KRITIS-Dachgesetz (CER law) aims to improve security - and throws up surprises

Under a plan currently being discussed, the Federal Office of Civil Protection and Disaster Assistance and the Federal Office for Information Security are to assume joint responsibility for the protection of critical infrastructures in the future. Accordingly, the BSI is to be responsible for the cyber security of KRITIS operators. Although the focus on the sector meets with approval, associations express concern, for example that state-specific peculiarities will remain, or about the expected costs.

The draft of the German KRITIS-Dachgesetz (CER law) causes surprises. The Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI) are to assume joint responsibility in the future. 

German KRITIS-Dachgesetz aims to improve security - and causes surprises 

The draft KRITIS-Dachgesetz (CER law) is supposed to create uniform rules, but it still contains many ambiguities. Associations fear regulatory excesses.

The coalition agreement already provided for an improvement of the protection of critical infrastructure (CER, in German KRITIS), which was to be implemented by a separate law. With the KRITIS-Dachgesetz for critical infrastructure, it is planned to create uniform federal and cross-sectoral specifications for the first time in order to identify critical facilities and increase physical resilience through corresponding measures and minimum standards. This was taken up again in the federal government's cyber security agenda, with the aim of implementing this project by the

The responsible Federal Minister of the Interior, Nancy Faeser, described the project as follows: "With the KRITIS-Dachgesetz, we want to achieve the future strengthening of the resilience of critical infrastructures". This is by no means only about cyber security. "This will better protect critical infrastructures from all conceivable risks that can be caused by nature or humans: be it a storm, human error or an act of sabotage," Faeser explained in this regard. 

This topic was not put on the agenda of the Federal Ministry of the Interior without reason, as it also concerns the implementation of the EU directive on "Critical Entities Resilience" (CER). This directive requires all member states to develop a national strategy to strengthen the resilience of critical infrastructure and to regularly conduct a risk assessment. 

Surprising division of responsibility between BBK and BSI 

A key points paper on the KRITIS-Dachgesetz was already adopted in December. But first the responsibilities had to be clarified. A tussle between the federal and state governments was to be avoided, and the federal authorities and supervisory bodies were to be assigned clear roles and responsibilities. It came as a surprise that the Federal Office of Civil Protection and Disaster Assistance (BBK) is to assume a prominent position. Insiders doubt that the office is equipped for this task and has the necessary staff. Allegedly, the BBK does not even have an overview of which operators actually belong to the critical infrastructure. Accordingly, the first goal in the adopted key points paper is: "Critical infrastructures are clearly identified". Furthermore, according to the current status, a division of tasks between the BSI and the BBK is planned, under which the BBK is to supervise the physical security and the BSI the cyber security of the CER operators.

Demands of the associations 

At the end of July, a corresponding bill was published, which is now with the ministries for so-called departmental coordination. Associations and CER operators expressed their displeasure. At an early stage, they pleaded for a balance "between economic efficiency and probability of risk occurrence", which probably translates as "it should cost as little as possible". However, this wish is unlikely to come true.

The Association of Municipal Enterprises (VKU), for example, criticises the lack of prioritisation of particularly relevant installations and at the same time welcomes the focus on the existing CER sector. Furthermore, it fears that it might not be possible to unify the different regulations in the federal states and at the federal level, so that state-specific adaptations remain. 

The Association of the Internet Industry, eco, is also critical and fears double regulation and legal uncertainties. Board member Klaus Landefeld said in a press release: "For the internet industry, the specifications made with the KRITIS-DachG are more likely to cause confusion than benefit". Many points are still unclear, but the schedule of the Federal Government foresees the passing of the law this year. 

Author: Uwe Sievers 
