KRITIS Umbrella Act and NIS2: What you need to know now

Critical infrastructures are essential for the community, and they are often interdependent. The new draft law defines standardised minimum requirements for security measures for the first time.

Around 1,700 companies in Germany are classified as KRITIS (critical infrastructures). Sectors such as energy, food, transport and traffic are of enormous importance to the community. If they fail or are impaired, the result is supply bottlenecks and disruption of public safety. Protecting critical infrastructures is therefore a top priority for companies and authorities.

Natural disasters, pandemics, war and terrorism: KRITIS are increasingly jeopardised by unforeseeable events. With the KRITIS Umbrella Act, the legislator is tackling these challenges head-on. The draft law is intended to protect central supply structures and strengthen their resilience, because apart from IT security there are currently no cross-sector, cross-risk regulations in Germany.

But what exactly is the KRITIS Umbrella Act? When does it come into force and what does it cover? What obligations for operators arise from the law, and what benefits can KRITIS expect? The following overview shows what companies can expect.

The KRITIS Umbrella Act: objectives and players

Critical infrastructures are divided into sectors such as water, energy and health. These are largely interdependent: a failure in one sector also affects other critical infrastructures. While regulations for the IT security of critical infrastructures already exist, there are no cross-sector, cross-risk requirements. The KRITIS Umbrella Act now literally brings the hazard regulations for all KRITIS sectors under one roof. The aim is to increase the security and resilience of critical infrastructures in Germany.

From natural disasters and human error to targeted sabotage: the KRITIS Umbrella Act follows the all-hazards approach, covering all conceivable risks, whether caused by nature or by humans. The law defines binding security standards and reporting obligations for operators of these infrastructures. It provides for regular risk analyses and security checks so that hazards can be identified and averted at an early stage.

The KRITIS Umbrella Act implements the EU Critical Entities Resilience Directive (CER Directive).

The German legal framework for the protection of critical infrastructures is thus being integrated into a standardised European system. Harmonised minimum standards and increased cross-border cooperation will help to improve security of supply both in Germany and in Europe. The KRITIS Umbrella Act is due to come into force on 18 October 2024.

The KRITIS Umbrella Act and NIS2

In parallel to the KRITIS Umbrella Act, the NIS2 Implementation Act will implement the new EU NIS 2 Directive on cyber security in Germany. The two regulations complement each other and create a common framework for strengthening the security and resilience of critical infrastructures in Germany. The NIS2 Directive aims to strengthen cyber security and harmonise security standards across the EU, while the KRITIS Umbrella Act ensures the protection of critical infrastructures at national level against both physical and cyber threats.

Both regulations oblige companies to report security incidents and to assess risks regularly so that they can react quickly to new threats. The integration of the NIS2 Directive into the KRITIS Umbrella Act promotes cooperation between European and national security authorities, resulting in a unified and resilient security strategy. Both laws come into force in October 2024. Operators of critical infrastructures have 21 months to fulfil the requirements.

Important: The NIS2 Directive affects significantly more companies than the previous critical-infrastructure rules. In future, service providers and suppliers of KRITIS companies will also be covered. Companies must inform themselves independently and assess whether they are affected by the new regulations.

KRITIS Umbrella Act: Who does it apply to and what will change?

The KRITIS Umbrella Act affects every KRITIS company. This includes all organisations that play a decisive role in the overall supply of services in Germany or are responsible for supplying services to at least 500,000 people. According to the BSI, there are more than 1,500 KRITIS operators in Germany to date, with a total of around 2,000 facilities in the eight sectors:

  • Energy
  • Water
  • Food
  • IT and telecommunications
  • Healthcare
  • Finance and insurance
  • Transport and traffic
  • Waste disposal

Experts expect significantly more operators to be affected once the future KRITIS sectors (public administration and space) are added. The entry into force of the KRITIS Umbrella Act will result in new obligations for affected companies:

  1. Binding security standards: Definition of standardised security requirements for operators of critical infrastructures.
  2. Incident reporting obligations: Obligation to report security-related incidents to the competent authorities.
  3. Regular risk analyses: Implementation and documentation of risk analyses to identify potential threats (at least every four years).
  4. Security audits: Regular reviews of security measures through internal and external audits.
  5. Cooperation between stakeholders: Promotion of cooperation between public and private stakeholders in the area of critical infrastructures.
  6. Increasing resilience: Implementation of measures to increase resilience to disruptions and attacks.
  7. Training and awareness-raising: Obligation to train staff regularly and raise awareness of security issues.
  8. Regular reporting obligations: Regular reporting on the security status and the measures implemented to the supervisory authorities.
  9. Emergency plans: Creation and updating of emergency plans to ensure operational capability in crisis situations.
  10. Data protection and information security: Ensuring compliance with high data protection and information security standards.

The KRITIS Umbrella Act: advantages for operators

Although the KRITIS Umbrella Act imposes strict requirements, operators of critical infrastructures benefit from better protection of their systems and greater resilience to threats. Binding security standards and closer cooperation at national and European level significantly improve resilience to cyber attacks and other internal and external disruptions. Operators' own operational capability is secured, and public confidence in the reliability of essential services is strengthened.

Good to know: What is an umbrella act?

An umbrella act is an overarching law that bundles various regulations on a specific topic into a standardised legal framework. It creates a central legal basis on which the specific requirements for different areas rest. Umbrella acts are often found in areas of high social relevance where coordinated and comprehensive legal regulation is required. In the case of the KRITIS Umbrella Act, the various requirements and security regulations for critical infrastructure operators are thus brought together and harmonised in order to ensure a consistent and effective level of protection.
