2023-08-06

Police forces at Düsseldorf Airport after activists from the Last Generation group glued themselves to the airfield on July 13, 2023. © David Young/dpa

Nord Stream, hacker attacks, climate stickers on the tarmac: political interest in protecting critical infrastructure is higher than ever.

After the EU laid the groundwork in 2022, the German implementation laws are now following. However, the draft bills of the Federal Ministry of the Interior, which are currently in interdepartmental coordination, still offer plenty of material for discussion.

So far, only a few companies are directly obliged by law to take protective measures, and then primarily against threats from cyberspace. In the future, many more companies and authorities will have to protect what keeps the economy and society running. To this end, physical and digital security are now treated together in law.

The Kritis Umbrella Act and the NIS2 Implementation Act will oblige operators of so-called critical infrastructure to do significantly more in the future. Not only will they have to submit resilience plans, i.e. plans for keeping their systems running even in a crisis, but they will also have to comply with specific minimum standards and use specified reporting channels. In the future, this will also apply to new sectors such as armaments manufacturers and relevant space companies. Both projects were launched by the Federal Ministry of the Interior in mid-July and are due to go to the cabinet quickly after the summer break.

Thousands of companies have an obligation

With the Kritis umbrella law, around 3,000 companies have to present their plans to the Federal Office for Civil Protection and Disaster Assistance (BBK), for example how they want to protect against unauthorized access to systems or how they want to restart as quickly as possible in the event of a natural disaster. And with the NIS2 Implementation Act (NIS2 is the name of the EU network and information security directive on which the law is based), 29,000 companies and an as yet unspecified number of federal institutions must comply with minimum IT security standards.

The federal government and the EU are also concerned with recognizing when problems are getting bigger: whenever something happens, suspicious activity reports must be submitted to the responsible authorities. These can then be evaluated centrally and also passed on to the EU institutions.

Kritis operators face enormous additional costs

The Ministry of the Interior has calculated that the new cyber security legislation alone will mean additional costs of 1.65 billion euros per year for the economy. On top of that come one-time investment costs, which the BMI puts at 1.37 billion euros. The additional costs the economy will face under the Kritis umbrella law have not yet been calculated. But one thing is clear: this will not come for free either.

For Federal Minister of the Interior Nancy Faeser, however, the operators have an obligation here. It’s about how money is distributed. “If you think about security fees at airports, for example, then that must also be put into the protection of physical security, and not just in the budget of the airport operator,” Faeser told ARD.

Critical components are yet to be regulated

One of the biggest points of contention is not yet outlined more clearly in the two legislative proposals: the question of how to deal with critical components. These are operationally relevant plant parts – hardware or software – that come from suppliers who are not considered sufficiently trustworthy. The NIS2 implementation law still only contains the so-called China clause: the Federal Ministry of the Interior can prohibit mobile phone providers from using untrustworthy components. So far, the Federal Ministry of the Interior has only inserted an empty placeholder paragraph in the draft for the Kritis umbrella law.

Most recently, Federal Interior Minister Nancy Faeser asked mobile network providers about the use of components from Chinese manufacturers Huawei and ZTE. The corresponding regulations in the BSI Act are actually supposed to be revised and expanded – but what exactly is still open. Government circles currently consider it likely that the energy sector will be affected by a similar regulation. Similar considerations are also being made in the transport and logistics sector.

High penalties for violation of rules possible

New regulations should be in place by September. Then it could also become clear what repercussions classification as critical infrastructure will have on foreign investment projects, such as in the case of the Hamburg port terminal at Tollerort. Because the new rules are based on the criticality of individual plants rather than entire companies, a new, broader blocking effect could arise here, even beyond security legislation proper.

On the other hand, it is already clear today that operators who do not comply with the new regulations will face severe penalties in the future. In the case of cyber security, these can even amount to more than two percent of the previous annual turnover. Should operators persistently defy the instructions of the responsible Federal Office for Information Security (BSI) in Bonn, the BSI could also temporarily prohibit managing directors or other responsible persons from performing management tasks. The NIS2 Implementation Act is to apply from October 2024, the Kritis Umbrella Act from January 2026.