German Federal Minister of the Interior Nancy Faeser intends to encourage the companies involved in critical infrastructures (KRITIS) in Germany to adopt uniform protection standards. Tomorrow, the German Federal Cabinet will adopt key points on this: They are the first step towards a “KRITIS Umbrella Act” agreed in the coalition agreement of the SPD, the Greens and the FDP, in which the regulations for the protection of critical infrastructure are to be pooled together.
Klaus Landefeld, eco Board Member, has the following to say:
“The fact that the KRITIS Umbrella Act is intended to define holistic protection standards for critical infrastructures that go beyond the already existing protection against IT security incidents is something that we, as the Association of the Internet Industry, emphatically welcome. The intention to embed the German legal framework for critical infrastructure protection in an integrated European system is also correct and necessary. However, a sense of proportion is absolutely necessary in the concrete design of this law: Operators of KRITIS must not simply be placed under a unilateral and disproportionate obligation and burdened, for example, by numerous new, parallel reporting obligations. These can only contribute indirectly to the achievement of objectives.
In order to strengthen the ability to act and the resilience of the industry, the state and society against threats, the non-KRITIS sectors in particular must also be more strongly included in the planning and also be seen to share responsibility.”
From the point of view of eco – Association of the Internet Industry, the creation of a new coordination body at the German Federal Office of Civil Protection and Disaster Assistance (BBK) in the area of IT security, as envisaged in the policy guidelines, could lead to increased bureaucracy for companies. Since the German Federal Office for Information Security (BSI) will continue to be primarily responsible, parallel responsibilities are unavoidable.
“The policy guidelines do not yet anyway specify as to how the cooperation and division of tasks between the BBK and the BSI should look in concrete terms in the future. However, new reporting obligations and reporting requirements for companies must not under any circumstances lead to bloated bureaucratic procedures and multiple reports without achieving an actual improvement in the security situation and availability through improved precautions and procedures in the event of a crisis,” warns Landefeld.