The first draft bill of the Federal Ministry of the Interior (BMI) for the CRITIS umbrella law was sharply criticised by both business associations and society. The BMI responded at the end of 2023 by publishing a new, heavily revised draft bill, which is intended to implement the EU’s CER Directive and better protect critical infrastructures from analogue threats. The new draft addresses many of the points criticised in the first version. Comments could again be submitted until the end of January, and the resulting judgement is much more positive than for the previous version.
Among other things, the decision to no longer use the Federal Office of Civil Protection and Disaster Assistance (BBK) as the sole central supervisory authority was generally well received. Instead, in addition to the BBK, various federal and state authorities such as the Federal Network Agency (BNetzA), the Federal Financial Supervisory Authority (BaFin) and the Federal Office for Information Security (BSI) will assume sector-specific tasks. Although this is seen as a relief, industry associations fear confusion over responsibilities that could lead to duplicate regulation and additional work.
Furthermore, some associations have warned against overburdening operators of critical infrastructures with the implementation of the requirements of the CRITIS umbrella law. The Association of German Transport Companies (VDV) criticises, among other things, unreasonable measures which in the worst case could lead to the shutdown of entire systems, as implementing the required measures would not be economical at all.
In addition, the requirements of the CRITIS umbrella law are not harmonised with those of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which is intended to adapt the IT security requirements for important facilities and critical infrastructures to EU law in parallel. However, as the NIS2UmsuCG is not yet available, the effects of the CRITIS umbrella law, particularly with regard to specific areas of application and the distribution of roles among the supervisory authorities, are not yet foreseeable. Yet there are already some inconsistencies between the two laws, such as differently defined terms or contradictory obligations. Business organisations are therefore calling for a joint legislative procedure. In order to meet the deadlines set by the EU, both laws must come into force by October 2024. So far, the BMI has only published a discussion paper for the NIS2UmsuCG, but a new, complete draft bill, which was distributed to the ministries in January 2024, is expected to be submitted to the associations and federal states shortly.