Container terminal at the Port of Hamburg (Image: istockphoto/Marcel Storp)
Critical infrastructure or not?

Failures put critical infrastructure in the spotlight and show the need for effective regulation. But operators are struggling with this. It is not easy for them to keep an overview and comply with the numerous requirements.

Numerous failures have recently drawn attention to critical infrastructure (CRITIS). In one recent case, the mass failure of payment terminals in the retail sector caused problems for quite a few customers. In many shops, card payments were not possible for several days. The Bundesbank saw this as "a serious incident" and emphasised that a simultaneous failure of many payment terminals could damage confidence in card payments. This highlights the relevance of these components for the supply of the population.

But POS terminals, as these devices are technically known, are not part of the critical infrastructure. Their manufacturers and the back-end systems to which the terminals connect to process a payment are a different matter: they do count, if they reach the specified threshold of 21.5 million euros in annual transactions. After all, the failure of a single payment terminal does not normally matter much, but when these devices fail en masse, it is a different story. This example illustrates a certain fuzziness in the CRITIS regulation.

Thresholds give cause for criticism

German legislators wanted to sharpen the regulation and eliminate its problems when it was revised last year as a result of the new IT Security Act. The revised regulation came into force at the beginning of the year and also expands the circle of affected sectors, for example to include the waste management sector. In addition, it provides for some tightening, which goes hand in hand with stricter requirements and can mean considerable additional work for old and new CRITIS operators. According to an estimate by the responsible Federal Ministry, the new version is likely to add around 252 additional CRITIS operators. The amendment will turn the previous 1,600 companies nationwide into about 1,900. A company must decide for itself whether it is affected or not; it will not be notified.

The decisive factors are the relevance of the company for public services and threshold values, which have been lowered in many cases with the amendment. Put simply, the thresholds are intended to distinguish the large, particularly supply-relevant operators from the smaller, more locally active companies. This is done, for example, on the basis of transport volume or production quantity. In the case of electricity producers, this value depends on the megawatt output delivered, and in the case of hospitals on the number of annual inpatient treatment cases. However, the way these threshold values are determined repeatedly draws criticism, as is made clear, for example, in an interview with Holger Berens, CEO of the German Association for Critical Infrastructure Protection (BSKI).

Author: Uwe Sievers