The EU adopted the "CER" directive at the end of 2022, which is intended to contribute to the protection of critical digital infrastructure. The directive aims to strengthen the resilience of critical facilities against (non-cyber) threats. The directive will be implemented at the level of the member states, in Germany in the form of the CRITIS umbrella Act (German), which is only available as a draft so far (the “Draft CRITIS Umbrella Act”).
The law is to be passed by mid-2024, but companies have until 1 January 2026 to implement it.
Scope of application - Uniform framework
The Act aims to bring together the regulations on the physical security of so-called "critical installations", "important entities" and "particularly important entities" under one roof. However, the draft currently only contains regulations for "critical installations". Which companies will actually be affected as "critical installations" remains to be seen and will be determined by a regulation yet to be issued (cf. sections 4, 15 Draft CRITIS Umbrella Act).
Resilience measures and resilience plans
A central point of the draft are new requirements for resilience measures. According to Section 11 of the Draft CRITIS Umbrella Act, operators of critical installations are obliged to take appropriate and proportionate technical, security-related and organisational measures to ensure resilience. According to section 2 No. 6 Draft CRITIS Umbrella Act, this is to be understood as the ability of the operator of a critical installation to "prevent, protect against, respond to, avert, limit the consequences of, absorb, manage and recover from an incident".
These measures are based on risk analyses which are to be conducted and include, for example, the physical protection of the facilities, reactions to incidents and measures to restore the facilities after incidents. Due to the lack of detailed specifications in the draft on the design of these measures, the operators are left with a certain degree of leeway on how to implement these measures.
Operators must document all resilience measures in a resilience plan and submit it regularly to the Federal Office of Civil Protection and Disaster Assistance (BBK). The Office is authorised to check compliance with the resilience measures and to order additional measures if necessary.
Reporting requirements
The draft also provides for reporting obligations for operators of critical installations (section 12 Draft CRITIS Umbrella Act). They must report incidents that may significantly affect their critical services to a body established by the BBK and the Federal Office for Information Security. In the event of an incident, an initial report must be made within 24 hours and a detailed report within one month.
Sanctions
There is a catalogue of violations of the law that are subject to fines, although the exact fines have not yet been specified (section 19 Draft CRITIS Umbrella Act).
What to do now - Risk management according to the Draft CRITIS Umbrella Act
The Draft CRITIS Umbrella Act places great emphasis on risk management and the obligation to report significant security incidents. However, the draft does not (yet) contain a list of the required measures. In this respect, operators are likely to be left with a great deal of discretion.
The measures to be considered in the consideration by the operator of critical installations pursuant to section 11(1) Draft CRITIS Umbrella Act may include in particular:
- To prevent the occurrence of incidents: Emergency preparedness measures, climate change adaptation measures
- To ensure adequate physical protection of their premises and critical infrastructure: physical protection measures, perimeter surveillance tools and procedures, detection devices, access controls.
- To respond to and avert incidents and limit the consequences of such incidents: Risk and crisis management procedures and protocols, predefined procedures in the event of an alarm.
- To ensure recovery after incidents: measures to maintain operations (e.g. emergency power supply), identification of alternative supply chains to resume provision of essential services.
- To ensure adequate security management with regard to staff: defining categories of staff performing critical functions, defining access rights to premises, critical infrastructure and to sensitive information, considering procedures for background checks and designating categories of staff to undergo such background checks, defining appropriate training requirements and qualifications.
- To raise the awareness of relevant staff with respect to the measures mentioned in points (a) to (e): Training, information material, exercises.