KRITIS-Dachgesetz (umbrella law for critical infrastructures)
  • Industry News
  • Management, Awareness and Compliance

KRITIS Dachgesetz (CER law) brings new duties, measures and consequences

The German KRITIS-Dachgesetz (CER law) imposes new obligations on operators of critical infrastructures, such as risk analysis, uniform registration with a central body or the appointment of a central contact person. According to a current draft law, the Federal Office of Civil Protection and Disaster Assistance and the Federal Office for Information Security will be jointly responsible in the future.

CER operators face a number of challenges under the German KRITIS-Dachgesetz (CER law). Fines are looming, but their amount is still entirely unclear.

Electricity and water supply, hospitals, banks and payment transactions, as well as public transport or waste disposal, all belong to the critical infrastructure (CER, in German KRITIS). Besides cyber attacks, this sector is threatened by a range of other hazards such as natural disasters, sabotage or fires. The federal government wants to strengthen resilience in this sector through an umbrella law that is also intended to harmonise the differing rules of the individual sectors and federal states, supported by additional measures. The responsible Federal Ministry of the Interior (BMI) works with threshold values and sets as a prerequisite that operators supply at least 500,000 inhabitants with their services.

First of all, however, the BMI, which is in charge, reserves extensive powers in the law to issue ordinances. For example, under certain conditions the BMI can exempt operators from certain obligations of the planned CER law by issuing exemption notices.

Registration, risk analysis and assessment 

The law is only available as a draft. However, it is already clear that operators will be subject to new obligations. One of these is an obligation to register with a new registration office, which is to be maintained jointly by the authorities responsible in future, the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI).

Further obligations arise with the registration. For example, every operator of a critical installation is obliged to carry out its own risk analyses and assessments. This is to be done for the first time nine months after registration and then periodically every four years. However, this is not intended to apply to all CER sectors; operators from the "finance and insurance" or "information technology and telecommunications" sectors, for example, are exempt from the obligation, as both are already regulated by other laws.

The draft law still contains many uncertainties. Operators of critical installations are obliged to take "appropriate and proportionate technical, security-related and organisational measures to ensure the necessary resilience". These measures are to correspond to the state of the art. More precise details are therefore still to be determined. Critical incidents must be reported to the competent authorities. This must include how many people are affected by the disruption, how long it is expected to last and the geographical area it covers. Furthermore, operators must name responsible contact persons to the BBK. 

New sanctions, new fines 

In case of violations of the requirements, the BBK can impose fines on the operators. However, the amount of the fines has not yet been determined. First of all, coordination with the Federal Ministry of Justice is necessary. Before a fine is imposed, the operator concerned is to be given a period of time to remedy the violations and comply with the obligations. The main obligations of the law are to come into force on 1 January 2026, the provision on fines only one year later. 

Author: Uwe Sievers 