Update Data Protection No. 151
The New German KRITIS Umbrella Law: Overview of the new draft bill for the “KRITIS-Dachgesetz”
There is a lot of movement in the area of information security. After a draft bill for the law implementing the NIS 2 Directive (“NIS-2-UmsuCG”) was published in May 2023, the first draft bill for the new KRITIS umbrella law (“KRITIS-DachG”) has now been published on July 17, 2023.
The KRITIS-DachG serves to implement “Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC” (“CER Directive”). The CER Directive and the NIS 2 Directive are important cornerstones of the EU cybersecurity strategy, which aims to promote the resilience and security of certain (critical) entities in the European Union.
While the NIS 2 Directive aims to strengthen the cybersecurity – i. e., the security of network and information systems – of certain entities, the CER Directive aims to strengthen the physical security of critical entities. In doing so, a so-called “all hazards approach” is intended to provide comprehensive protection against natural disasters as well as man-made hazards. This also corresponds to the goal declared in the federal government’s coalition agreement of bundling the physical protection of critical infrastructure in a KRITIS umbrella law.
According to the envisaged concept, the KRITIS-DachG is to stand alongside the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, “BSIG”), which will be fundamentally amended by the NIS-2-UmsuCG. The aim is to create a coherent system to strengthen the resilience of critical facilities (kritische Anlagen) and other – so-called important and particularly important – entities (wichtige Einrichtungen and besonders wichtige Einrichtungen) by taking into account the interfaces between the two areas and, as far as possible and sensible, regulating them in a consistent manner.
B. Group at whom the draft is aimed
The draft of the KRITIS-DachG is primarily aimed at “operators of critical installations” (Betreiber kritischer Anlagen). In this context it is important to highlight that the term “critical installations” must be distinguished from the term “critical infrastructures” (kritische Infrastrukturen) which is defined separately in the KRITIS-DachG and the NIS-2-UmsuCG.
According to the draft, the operator of a critical installation is a natural or legal person who exerts a decisive influence on such an installation. The draft defines a critical installation as an installation that is of great importance for the functioning of the community because its failure or degradation would result in significant supply shortages or threats to economic activities, public safety or public order. Which specific installations qualify as critical installations is to be determined in accordance with a statutory ordinance that is yet to be issued. According to the will of the legislator, critical installations as well as important and particularly important entities under the KRITIS-DachG and the BSIG are to be determined in a joint statutory ordinance. In this respect, the procedure is similar to the approach in the current BSIG and the German regulation for critical infrastructure issued under it (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz, “KRITIS Regulation”). Comparable to the current KRITIS Regulation, the draft of the KRITIS-DachG provides that certain types of installations are automatically classified as critical installations depending on their sector affiliation and the achievement of certain threshold values.
So-called “critical installations of particular importance for Europe” represent a special case. These should be those that are classified as critical installations in accordance with a legal regulation under Section 15, provide the same service for six or more Member States and for which the operator has received a notification from the EU Commission that the installation is of particular importance for Europe. For operators of critical installations of particular importance for Europe, special obligations apply in the KRITIS-DachG.
According to the present draft of the KRITIS-DachG, various obligations are imposed on operators of critical installations.
I. Registration obligation
Operators of critical installations are obliged to register the installations with a registration office to be set up jointly by the Federal Office for Civil Protection and Disaster Assistance (“BBK”) and the Federal Office for Information Security (“BSI”). In addition, every operator of a critical installation must designate a point of contact or an individual as a contact person.
According to the draft, the BBK is the national competent public authority and at the same time the central point of contact within the meaning of the CER Directive. In this function, the BBK is responsible for enforcing the regulations of the KRITIS-DachG and for exchanging information with the central points of contact of other Member States. The BBK is supported by the BSI and the German Federal Network Agency, which are to provide the BBK with the relevant information on IT security risks, threats and incidents, as well as on other risks, threats and incidents affecting critical installations.
II. Risk analyses and risk assessments
The federal ministry responsible for the sector to which the respective critical installations belong carries out risk analyses and assessments every four years or on request. These are then to be made available to the BBK for evaluation. This evaluation is, in turn, sent to the operators of the critical installations and to the European Commission.
Operators of critical installations have to carry out their own risk analyses and assessments on the basis of these state risk analyses within the first nine months after registration and thereafter at least every four years.
III. Resilience measures and resilience plans
Essential aspects of the draft are the specifications for the implementation of so-called resilience measures. Accordingly, operators of critical installations are obliged to take suitable and proportionate measures to ensure their resilience. The measures should be based on the state and the company’s own risk analyses and assessments (see above).
