With the EU Directives EU 2022\/2557 and EU 2022\/2555, the European Union launched two key decisions at the beginning of 2024. EU 2022\/2557 deals with the implementation of the EU Directive EU-RCE in the so-called KRITIS umbrella law<\/strong>. This defines additional obligations (reporting obligations, BCM, physical security, personnel and crisis management) for operators of critical facilities. In parallel to the KRITIS Umbrella Act, the NIS2 Implementation Act<\/strong> implements the new EU NIS2 Directive (EU 2022\/2555) for cybersecurity in Germany. The existing KRITIS regulation will be replaced; the two new laws will come into force in October 2024.<\/p>\n<\/div> According to the German Federal Office for Information Security (BSI): “Critical infrastructures are organizations or facilities that are important for the state community and whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences.”<\/em><\/p>\n Two terms are frequently mentioned in the context of IT security:<\/p>\n<\/div><\/div><\/div> Cyber resilience encompasses all preventive measures in KRITIS companies against cyber attacks and appropriate responses to limit or avoid negative consequences. Specifically for CRITIS operators, this means all measures that help to maintain or quickly resume operations after a cyber incident. For example, companies whose logistics exceed a certain threshold (see Annex 7 KRITISV) are obliged under the IT Security Act to protect their IT systems, IT components and IT processes – and have a duty of proof to the BSI. In addition, all KRITIS operators have a reporting obligation in the event of an incident, also in order to limit it. Effective protective measures include business continuity strategies and backup and recovery systems, such as those implemented by ASTRUM IT.<\/p>\n<\/div><\/div><\/div> All measures to protect network and information systems fall under the term cybersecurity. This includes organizational issues such as the harmonization of security requirements, personnel issues such as the provision of suitable IT specialists and technical issues such as hardened network architectures with secure access and patch and update management, as is standard at ASTRUM IT. These measures must be implemented in the context of corresponding compliance requirements and defined processes and responsibilities. Cybersecurity at KRITIS operators pursues an overarching goal: to protect the company and maintain its ability to act, thereby further securing the supply chain.<\/p>\n<\/div><\/div><\/div><\/div><\/div> Critical infrastructures (KRITIS) have fallen victim to cyber attacks more and more frequently in the past. The rising level of digitalization worldwide and increasing networking are increasing and intensifying the dynamics and complexity of cyber incidents. The BSI’s report on the “State of IT security in Germany 2023” speaks of almost 70 new vulnerabilities in software products that are discovered every day (!). That is around 25 percent more than in the previous reporting period. Small and medium-sized enterprises (SMEs) and, in particular, local authorities and municipal companies were affected disproportionately often.<\/p>\n This is one of the reasons why the KRITIS umbrella law and the EU NIS2 implementation have now been expanded to include companies from almost all sectors, taking into account possible links in the value chain.<\/p>\n<\/div><\/div><\/div><\/div><\/div> Is KRITIS mandatory for our company?<\/p>\n We are happy to advise you on Tel. 0911\/81510-0<\/a>.<\/span><\/strong><\/p>\n<\/div>![](\"https:\/\/visit.astrum-it.de\/wp-content\/uploads\/2025\/03\/kritis-intro-en-scaled.jpg\" "\\"kritis-intro-en\\"")
<\/span><\/div><\/div><\/div><\/div><\/div>KRITIS relevant terms<\/h2>\n
What are KRITIS companies? Who is classified as a KRITIS operator?<\/h4>\n
What is cyber resilience?<\/h3>\n
What is cybersecurity?<\/h3>\n
Why were KRITIS and NIS2 extended? The background.<\/h2>\n