Federal KRITIS Legislation: A Plethora of Doubts among the Affected

The wave of legislation on critical infrastructures has raised many questions among those affected. The Federal Ministry of the Interior recently submitted two draft laws, the KRITIS Umbrella Act and the NIS2 Implementation Act, to the federal government for an internal vote. The KRITIS Umbrella Act introduces mandatory standards for approximately 2,000 companies on how they must protect critical infrastructures. The NIS2 Implementation Act will expand the number of affected bodies to approximately 29,000. Associations are concerned about the lack of clear regulations and the short implementation deadlines.

Klaus Landefeld from the Internet industry association Eco demands a clearly defined scope and clearly defined target groups for the legislation. Companies that were not previously affected need legal certainty and sufficient time for implementation. The NIS2 Implementation Act is scheduled to come into force in October 2024, but crucial details are yet to be determined.

The association of municipal companies raises concerns about a systematic change in focus from cyber security systems to purchasing equipment. Currently, the focus is on systems and networks required for critical services. However, NIS2 expands the scope to include equipment purchases, potentially affecting the entire company, including non-operational critical areas. This poses a challenge for the planned KRITIS Umbrella Act.

The responsibility for implementing the EU NIS2 Directive lies with the central governments, while the federal states must issue their own regulations for IT security in states and municipalities. Preparatory work is already underway for this at the state level, with Hesse planning to amend its IT Security Act to meet the requirements of NIS2.

The Federal Ministry of the Interior deviates from the NIS2 Directive in its proposal for the KRITIS Umbrella Act by appointing the Federal Office for Civil Protection and Disaster Assistance (BBK) as the competent authority for large-scale cyber security incidents and crises. This choice raises questions, as the BBK is not experienced in cyber matters.

The issue of testing system-critical components for communication networks remains unresolved. The federal government expressed the need to review and potentially adapt relevant laws, but the draft laws do not provide clear details on how critical components will be monitored and potentially prohibited.

Overall, there are many unanswered questions and concerns among those affected by the KRITIS legislation. Associations and stakeholders are calling for clear regulations, a defined scope, and sufficient time for implementation. The issue of testing and monitoring critical components also requires further attention and clarification.
