CRITIS Umbrella Act and NIS2: What You Need To Know Now

Critical infrastructures are essential for the community. They are often interdependent. The new draft law defines standardised minimum requirements for security measures in Germany for the first time.

Around 1,700 companies in Germany are classified as CRITIS – critical infrastructures. Sectors such as energy, food, transport and traffic are of enormous importance to the community. If they fail or are impaired, the result is supply bottlenecks and disruptions to public safety. Protecting critical infrastructures is therefore a top priority for companies and authorities.

Natural disasters, pandemics, war and terrorism: critical infrastructures are increasingly jeopardised by unforeseeable events. With the CRITIS Umbrella Act, the legislator is tackling these challenges head-on. The draft law is intended to protect central supply structures and strengthen their resilience, because apart from IT security there are currently no cross-sector and cross-risk regulations in Germany.

But what exactly is the German CRITIS Umbrella Act? When does it come into force and what does it cover? What obligations for operators arise from the law, and what benefits can CRITIS expect? The following overview shows what companies can expect.

The German CRITIS Umbrella Act – objectives and parties involved

Critical infrastructures are divided into sectors such as water, energy or health. These are largely interdependent: if there is a failure in one sector, other critical infrastructures are also affected. While there are already regulations for the IT security of CRITIS, there are no cross-sector and cross-hazard requirements. The CRITIS Umbrella Act now literally brings the hazard regulations for all CRITIS sectors under one roof. The aim is to increase the security and resilience of critical infrastructures in Germany.

From natural disasters and human error to targeted sabotage: the CRITIS Umbrella Act follows the all-hazards approach, covering all conceivable risks caused by nature or by humans. The law defines binding security standards and reporting obligations for operators of these infrastructures. It provides for regular risk analyses and security checks in order to identify and avert hazards at an early stage.

The CRITIS Umbrella Act implements the EU Critical Infrastructure Resilience Directive (CER Directive).

The German legal framework for the protection of critical infrastructures is thus being integrated into a standardised European system. Harmonised minimum standards and increased cross-border cooperation will help to improve security of supply both in Germany and in Europe. The CRITIS Umbrella Act is due to enter into force on 18 October 2024.

The CRITIS Umbrella Act and NIS2

The NIS2 Implementation Act will implement the new EU Directive NIS2 on cyber security in Germany in parallel to the CRITIS Umbrella Act. The new regulations complement each other and create a common framework to strengthen the security and resilience of critical infrastructures in Germany. The NIS2 Directive aims to strengthen cyber security and harmonise security standards across the EU, while the CRITIS Umbrella Act ensures the protection of critical infrastructures at national level against both physical and cyber threats.

Both regulations oblige companies to report security incidents and to assess risks regularly so that they can react quickly to new threats. The integration of the NIS2 Directive into the CRITIS Umbrella Act promotes cooperation between European and national security authorities, resulting in a unified and resilient security strategy. Both laws come into force in October 2024. Operators of critical infrastructures then have 21 months to fulfil the requirements.

Important: The NIS2 directive affects significantly more companies than the previous critical infrastructures. In future, service providers or suppliers of CRITIS companies will also be taken into account. Companies must inform themselves on their own responsibility and assess whether they are affected by the new regulations.

Good to know: What is an umbrella act?

An umbrella act is an overarching law that bundles various regulations on a specific topic into a standardised legal framework. It creates a central legal basis on which specific regulations for different areas are based. Umbrella laws are often found in areas of high social relevance where coordinated and comprehensive legal regulation is required. In the case of the CRITIS Umbrella Act, the different requirements and security regulations for critical infrastructure operators are thus brought together and harmonised in order to ensure a consistent and effective level of protection.

CRITIS Umbrella Act: Who does it apply to and what will change?

Every CRITIS company is affected by the CRITIS Umbrella Act. This includes all organisations that play a decisive role in the overall supply of services in Germany or are responsible for the supply of services to at least 500,000 people. According to the German Federal Office for IT Security, there are more than 1,500 critical infrastructure operators in Germany with a total of around 2,000 facilities in the current eight sectors: 

  • Energy
  • Water
  • Food
  • IT and telecommunications
  • Healthcare
  • Finance and insurance
  • Transport and traffic
  • Waste disposal

According to experts, significantly more operators will be affected with regard to the future CRITIS sectors (public administration and space). The entry into force of the CRITIS Umbrella Act will result in new obligations for affected companies:

  1. Binding security standards: Establishment of standardised security requirements for operators of critical infrastructures.
  2. Incident reporting obligations: Obligation to report security-related incidents to the competent authorities.
  3. Regular risk analyses: Implementation and documentation of risk analyses to identify potential threats (at least every four years).
  4. Security audits: Regular reviews of security measures through internal and external audits.
  5. Cooperation between stakeholders: Promotion of cooperation between public and private stakeholders in the area of critical infrastructures.
  6. Increasing resilience: Implementation of measures to increase resilience to disruptions and attacks.
  7. Training and awareness-raising: Obligation to regularly train staff and raise awareness of security issues.
  8. Regular status reporting: Regular reporting on the security status and implemented measures to the supervisory authorities.
  9. Emergency plans: Creation and updating of emergency plans to ensure operational capability in crisis situations.
  10. Data protection and information security: Ensuring compliance with high data protection and information security standards.

The CRITIS Umbrella Act: advantages for operators

Although the CRITIS Umbrella Act imposes strict requirements, operators of critical infrastructures benefit from better protection of their systems and greater resilience to threats. Binding security standards and closer cooperation at national and European level significantly improve resilience to cyber attacks and other internal and external disruptions. Operators' own operational capability is secured, and public confidence in the reliability of essential services is strengthened.
