The German KRITIS-Dachgesetz (CER law) imposes new obligations on CER operators, such as uniform registration with a central office. According to a current draft law, the Federal Office of Civil Protection and Disaster Assistance and the Federal Office for Information Security will be jointly responsible for this.
KRITIS Dachgesetz (CER law) brings new duties, measures and consequences
CER operators face various challenges with the German KRITIS-Dachgesetz (CER law). Fines are looming, but their amount is still completely unclear.
Electricity and water supply, hospitals, banks and payment transactions, public transport and waste disposal all belong to the critical infrastructure (CER, in German KRITIS). Besides cyber attacks, this sector is threatened by various other dangers such as natural disasters, sabotage or fires. The federal government wants to strengthen resilience in this sector through an umbrella law that is also intended to harmonise the differing rules of the individual sectors and federal states. This is to be achieved, or at least flanked, by additional measures. The responsible Federal Ministry of the Interior (BMI) works with threshold values and requires, as a prerequisite, that operators supply at least 500,000 inhabitants with their services.
First of all, however, the BMI, as the ministry in charge, secures itself extensive powers in the law to issue ordinances. For example, under certain conditions the BMI can exempt operators from certain obligations of the planned CER law by issuing exemption notices.
Registration, risk analysis and assessment
The law is only available as a draft. However, it is already clear that operators will be subject to new obligations. One example is an obligation to register with a new registration office, which is to be maintained jointly by the authorities responsible in future, the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI).
Further obligations follow from registration. For example, every operator of a critical installation is obliged to carry out its own risk analyses and assessments, for the first time nine months after registration and then periodically every four years. This is not intended to apply to all CER sectors, however: operators from the "finance and insurance" or "information technology and telecommunications" sectors, for example, are exempt from this obligation. Both sectors are, however, already regulated by other laws.
The draft law still contains many uncertainties. Operators of critical installations are obliged to take "appropriate and proportionate technical, security-related and organisational measures to ensure the necessary resilience". These measures are to correspond to the state of the art; more precise details therefore remain to be determined. Critical incidents must be reported to the competent authorities. The report must state how many people are affected by the disruption, how long it is expected to last and the geographical area it covers. Furthermore, operators must name responsible contact persons to the BBK.
New sanctions, new fines
In the event of violations of the requirements, the BBK can impose fines on operators. However, the amount of the fines has not yet been determined; coordination with the Federal Ministry of Justice is required first. Before a fine is imposed, the operator concerned is to be given a period of time to remedy the violations and comply with the obligations. The main obligations of the law are to come into force on 1 January 2026, the provision on fines only one year later.
Author: Uwe Sievers