Critical Infrastructures and KRITIS in Germany
German critical infrastructure protection legislation regulates operators of critical infrastructures (KRITIS) in Germany. The BSI Act (BSI-Gesetz) requires operators to implement cybersecurity measures in their regulated critical facilities (Anlagen) in the critical sectors. The IT security legislation has been amended several times since 2015.
This regulation changes in Germany from 2024 with the KRITIS Framework law (DE) and the NIS2 Implementation (EN), both of which transpose EU directives, NIS2 and RCE, into German law. The number of affected German companies will grow from about 2,000 to around 30,000, with more sectors, more company sizes and new security requirements.
Workshop: German Critical Infrastructures in English
An introduction to German KRITIS and NIS2 regulation. (S24.2)
Summer School ∙ Module S24.2 ∙ English ∙ 11 June 2024 online
This is the English version of the page on German Critical Infrastructures and German NIS2.
Who is affected?
KRITIS until 2024
German critical infrastructure regulation uses three layers to identify affected companies, in the German CIP (KRITIS) context in force until about 2024.
- Sectors and services: Defined by law to contain critical operators
- Infrastructure (facilities): Specific infrastructure used for providing critical services
- Operators (KRITIS): Identified by owning critical infrastructure facilities for critical services
The definitions (1 and 2) as well as the method (3) are laid down in German law. Using them, operators have to identify their own infrastructures and register their facilities with the authorities. This changes with NIS2 from 2024 onward.
Sectors
Germany defines eight critical (KRITIS) sectors, in which critical operators provide legally defined critical services to the general public (as listed in the KRITIS ordinance, BSI-KritisV):
- Energy
- Water
- Food
- IT and telecommunications
- Health
- Finance and insurance
- Transport and traffic
- Municipal waste disposal (added with the IT Security Act 2.0 in 2021)
Infrastructure
The critical services are provided by operators on critical infrastructures (KRITIS-Anlagen), specific facilities defined by German KRITIS regulation in the KRITIS ordinance. Operators use these asset definitions to identify the scope of applicability within their own company and for registration with the authorities.
Operators
Companies that operate infrastructure facilities above legally defined thresholds become regulated operators of critical infrastructures (KRITIS). These operators need to comply with the security requirements of German KRITIS regulation within their affected infrastructure:
- Registration with authorities and setting up a contact point
- Appropriate, state of the art IT security
- Management of risk – ISMS and BCMS
- Incident reporting to authorities
- Cyber attack detection (and response)
- Regular audits by independent auditors
Existing certifications (ISO 27001 and C5) help but usually do not cover the whole KRITIS scope of the infrastructure and mandated requirements.
NIS2 and KRITIS from 2024
Critical infrastructure regulation changes significantly from 2024 on in Germany with the German NIS2 implementation as well as other additions to KRITIS (RCE, Dachgesetz).
Sectors
The German NIS2 implementation (EN) and the KRITIS Framework law (DE) increase the number of affected sectors and companies, both operators and entities. Together they bring thousands of medium and large companies into scope as regulated entities, covering much of Germany's economy:
- Energy
- Water
- Health
- Transport
- IT and telco
- Finance and insurance
- Space
- Food
- Waste
- Post and courier
- Chemicals
- Industry
- Digital services
- Research
- Central government*
(The original page shows these sectors in a matrix against the three entity classes: critical assets, very important (essential) entities, and important entities.)
Entities
The NIS2 implementation in Germany defines three (four) groups of company types in scope:
- Very important (essential) entities, based on company size in the NIS sectors (#1):
  - companies with ≥ 250 staff, or
  - companies with ≥ 50m EUR revenue and ≥ 43m EUR annual balance sheet total
  - special cases regardless of size: qTSP, TLD, DNS, telco, critical facilities, central government
- Important entities, based on company size in the NIS sectors (#1 and #2):
  - companies with ≥ 50 staff, or
  - companies with ≥ 10m EUR revenue and ≥ 10m EUR annual balance sheet total
  - special case: trust services
- Operators of critical facilities (KRITIS), still regulated with the KRITIS method based on individual infrastructure assets:
  - critical facilities above the threshold (usually ≥ 500k supplied persons)
- Some federal entities, regulated with separate requirements
Companies in these groups become regulated entities (NIS2) and need to comply with the security requirements of German NIS2 regulation throughout the whole company:
- Registration with authorities and setting up a contact point
- Risk management governance and measures (IT-RM, ISMS, BCMS)
- Appropriate, effective, state of the art IT security
- Several specific IT security measures, including MFA, SSO
- Incident reporting to authorities
- Cyber attack detection (SOC, SIEM, for some operators)
Existing certifications (ISO 27001 and C5) will probably help but will not necessarily cover the whole NIS2 scope within that company and all mandated requirements.
Regulation
Germany
Critical infrastructure protection (CIP) regulation in Germany is based on the IT Security Acts since 2015 and separate KRITIS ordinances that define the legal framework and the requirements for operators. There were two IT Security Acts, in 2015 and 2021, both of which amended existing German laws for critical infrastructure protection.
- IT Security Act (IT-Sicherheitsgesetz): Changes to existing laws for CIP
- KRITIS Ordinance (KRITIS-Verordnung): Detailed definitions of critical infrastructures
- BSI Law (BSI-Gesetz): Requirements of operators and state authority
The current IT Security Act 2.0 has been in force since 2021 and will be superseded by the German NIS2 and RCE implementations from 2024 on.
| | KRITIS | NIS2 Implementation | KRITIS Framework |
|---|---|---|---|
| Focus | Cybersecurity | Cybersecurity | Resilience |
| Name | IT Security Act 2.0 | NIS2UmsuCG | KRITIS-DachG |
| Law | amends BSIG | amends BSIG | own law |
| Changes to | Energy, telcos, etc. | Energy, telcos, etc. | none |
| Companies | Operators of critical facilities | Operators of critical facilities; entities; federal administration | Operators of critical facilities; some federal administration |
| Drafts | Final | 3 | 2 |
| In force | Since 2021 | Oct 2024 (plan) | Oct 2024 (plan) |
| Regulator | BSI | BSI | BBK |
| Based on | extended earlier law | EU NIS2 | EU RCE |
Several federal German agencies are responsible for regulating and supervising critical operators, with expanded formal powers:
- BSI, the federal cybersecurity agency, is the main critical infrastructures/KRITIS regulator
- BBK, the federal office for civil protection and disaster assistance, is (newly) responsible for resilience
- BNetzA, the federal network agency, remains responsible for some regulated industries (e.g. energy, telcos)
- BMI, the federal ministry of the interior, has (most of) the overall responsibility for KRITIS
References
Sources
- Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz, IT Security Act) of 17 July 2015, Bundesgesetzblatt 2015 Part I No. 31, issued in Bonn on 24 July 2015
- Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung, BSI-KritisV; KRITIS Ordinance) of 22 April 2016 (BGBl. I p. 958), as amended by Article 1 of the Ordinance of 21 June 2017 (BGBl. I p. 1903)
- Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz, BSIG; BSI Act) of 14 August 2009 (BGBl. I p. 2821), last amended by Article 73 of the Ordinance of 19 June 2020 (BGBl. I p. 1328)