The German KRITIS umbrella act: strengthening physical infrastructure resilience

German law regarding critical infrastructure has entered the next round with the goal of increasing the physical resilience of critical facilities (the CER-Directive uses the word "entities", but, as the wording of the KRITIS Act states, the German legislator has expressly chosen to use a word that translates as "facilities": hereinafter, the term “critical facility” or “operators of critical facilities” will be used instead of “critical entities”). A first draft for the German umbrella act for critical infrastructure protection (KRITIS-Dachgesetz – the “KRITIS Umbrella Act”) (available for example here in German only) issued by the Federal Ministry of the Interior to implement the EU Critical Entities Resilience Directive (CER Directive) was made public. Its primary objective is to mitigate non-cyber-related risks. Figuratively speaking, the KRITIS Act focusses on the outer “shell” of critical systems. If this outer “shell” is fragile, digital IT security measures are practically useless. The KRITIS Act governs eleven sectors such as energy, including sectors like transport, health care and information technology.

This article is to provide answers to the most important questions regarding this new law.

What is the KRITIS Umbrella Act?

The KRITIS Umbrella Act is a supplement to the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – “Cybersecurity Act”), which governs cybersecurity in Germany and is currently being extensively amended due to the NIS-2-Directive. As a supplement to the Cybersecurity Act’s wide-ranging requirements for protection from digital dangers such as hacker attacks, the KRITIS Umbrella Act has several measures to strengthen analogue security.

The draft KRITIS Umbrella Act has an “all-danger approach” intended to protect German infrastructure from all hazards of a physical nature, whether natural disasters or danger due to human acts - whether they are due to unintentional or intentional behavior. The goal of the KRITIS Umbrella Act is to make operators of critical facilities more resilient, i.e. strengthen their ability to prevent or avert an incident or mitigate its impact (section 2 no. 5).

Operators of critical facilities must take “resilience measures”, which are monitored by the German Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe – “Federal Civil Protection Office” (section 3(2)) or other competent authorities such as BSI, BaFin or BNetzA. In its capacity as an interface with IT security law, the KRITIS Umbrella Act also includes a number of legal definitions for parties to which the NIS-2 Directive applies and whose obligations will soon be included in the revised version of the Cybersecurity Act.

Who is affected?

The KRITIS Act is aimed primarily at operators of “critical facilities”. Applicability of the law, which will especially be subject to a Ordinance that is still to be published, to a particular party is determined based on two criteria: whether the facility is used in a particular sector (energy, transport and traffic, financing and insurance, health care, water, food, information technology and telecommunications, outer space, public administration or municipal waste disposal) and whether it functions at or above a particular threshold (section 4). The threshold value will be determined according to whether the operator supplies at least 500,000 inhabitants with its facility. Critical facilities thus largely correspond to the definition of critical infrastructure as defined in the BSIG today. However, the competent supervisory authority can also qualify additional companies as operators of critical facilities. If an operator runs the critical facility in or for at least six member states, it is identified as a critical facility of particular importance for Europe and is subject to special measures.

As an interface with IT security law, the KRITIS Umbrella Act also defines additional entities and facilities that will be subject to more detailed provisions in the (future version of the) Cybersecurity Act, including “Critical Facility” (section 2 no. 3) and “Critical Services” (section 2 no. 4).

The approach found in the draft KRITIS Umbrella Act, i.e. an overarching means to address digital and analogue dangers, is to be seen as positive. Compared to the previous drafts of this Act, the present draft already appears much “tidier” and more harmonized with the future version of the Cybersecurity Act.

What must affected entities do?

The draft KRITIS Umbrella Act places operators of critical facilities under several obligations that are strikingly similar in form to the requirements for operators of critical facilities according to the Cybersecurity Act (see particularly section 8a of the Cybersecurity Act).

• First, operators of critical facilities must register with the competent authority (section 6(1)). If an operator does not comply with this obligation, the authority can perform the registration itself (section 8(3)).
• Operators also must designate a point of contact that must be available around the clock (section 6(1)(1)).
• Based on this registration, the authorities are then to conduct government risk assessments and evaluations (section 8), which the operators of critical facilities are also obliged to conduct (section 9).
• However, operators’ key task is to implement suitable and appropriate technical, security-related and organisational measures to ensure resilience. This is a requirement in the KRITIS Umbrella Act that is similarly abstract to that found in the Cybersecurity Act – with the distinction that the measures must now also be “security-related”. The draft KRITIS Act does not include any detailed requirements regarding the measures, but merely gives examples. The list of examples in Annex 1 does not provide any reference points that would not already arise from general reasonable consideration. Physically protecting premises and controlling access rights should actually be a general matter of course. The Federal Ministries can issue Ordinances to specify the resilience measures for the areas for which they are responsible.
• The measures must be documented in a “resilience plan” (section 10).
• Proof of compliance with the requirements is to be provided at regular intervals (section 11).

Another component that will probably sound familiar to operators is the “sector-specific resilience standards” (section 10 (6)). In a manner similar to that of the sector-specific security standards found in section 8a(2) of the Cybersecurity Act, operators of critical facilities and their sector associations can develop their own standards to make the KRITIS Umbrella Act’s abstract requirements more concrete and then have Federal Civil Protection Office certify their suitability.

Operators must immediately report any security incidents to a joint notification center operated by the BSI and the Federal Civil Protection Office (section 12(1)). The deadlines for this are extremely strict. The authorities must be notified within 24 hours of awareness of the incident, and a detailed report is due by one month thereafter (section 12(3)).

What are the consequences of non-compliance with the KRITIS Umbrella Act?

There are also many parallels to the Cybersecurity Act in the application and enforcement of the KRITIS Umbrella Act. The competent authority is authorised to check compliance with all of the legal requirements. To facilitate this, operators of critical facilities must permit the authority to enter their business and operations premises during normal operating hours and provide records and the necessary support (section 11(5)).

If and to the extent that the competent authority is of the opinion that the measures taken are insufficient, it can order an operator to take the necessary measures (section 11(10). Violations of the KRITIS Umbrella Act are punishable by a fine in many cases, including failure to register or complete a risk assessment in a timely manner or insufficient support of the competent authority Federal Civil Protection Office (section 19). However, the current draft KRITIS Umbrella Act does not yet set the exact amount of such fines.

When will the Act come into force?

The KRITIS Umbrella Act implements the CER Directive, which requires member states to transpose the requirements into national law by 17 October 2024. According to the wording of the current draft, the KRITIS Umbrella Act is to be introduced in several stages. The most important obligations are set to enter into force on 17 July 2026. These time periods are intended to provide the relevant facilities with sufficient time to comply with the new requirements and implement the necessary resilience measures.

So far, the KRITIS Umbrella Act is only a draft. Many changes may still come before it is adopted. However, the essential core content of the KRITIS Umbrella Act is prescribed by European law.