For the eco – Association of the Internet Industry, today’s decision by the German federal government on the KRITIS Umbrella Act (KRITISDachG) is an important step towards further strengthening the protection of critical infrastructures in Germany. Having passed the Federal Cabinet, the law introduces new requirements for physical protection of important and critical facilities. However, since the NIS2 Implementation Act (NIS2UmsuCG) was already passed in July and is currently moving through the parliamentary process, the Internet industry emphasises the need for clear delimitations and calls for regulation without overlaps in order to avoid duplicate structures.
Klaus Landefeld, eco Board Member, commented: “It must be ensured that providers that are already regulated by other laws are not subject to additional obligations or double supervision as a result of the KRITIS Umbrella Act. However, the current draft act does not completely eliminate this risk, as the telecommunications and IT sector remains partially covered by the law.”
For the Internet industry, including data centre operators and cloud service providers, comprehensive legal requirements already exist under the NIS2UmsuCG, as well as for the telecommunications sector under the German Telecommunications Act (TKG). Companies in the industry are concerned that the responsibilities specified in the law, such as those related to the joint operation of a reporting portal, are not distributed clearly enough and could lead to overlaps between the Federal Office of Civil Protection and Disaster Assistance (BBK), the Federal Office for Information Security (BSI) and the German Federal Network Agency (BNetzA).
“The Internet industry needs a clearly defined and coherent regulatory framework to provide services efficiently,” added Landefeld. “We expressly welcome the alignment between the NIS2 Implementation Act to strengthen cybersecurity and the Critical Infrastructures (KRITIS) Umbrella Act to establish industry-specific security standards. However, uniform and transparent supervisory structures are also essential here – after all, this is a declared goal of European harmonisation, which is the aim of the NIS2 Directive and will also be achieved by the recently published implementing act, at least for digital service providers.”
eco therefore continues to advocate a regulatory strategy that sets clear boundaries between existing and new regulations in order to avoid uncertainty for companies and to sustainably strengthen the protection of critical infrastructures in Germany.