrella law allows the state and the operators of these systems to better identify threats. The key points paper also sets minimum standards for operators across sectors. As a result, it gives operators more orientation and certainty of action - they can defend themselves more effectively against attacks.
A centralized incident monitoring system will also supplement the existing reporting system in the cybersecurity sector and provide an overview of potential vulnerabilities in the physical protection of critical infrastructures. The cooperation of the stakeholders involved in the area of critical infrastructures is to be more clearly elaborated by the CRITIS umbrella law.
The CRITIS umbrella law simultaneously replaces the EU Directive on Critical Entities Resilience (CER Directive), which is expected to be adopted at the end of 2022. Embedding the law in the overall European system and in cross-border cooperation will also strengthen security of supply in Germany and Europe.
The objectives of the KRITIS Umbrella Act at a glance:
- Critical infrastructure is clearly identified.
- The resilience of the overall critical infrastructure system will be strengthened through uniform minimum requirements for resilience measures in all sectors.
- The protection of critical infrastructures is a cross-departmental and cross-stakeholder task for the entire state. The operators of critical infrastructures - whether private companies or public institutions - must guarantee their ability to function. The KRITIS umbrella law supplements the cooperative approach with mandatory protection standards for physical security. This will give operators more orientation and certainty of action.
- By creating a state framework with the reporting system to be introduced for security incidents and controls, the state also assumes greater responsibility for protecting critical infrastructures. The new reporting system to be introduced in the area of physical security complements the existing reporting system in the area of cyber security of critical infrastructures. The state will also continue to support operators by providing analyses as well as guidance, advice, exercises and training.
- The impact on the overall system of all critical infrastructures must be the focus of the physical protection of critical infrastructures. Greater consideration will be given to cross-sector and cross-border dependencies and to the interdependencies between sectors. The protection of critical infrastructures is not only a sector-specific task but also a cross-cutting task that places responsibility on all departments and requires their targeted cooperation and collaboration. Failures in one sector, such as energy, information technology/telecommunications or transport/traffic, can have severe effects on other sectors as well.
- The resilience of Critical Infrastructures as a whole, not just the protection of individual Critical Infrastructures, must be strengthened. Critical Infrastructures must be able to prevent, protect against, respond to, and defend against security incidents that can lead to serious and potentially cross-sector and cross-border disruptions. In addition, the consequences of such an incident must be limited, absorbed, managed, and recovery ensured.
- The interconnections and interdependencies of critical infrastructures are also taken into account at the administrative level. In a new approach, the physical protection of critical infrastructures will be addressed as a separate issue with the CRITIS umbrella law and coordinated by an overarching competent authority. Cross-border effects are also taken into account through even closer cooperation within a European framework.
(Source: bmi.bund.de/publication Cornerstones for the KRITIS Umbrella Act)
The regulatory content of the KRITIS umbrella law
These defined goals result in regulatory content that links to implementation proposals to achieve them. These regulations of the new CRITIS umbrella law are as follows:
Clearly identify CRITIS
With the BSI Critical Infrastructure Ordinance, there is already an established provision for critical infrastructures as defined by the BSI Act with a focus on possible impairments to supply security due to threats from cyberspace. The CRITIS umbrella law is intended to supplement this existing provision with a systematic and comprehensive identification of all critical infrastructures that require special protection.
Better recognize threat situation and risks
Critical infrastructure threats will be subject to periodic assessment. Government risk assessments for the critical services will provide operators with a basis for their own periodic specific risk assessments and the actions to be taken based on them.
Mandatory increase in the level of protection
The same minimum physical security requirements will be imposed on critical infrastructure operators in all sectors in order to comprehensively protect critical infrastructure against threats and become more resilient as part of the overall system.
These regulations are thus intended to supplement the existing requirements in the area of cyber security of critical infrastructures. They include:
- the establishment of an operational risk and crisis management
- the performance of risk analyses and assessments
- the preparation of resilience plans and
- the implementation of appropriate and proportionate technical, personnel and organizational measures for the respective institution.
Detect and eliminate malfunctions of the overall system
The introduction of central incident monitoring as a supplement to the existing reporting system in the area of cyber security will enable an overall view of possible vulnerabilities in the physical protection of critical infrastructures. By reporting security incidents, other Critical Infrastructures affected by the security incident, including those in other Member States, can be warned.
Create an institutional framework
The cooperation of the many actors involved in the protection of critical infrastructures, both on the government side and among the operators of critical infrastructures, will be set out more clearly. Clear responsibilities, contact persons and priorities for issues related to the resilience of critical infrastructures will improve cooperation.
The full version of the key points for the KRITIS umbrella law can be found HERE.