4 September 2023
The EU adopted the "CER" directive at the end of 2022, which is intended to contribute to the protection of critical digital infrastructure. The directive aims to strengthen the resilience of critical facilities against (non-cyber) threats. The directive will be implemented at the level of the member states, in Germany in the form of the CRITIS Umbrella Act (German), which is only available as a draft so far (the "Draft CRITIS Umbrella Act").
The law is to be passed by mid-2024, but companies have until 1 January 2026 to implement it.
The Act aims to bring together the regulations on the physical security of so-called "critical installations", "important entities" and "particularly important entities" under one roof. However, the draft currently only contains regulations for "critical installations". Which companies will actually be affected as "critical installations" remains to be seen and will be determined by a regulation yet to be issued (cf. sections 4, 15 Draft CRITIS Umbrella Act).
A central point of the draft is the set of new requirements for resilience measures. According to section 11 of the Draft CRITIS Umbrella Act, operators of critical installations are obliged to take appropriate and proportionate technical, security-related and organisational measures to ensure resilience. According to section 2 No. 6 Draft CRITIS Umbrella Act, resilience is to be understood as the ability of the operator of a critical installation to "prevent, protect against, respond to, avert, limit the consequences of, absorb, manage and recover from an incident".
These measures are to be based on risk analyses that operators must conduct, and they include, for example, the physical protection of the facilities, responses to incidents and measures to restore the facilities after incidents. Because the draft does not specify in detail how these measures are to be designed, operators are left with a certain degree of leeway in implementing them.
Operators must document all resilience measures in a resilience plan and submit it regularly to the Federal Office of Civil Protection and Disaster Assistance (BBK). The Office is authorised to check compliance with the resilience measures and to order additional measures if necessary.
The draft also provides for reporting obligations for operators of critical installations (section 12 Draft CRITIS Umbrella Act). They must report incidents that may significantly affect their critical services to a body established by the BBK and the Federal Office for Information Security. In the event of an incident, an initial report must be made within 24 hours and a detailed report within one month.
There is a catalogue of violations of the law that are subject to fines, although the exact fines have not yet been specified (section 19 Draft CRITIS Umbrella Act).
The Draft CRITIS Umbrella Act places great emphasis on risk management and on the obligation to report significant security incidents. However, the draft does not (yet) contain a list of the required measures. In this respect, operators are likely to be left with a great deal of discretion. The measures to be considered by operators of critical installations pursuant to section 11(1) Draft CRITIS Umbrella Act may include in particular:
by Dr. Nicolai Wiegand, LL.M. (NYU) and Alexander Schmalenberger, LL.B.