KRITIS Umbrella Act
Alongside the NIS 2 Directive, the EU CER Directive (Critical Entities Resilience) came into force in January 2023. As with NIS 2, the deadlines require implementation by the EU member states by 17.10.2024, and CER is to be applied within the EU from 18.10.2024. The KRITIS Umbrella Act is the implementation law of the CER in Germany. Dated 17.07.2023, a draft bill has been published and is now going into departmental consultation. It is an independent law, i.e. not an article law like e.g. the NIS 2 Implementation Act. The primary supervisory authority will be the Federal Office of Civil Protection and Disaster Assistance (BBK).
The KRITIS Umbrella Act is intended to strengthen the resilience of critical facilities according to the all-hazards approach. In contrast to the NIS 2 Implementation Act, which is intended to strengthen the IT security of critical facilities, the KRITIS Umbrella Act is intended to strengthen the physical protection of these facilities and their resilience. It thus complements the NIS 2 Implementation Act.
Operators of critical facilities, which are defined by legal ordinance in analogy to the IT Security Act, must conduct a risk analysis and assessment for the first time 9 months after registration of a facility and every 4 years thereafter. All natural, climatic and man-made risks affecting economic stability must be taken into account. Based on these risk analyses, operators of critical facilities must implement appropriate and reasonable technical, safety-related and organisational measures to ensure their resilience in accordance with the state of the art. These measures cover the areas of BCM/emergency management, physical security, personnel and risk/crisis management, are to be documented in a resilience plan and proven to the BBK every two years.
Malfunctions must be reported immediately to the BBK by operators of critical facilities. In addition, the KRITIS Umbrella Act includes fines, which are not yet quantified in the current draft bill (as of 17.07.2023). The essential obligations for operators of critical facilities, e.g. risk analyses and implementation of measures, are not to come into force until 01.01.2026, and the provisions on fines are to come into force one year later. This means that a not inconsiderable transitional period is currently planned.
The requirements of the KRITIS Umbrella Act only apply to operators of critical facilities. However, important and particularly important facilities (cf. NIS 2) are permitted to implement these requirements voluntarily. The legal ordinance defining critical facilities is to be the same for the KRITIS Umbrella Act and the NIS 2 Implementation Act in order to create a uniform regulatory framework.