Critical infrastructure refers to areas that are particularly important for supplying the population. Operators of the associated facilities are to be obliged by law to take special precautions.
In order to ensure that the population is supplied with electricity, drinking water and other essential goods at all times, stricter legal protective regulations are to apply in future for facilities of the so-called critical infrastructure. This affects both state institutions and private companies of a certain size, such as energy suppliers or airport operators.
The draft for the so-called KRITIS umbrella law sent by the Federal Ministry of the Interior to the other government departments also provides for fines for operators of critical infrastructure who do not meet their obligations to secure systems and business operations in good time. A very broad concept of security is used as a basis, ranging from alarm chains and protecting systems against heavy rain or forest fires to the purchase of emergency power generators.
Critical infrastructure within the meaning of the law includes eleven sectors: energy, transport and traffic, finance and insurance, public administration, health, nutrition, drinking water, waste water, municipal waste disposal, information technology and telecommunications, and space.
Law serves as a supplement
All major operators of critical infrastructure must meet the requirements of the planned new law once the KRITIS umbrella law has been passed. Specifically, these are facilities that are needed to supply at least 500,000 people, such as large hospitals or mobile phone network operators.
The Federal Office for Civil Protection and Disaster Assistance (BBK) in Bonn is intended to play a central role in registration and advice. A picture of the situation is also to be compiled there. It would then be noticed, for example, if there were failures or acts of sabotage in a certain sector or in several regions.
The new law supplements existing regulations such as the Drinking Water Ordinance or certain DIN standards. It applies to a slightly larger group of companies than the IT Security Act, which already obliges companies in critical infrastructure to report attacks on their IT systems to the Federal Office for Information Security (BSI).
The draft law contains only general, not precise, specifications on specific security issues, such as preventing unknown persons from accessing KRITIS facilities like airports or waterworks. For example, the operators can decide for themselves how high they want their fences and walls to be, or whether they prefer to use video cameras and security guards.
Also adaptation to climate change
After the airport blockades by activists from the Last Generation group last week, Federal Interior Minister Nancy Faeser (SPD) said that there would soon be standards for the operators of critical infrastructure. “This also includes the airports, and that will continue to lead to a special level of security at the airports.”
Measures to adapt to climate change are part of the specifications provided for in the draft law. In order to avert incidents and limit the consequences of such incidents, the KRITIS companies are also required to establish fixed procedures for the event of an alarm.
Much to clarify
The law, which would also implement an EU directive on the protection of critical infrastructure, is to be passed in the cabinet before the end of this year. Until then, however, some gaps in the draft still have to be closed.
For example, the compliance costs for the economy, i.e. a qualified estimate of the additional costs the law will cause for the companies concerned, are not yet quantified. The amount of the fines is also still open.
The specifications for the “use of critical components” have not yet been spelled out. This involves components and products for which faults or a lack of availability can lead to significant impairments in the functionality of the critical infrastructure or even endanger public safety.
In 2020, the EU Commission recommended keeping providers that it considered risky, such as the Chinese company Huawei, out of core areas of telecommunications networks. As can be seen from a letter from the Federal Ministry of the Interior to the network operators that became known in March, the ministry believes that components from Huawei and ZTE may affect public order and security in Germany.
Therefore, all critical – i.e. safety-relevant – parts that are already installed in the mobile network should be subjected to an inspection. So far, this testing obligation has applied only to critical parts that were newly installed.
In order to meet the EU requirements (CER Directive), the KRITIS umbrella law would have to come into force by October 2024 at the latest. The measures mentioned in the draft, which are intended to make critical infrastructure facilities more resilient, should therefore be implemented by January 1, 2026. According to the draft, the fine regulations would then come into force one year later.
The deputy chairman of the Greens parliamentary group, Konstantin von Notz, criticized the fact that the draft for the law is already circulating, but the parliamentary groups have not yet received it. He explained: “For us, it is imperative, among other things, to finally resolve the existing confusion of responsibilities for the protection of our critical infrastructures, to create clear responsibilities and to avoid that there is even more ambiguity caused by more actors.” In addition, it is imperative to coordinate with the EU directives presented at the same time.
Source: Stern