Measures in this sense include those necessary to prevent incidents from occurring, to ensure the physical protection of the entity’s premises, to respond to incidents and limit their consequences, to ensure recovery after incidents, to ensure appropriate safety management with regard to employees, and to familiarize the relevant personnel with such measures through informational materials, training courses and exercises.
The draft does not contain concrete specifications as to how these measures should be designed in detail. The operator is therefore granted a degree of discretion. However, the measures must always comply with the state of the art. To answer the question of which measures can be taken into account in this consideration, Annex 1 contains a non-exhaustive list of possible measures. These include, for example, emergency preparedness measures, the erection of fences and barriers, the use of detection devices, access controls, security checks and the diversification of supply chains.
The BBK should make templates and models available to support the operator in the determination process. When evaluating the appropriateness of planned measures and the specific design of these, existing information security standards, such as ISO 27001 or the BSI IT-Grundschutz, can be used, since these also contain measures for the physical protection of certain installations (e. g. in the area of admission and access controls).
In addition, operators of critical installations and their respective industry associations are to be able to propose industry-specific resilience standards. Upon request, the BBK can then determine whether the proposed standards are suitable for meeting the requirements of the KRITIS-DachG.
Besides implementing resilience measures, operators of critical installations are also obliged to present all of these measures in a resilience plan. This plan must be submitted to the BBK at a time specified during registration of the installation and then reviewed every two years. Compliance with these requirements must likewise be proven at a time specified by the BBK during registration and then every two years.
According to the draft, the BBK is authorized, in agreement with the competent supervisory authority, to check compliance with these requirements if there are doubts about this. In this case, the BBK can also instruct operators to take necessary and proportionate resilience measures.
IV. Reporting obligations
The draft also contains regulations on reporting obligations for operators of critical installations. According to these, operators are obliged to report incidents that can significantly disrupt the provision of their critical service. The report must be made via the point of contact set up by the operator.
A reporting office set up by the BBK in agreement with the BSI should be responsible for receiving the report. It remains to be seen to what extent the reporting body to be appointed by the BBK and the BSI will be consolidated with the registration office, which is also to be appointed jointly, in a single body.
An initial report of an incident must be made within 24 hours of becoming aware of the incident. A detailed report must then follow after one month at the latest.
The operator of “critical installations of particular importance for Europe” must also notify the BBK which critical services it offers in which Member States.
The draft contains a sanctions regime for non-compliance with certain legal requirements. In concrete terms, this applies in particular to the obligations presented, i. e., if a registration required by law is not carried out, no point of contact is named, risk analyses and assessments are not carried out, the resilience plan is not available in good time or the review by the BBK is not permitted.
The amount of the fines is not yet specifically quantified in the draft. According to the draft, fines must in any case be proportionate. In particular, this means that an operator of a critical installation must first be asked to meet their obligations. Only then can a fine be imposed.
In contrast to the draft law for the NIS-2-UmsuCG, the KRITIS-DachG does not yet contain any further compliance obligations. Unlike the NIS-2-UmsuCG, it does not regulate any personal liability of the management for damage caused by inadequate implementation of the law. The draft of the KRITIS-DachG also does not specify any concrete monitoring or further training obligations for the management with regard to physical risk management.
E. Conclusion and outlook
The CER Directive is to be implemented by October 2024. The draft of the KRITIS-DachG must be approved by then. Given the early stage of the legislative process, changes are still to be expected. However, it remains to be seen how far-reaching these will be. The draft of the KRITIS-DachG itself currently provides that the law will come into force on January 1, 2026. In contrast, the fine regulations are not to come into force until January 1, 2027. This means that the addressees are given an additional “transitional period” to implement the requirements.
One thing is already clear: the new legal framework in the area of information security in Germany is taking on an increasingly concrete form and poses many challenges. It is true that many of the planned specifications are based on regulations that already exist in the KRITIS area. At the same time, however, there are also a large number of new requirements for operators of critical installations. Entities and companies that have so far not fallen within the scope of the currently applicable KRITIS provisions in the BSIG and the KRITIS Regulation, and therefore have not yet had to deal with the existing specifications, must in particular engage with the new specifications at an early stage and closely monitor further developments. After all, experience has shown that the implementation of measures in the area of information, IT or cybersecurity is regularly associated with considerable effort and requires long-term planning. The prerequisite here is of course that the German legislator issues the corresponding statutory ordinance specifying the threshold values and sector affiliation for classification as an operator of a critical installation. But even current KRITIS operators have to adapt to new requirements and should therefore also start planning and implementing the upcoming requirements at an early stage.