KRITIS: Companies should be aware of these EU directives
In this article, we have explained the importance of secure and reliable IT structures for improving the resilience of companies. In order to best protect a company against cyber attacks, cyber security must be understood as a holistic approach that includes the entire information technology (IT) and operational technology (OT).
With EU Directives 2022/2557 and 2022/2555, the European Union launched two key decisions at the beginning of 2024. The so-called KRITIS umbrella law implements the EU RCE Directive (EU-RCE, EU 2022/2557) in Germany and defines additional obligations (reporting obligations, BCM, physical security, personnel and crisis management) for operators of critical facilities. In parallel to the KRITIS Umbrella Act, the NIS2 Implementation Act implements the new EU NIS2 Directive (EU 2022/2555) on cybersecurity in Germany. The existing KRITIS regulation will be replaced; both new laws are due to come into force in October 2024.
KRITIS-relevant terms
What are KRITIS companies? Who is classified as a KRITIS operator?
According to the German Federal Office for Information Security (BSI): "Critical infrastructures are organizations or facilities that are important for the state community and whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences."
Two terms are frequently mentioned in the context of IT security:
What is cyber resilience?
Cyber resilience encompasses all preventive measures taken by KRITIS companies against cyber attacks, together with appropriate responses that limit or avoid negative consequences. For KRITIS operators specifically, this means all measures that help to maintain operations or to resume them quickly after a cyber incident. For example, companies whose logistics exceed a certain threshold (see Annex 7 KRITISV) are obliged under the IT Security Act to protect their IT systems, IT components and IT processes, and must provide evidence of this to the BSI. In addition, all KRITIS operators are obliged to report incidents, which also helps to contain them. Effective protective measures include business continuity strategies and backup and recovery systems, such as those implemented by ASTRUM IT.
What is cybersecurity?
All measures to protect network and information systems fall under the term cybersecurity. This includes organizational issues such as the harmonization of security requirements, personnel issues such as the provision of suitable IT specialists and technical issues such as hardened network architectures with secure access and patch and update management, as is standard at ASTRUM IT. These measures must be implemented in the context of corresponding compliance requirements and defined processes and responsibilities. Cybersecurity at KRITIS operators pursues an overarching goal: to protect the company and maintain its ability to act, thereby further securing the supply chain.
Why were KRITIS and NIS2 extended? The background.
Critical infrastructures (KRITIS) have fallen victim to cyber attacks more and more frequently in the past. Rising levels of digitalization worldwide and increasing interconnection intensify the dynamics and complexity of cyber incidents. The BSI's report "The State of IT Security in Germany 2023" speaks of almost 70 new vulnerabilities in software products being discovered every day (!), around 25 percent more than in the previous reporting period. Small and medium-sized enterprises (SMEs) and, in particular, local authorities and municipal companies were affected disproportionately often.
This is one of the reasons why the KRITIS umbrella law and the EU NIS2 implementation have now been expanded to include companies from almost all sectors, taking into account possible links in the value chain.
Is KRITIS mandatory for our company?
We are happy to advise you on Tel. 0911/81510-0.
A possible interface for such a link is also visitor management, which has long been established in research, the defense industry, the financial sector and the pharmaceutical industry. ASTRUM IT increases cyber resilience by linking the operational and physical areas of these companies using the VISIT application. It enables companies to strictly monitor visitors, records and checks their ID documents and increases cyber resilience in companies through specially developed company-specific approval procedures for particularly sensitive areas, for example.
Yard management, which many companies use to manage, monitor and control their logistics activities, is another such interface.
KRITIS creates the framework for establishing cyber resilience and cyber security in these companies. The amended conditions of the KRITIS Umbrella Act and the NIS2 Implementation Act also significantly increase the number of affected companies in Germany: whereas an estimated 2,000 companies were previously subject to KRITIS requirements, this number is now rising to an estimated 30,000.
How do I increase my cyber resilience?
Call 0911/81510-0 for answers.
KRITIS: What's new in sectors, industries and companies?
According to the legislation published by the Federal Office of Justice[1], the KRITIS umbrella law now affects the following companies, which the independent OpenKRITIS platform clusters as follows:
1. KRITIS operators[2] evaluate whether individual facilities are affected according to the KRITIS Ordinance.
   The sectors affected are: energy, transportation and traffic, finance and insurance, health, drinking water and wastewater, food, IT and TC, space, waste disposal.
2. Particularly important facilities (by company size) in NIS2 sectors (no. 1)
   - Companies with 250 or more employees, or
   - Companies with a turnover of EUR 50 million or more and a balance sheet total of EUR 43 million or more
   - Special cases (excerpt): TC providers, critical facilities, central governments
   Affected are: large companies from the energy, transport and traffic, finance and insurance, health, drinking water and wastewater, IT and TC and space sectors, as well as special cases such as central governments or TC networks/services.
3. Important facilities (by company size in NIS2 sectors 1 and 2)
   - Companies with 50 or more employees, or
   - Companies with a turnover of EUR 10 million or more and a balance sheet total of EUR 10 million or more
   - Trust services
   Affected are: medium-sized companies from the energy, transport and traffic, finance and insurance, health, drinking water and wastewater, IT and telecommunications, space, postal and courier, waste disposal, chemicals, food, manufacturing, digital services and research sectors.
Dependencies through digitalization
Today, digitalization stands for the increasing interdependence of different sectors, which creates dependencies. For example, energy suppliers often determine a customer's consumption via remote reading, and water suppliers depend on energy suppliers in order to distribute water at all. Such dependencies increase the risk of critical infrastructures failing. What's more, a failure in one sector leads to failures in other sectors: the domino effect[3] sets in. If the failure in one sector leads to far greater consequences in another sector, this is known as a cascade effect.
Against this backdrop, the KRITIS umbrella law brings all sectors together under one roof for the first time and formulates a framework for risks that can be caused by natural events, human error or sabotage in an "all-hazards approach"[4].
The UP KRITIS has established a public-private cooperation between operators of critical infrastructures, associations and the responsible government agencies. Authors from various UP KRITIS committees regularly publish valuable information on the BSI website. For example, there are checklists on possible contractual arrangements and content regulations for the use of cloud services, such as those offered by IT companies like ASTRUM IT.
Would you like to find out more?
- Read how cyber security and cyber resilience can also be realized in your company with a lot of public traffic and access to many external service providers. Details here.
- Get to know the cybersecurity weak points within your logistics processes and what solutions are available. Details here.
- Find out why KRITIS is so important to us here.
Sources:
[1] https://www.gesetze-im-internet.de/bsi-kritisv/BJNR095800016.html
[2] KRITIS operators evaluate the impact of individual systems in accordance with the KRITIS Regulation. Whether a company is a KRITIS operator can be determined using the so-called KRITIS methodology.
[3] https://www.bbk.bund.de/DE/Themen/Kritische-Infrastrukturen/KRITIS-Gefa…
[4] All-hazards approach: consideration of all types of hazards (e.g. natural hazards, technological hazards, etc.) as part of risk and crisis management.