KRITIS Umbrella Act
Alongside the NIS 2 Directive, the EU CER Directive (Critical Entities Resilience) came into force in January 2023. As with NIS 2, the deadlines require implementation by the EU member states by 17.10.2024, and CER is to be applied within the EU from 18.10.2024. The KRITIS Umbrella Act is the implementation law of the CER in Germany. A draft bill was last published on 21 December 2023, but from today’s perspective it is doubtful that it will come into force on time, just as with NIS-2. It is an independent law, i.e. not an article law like the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). The primary supervisory authority will be the Federal Office of Civil Protection and Disaster Assistance (BBK).
The KRITIS Umbrella Act is intended to strengthen the resilience of critical facilities according to the all-hazards approach. In contrast to the NIS2UmsuCG, which is intended to strengthen the IT security of critical facilities, the KRITIS Umbrella Act is intended to strengthen the physical protection of these facilities and their resilience. It thus complements the NIS2UmsuCG. However, all legal ordinances relating to the KRITIS Umbrella Act and NIS2UmsuCG are to be coordinated.
Operators of critical facilities, which are defined by legal ordinance in analogy to the IT Security Act, must conduct a risk analysis and assessment for the first time 9 months after registration of a facility and every 4 years thereafter. This risk analysis will be based on a national risk analysis, which has to be provided by the BBK for the first time by 17 January 2026. All natural, climatic and man-made risks affecting economic stability must be taken into account. Based on these risk analyses, operators of critical facilities must implement appropriate and reasonable technical, safety-related and organisational measures to ensure their resilience in accordance with the state of the art. These measures cover the areas of BCM/emergency management, physical security, personnel and risk/crisis management and they are to be documented in a resilience plan.
Incidents must be reported immediately to the supervisory authority by the operator of critical facilities. In addition, the KRITIS Umbrella Act provides for fines, although these have not yet been quantified in the latest draft bill. Finally, the KRITIS Umbrella Act includes obligations and liability for management analogous to the NIS2UmsuCG.
The essential obligations for operators of critical facilities, e.g. risk analyses and implementation of measures, are not to come into force until 01.01.2026. This means that a not inconsiderable transitional period is currently planned.
The requirements of the KRITIS Umbrella Act only apply to operators of critical facilities. The legal ordinance in which critical facilities are defined should be the same for the KRITIS Umbrella Act and the NIS-2 Implementation Act in order to create a standardised regulatory framework.
We offer you a special range of services. Contact us.