• 07/17/2022
  • Industry News

Critical infrastructure: Stricter regulations and new requirements

At the beginning of the year, a new regulation came into force as a result of the revision of the IT Security Act. In this, the numerous requirements to be fulfilled by CRITIS operators were further tightened. While not all affected parties have implemented the current requirements by a long shot, new challenges are already appearing on the horizon at the EU level with the NIS2 and EU RCE directives.

Written by Thomas Philipp Haas

[Image: a paragraph symbol leaning against a blue wall. Photo: istockphoto/Rocco-Herrmann]
Stricter requirements and higher penalties, the notification of new systems and new EU requirements challenge operators of critical infrastructures in terms of regulation.

At the beginning of the year, a new German regulation came into force as a result of the new version of the IT Security Act. The numerous requirements to be fulfilled by CRITIS operators were further tightened; they were already demanding before the amendment. For example, the companies concerned must register with the Federal Office for Information Security (BSI) and designate a contact point that is available around the clock, seven days a week. They must identify CRITIS systems in their own operations and implement special measures for their critical components. Software and IT services that are necessary for the provision of a critical service can also count as facilities.

In addition, there are information and reporting obligations vis-à-vis the BSI. This includes listing all IT products that are important for the functionality of critical infrastructures. Precautions must be taken for these systems to comply with minimum security standards. Fines can be imposed for violations of the requirements. Since the amendment, affected companies face significantly higher penalties, which can now amount to up to 20 million euros.

CRITIS-light and NIS2 as new challenges

The IT Security Act 2.0 also affects companies that are not typical providers of critical infrastructure but are in the special public interest. These include arms manufacturers and "companies of considerable economic importance", which are primarily larger corporations. These organisations must also register with the BSI and name a responsible contact person. In addition, they are obliged to submit a self-declaration to the BSI on the security status of their systems at least every two years. Certifications or audits can come into play here. Otherwise, however, the requirements are not as strict as for CRITIS operators, which is why they are often referred to as CRITIS-light.

Recently, operators have had to notify the Federal Ministry of the Interior (BMI) before using new components in critical systems and submit a certification and a guarantee declaration from the supplier. This guarantee declaration must cover the manufacturer's entire supply chain. The BMI can refuse the use of these components if it determines that public security is impaired. An impairment may exist, for example, if the manufacturer is controlled by the government of a third country. This passage, known as the "Lex Huawei", was added after the debate about this manufacturer's 5G components and possible access by the Chinese government.

While not all stakeholders have implemented the current CRITIS requirements by a long shot, new challenges are already appearing on the horizon. At the EU level, NIS2 (Network and Information Security Directive) and EU RCE (Directive on the resilience of critical entities) are amendments to the previous NIS and ECI (European Critical Infrastructures) directives. It is expected that this will also result in stricter IT security requirements for the CRITIS sector. But before these regulations come into force in Germany, they must be implemented in national law.

Many more details can be found on the pages of the OpenKRITIS platform.

Author: Uwe Sievers