Send message to

Do you want to send the message without a subject?
Please note that your message can be maximum 1000 characters long

Your message has been sent

You can find the message in your personal profile at "My messages".

An error occured

Please try again.

Make an appointment with

So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.

Create an onsite appointment with

So that you can make an onsite appointment, the appointment request will open in a new tab.

icon paragraph istockphoto/Rocco-Herrmann
  • Industry News
  • Management, Awareness and Compliance

Critical infrastructure: Stricter regulations and new requirements

At the beginning of the year, a new regulation came into force as a result of the revision of the IT Security Act. In this, the numerous requirements to be fulfilled by CRITIS operators were further tightened. While not all affected parties have implemented the current requirements by a long shot, new challenges are already appearing on the horizon at the EU level with the NIS2 and EU RCE directives.

Stricter requirements and higher penalties, the notification of new systems and new EU requirements challenge operators of critical infrastructures in terms of regulation.

At the beginning of the year, a new German regulation came into force as a result of the new version of the IT Security Act. The numerous requirements to be fulfilled by CRITIS operators were further tightened. These were already not without difficulty. For example, the companies concerned must register with the Federal Office for Information Security (BSI) and designate a contact point that is available around the clock, seven days a week. They must identify CRITIS systems in their own operations and implement special measures for their critical components. Software and IT services that are necessary for the provision of a critical service can also be counted as facilities.

In addition, there are information and reporting obligations vis-à-vis the BSI. This includes listing all IT products that are important for the functionality of critical infrastructures. Precautions must be taken for these systems to comply with minimum security standards. Fines can be imposed for violations of the requirements. Since the amendment, affected companies face significantly higher penalties, which can now amount to up to 20 million euros.


CRITIS-light and NIS2 as new challenges

The IT Security Act 2.0 also affects companies that are not typical providers of critical infrastructure but are in the special public interest. These include arms manufacturers and "companies of considerable economic importance", which are primarily larger corporations. These organisations must also register with the BSI and name a responsible contact person. In addition, they are obliged to submit a self-declaration to the BSI on the security status of their systems at least every two years. Certifications or audits can come into play here.
Otherwise, however, the requirements are not as strict as for CRITIS operators, which is why they are often referred to as CRITIS-light.

Recently, operators have had to notify the Federal Ministry of the Interior (BMI) before using new components in critical systems and submit a certification and a guarantee declaration from the supplier. This guarantee declaration must cover the entire supply chain of the manufacturer. The BMI can refuse the use of these components if it determines that public security is impaired. An impairment may exist if the manufacturer is controlled by the government of a third country, for example. This passage, known as the "Lex Huawei", was added after the debate about 5G components of this manufacturer and possible access possibilities of the Chinese government.

While not all stakeholders have implemented the current CRITIS requirements by a long shot, new challenges are already appearing on the horizon. At the EU level, NIS2 (Network and Information Security Directive) and EU RCE (Directive on the resilience of critical entities) are amendments to the previous NIS and ECI (European Critical Infrastructures) directives. It is expected that this will also result in stricter IT security requirements for the CRITIS sector. But before these regulations come into force in Germany, they must be implemented in national law.

Many more details can be found on the pages of the OpenKRITIS platform.

Author: Uwe Sievers