KRITIS & NIS2: Security for critical infrastructures

The NIS2 Directive applies to organisations, including companies and suppliers, that play a crucial role in the maintenance of the European economy and society by providing essential or important services. If your organization falls under one of the following categories and meets the criteria of more than 50 employees and a turnover of more than 10 million euros, compliance with the NIS2 Directive is mandatory.

Public and private entities in specific sectors:

• Postal and courier services
• Waste management
• Chemistry
• Food
• Medical Device Manufacturing
• Computers and Electronics
• Machines
• Automobiles
• Energy
• Transportation
• Banking
• Financial Market Infrastructures
• Health service
• Drinking water supply and distribution
• Digital infrastructures
• Online marketplaces
• Online search engines
• Cloud Computing Services

The KRITIS framework law applies to organizations, including companies and suppliers, that play a decisive role in maintaining the German economy and society by providing services. The standard threshold was set for the supply of 500,000 inhabitants. Specific regulations apply to individual sectors.

The KRITIS umbrella law creates the legal framework for the protection of critical infrastructures in Germany. The focus here is on physical security and considers all conceivable risks that can arise from technical failures or targeted attacks.

The law first specifies which sectors and industries are considered critical infrastructures, such as energy, water, transport, health, information technology and telecommunications. For these areas, the KRITIS umbrella law defines minimum standards and protection requirements that operators must meet in order to ensure functionality in the event of a crisis.

In addition, the law regulates reporting obligations: operators of critical infrastructures are obliged to report disruptions and failures that can lead to significant supply bottlenecks to the competent authorities.

Last but not least, the law also provides for sanctions for violations of the protection requirements, for example in the form of fines. Overall, the KRITIS umbrella law aims to better protect Germany's vital infrastructures from failures, disruptions and attacks and thus ensure the security of supply for the population.

The Network and Information Security Directive 2 (NIS2) is a revised EU directive that was adopted in 2022. It aims to strengthen cybersecurity measures in companies and public institutions within the EU, with the aim of increasing the resilience and security requirements of critical infrastructures and key companies in order to better protect themselves against cyberattacks.

The NIS2 Implementation Act (NIS2-UmsuCG) transposes the requirements of the NIS2 Directive into national law and specifies which companies and institutions must comply with these requirements. It also determines the security measures that must be taken to improve cybersecurity. These requirements are to be applied in particular in critical infrastructures, essential and important sectors in order to be better equipped against risks and threats to the digital infrastructure.

Need help meeting the requirements of the NIS2 Directive? A gap assessment helps to identify possible security gaps and helps to meet legal requirements such as NIS 2 or KRITIS.

The new EU directive NIS2 supplements the KRITIS umbrella law and is implemented by the NIS2 Implementation Act. While the German law focuses primarily on classic critical infrastructures such as energy, water or transport, the EU directive NIS2 goes much further.

Basically, it can be said that KRITIS operators must always comply with the NIS2 Directive. However, it is not only the traditional critical sectors that are covered by the new EU-wide control system, but also a large number of other companies and service providers that are defined as "essential" or "important" entities. These include, for example, drinking water and wastewater supply, food production, the computer and electronics industry or the automotive industry.

Originally, it was planned that both laws would come into force in mid-October 2024. The draft for the KRITIS umbrella law was adopted by the Federal Cabinet on 6 November 2024. The subsequent legislative process in the Bundestag and Bundesrat will follow at the beginning of 2025. The situation is similar for the NIS2 Implementation Act: The current status is that the NIS2 Implementation Act is expected to come into force at the beginning of 2025. The exact dates have not yet been finalized, as the coordination process between the parties involved is ongoing. As soon as a concrete date for the entry into force is set, this will be announced by the federal government.

Hospitals are generally part of the KRITIS if they reach or exceed the threshold values provided for them or/and also meet other parameters. More details can only be said after the final adoption of the law, as the information so far is based on the published draft bills. The level of care, i.e. the importance of a service for care, must be determined on the basis of industry-specific thresholds. This applies to all services that are classified as critical.

Within the framework of the KRITIS umbrella law and the NIS2 Directive, a so-called effectiveness test must be carried out. What is checked?

During the effectiveness test, the current safety status is assessed and compared with the situation before the measures were implemented. It is checked whether the defined protection objective has been achieved by the defined protective and defensive measures.

The objective of the effectiveness test is to ensure that all affected organisations – regardless of whether they belong to KRITIS or NIS2 – have adequately implemented their security measures.

An "attack" includes acts of sabotage that affect physical security. Social engineering, i.e. the targeted attempt at manipulation to obtain confidential information, should be prevented by measures such as education and training on data security within companies. If an attack on the IT infrastructure is carried out based on information from social engineering, the potentially significant impact must also be repo

The effectiveness test evaluates the current security status and compares it with the status prior to the implementation of the measures. It checks whether the specified protection goal has been achieved by the defined protection and defense measures. The aim of the effectiveness test is to ensure that all affected organizations—regardless of whether they belong to KRITIS or NIS2—have implemented their security measures appropriately.

NIS2 sets out a minimum list of administrative sanctions that Member States can impose for breaches of cybersecurity risk management and reporting obligations. These include binding instructions, orders to implement the recommendations of a security audit, orders to align cybersecurity measures with NIS2 requirements, and administrative sanctions.

For "essential entities" that do not comply with the rules, member states must impose fines of at least €10,000,000 or 2 percent of their total annual global turnover – whichever is greater. For "essential companies", Member States must provide for fines of at least €7,000,000 or at least 1.4% of their total annual global turnover, whichever is higher.

BSI certification by the Federal Office for Information Security in Germany ensures that IT products and processes meet certain security standards. In the context of the KRITIS Umbrella Act and the NIS2 Directive, BSI certification plays an important role, as it ensures compliance with cybersecurity standards for operators of critical infrastructures and essential services. For companies that are part of critical infrastructures, BSI certification can be important proof of compliance with legal and regulatory security requirements.

The NIS2UmsuCG sets out the requirements, which are defined by the government by law. It "only" describes the goal that must be achieved – but not how this goal is to be implemented in concrete terms. Therefore, the law does not contain any prescribed solutions. ISO 27001:2022 provides general requirements for information security management systems

(ISMS) that are applicable to any type of organization. It can therefore serve as a possible approach and tool to meet the legal requirements.

The Cyber Resilience Act (CRA) is the first European regulation to set cybersecurity requirements for both connected and non-connected products. The prerequisite is that the products have an interface. The regulation came into force on December 10, 2024. Initial reporting obligations must be fulfilled from 11 September 2026, while the CRA will apply in full from 11 December 2027. Manufacturers of hardware and software products are particularly affected, as they have to prove that their systems meet the specified requirements.

The Federal Office of Civil Protection and Disaster Assistance (BBK) is a German federal agency responsible for civil protection and disaster control. Its tasks include the preparation and coordination of measures to protect and support the population in the event of major dangerous situations and disasters.

For KRITS and NIS2, the BBK is important because it deals with the resilience and protection of critical infrastructures. Critical infrastructures are essential for the functioning of society and the economy, and their disruption can have serious consequences. The BBK works to make these infrastructures more resilient to threats and attacks by developing security strategies.