Critical infrastructure act (KRITIS DachG) aims to ensure better protection for critical infrastructures

The German critical infrastructure act will impose new obligations on the operators of critical infrastructures. Among other things, the current draft legislation will require operators to prevent unauthorised access to critical infrastructures (KRITIS in German) like airports or waterworks. What does this mean for perimeter protection?

The risk of hacker attacks and espionage is once again attracting increased attention from governments, and not just since the war in Ukraine. Other threats like natural catastrophes or unauthorised access carry the risk that infrastructure facilities could be crippled – with consequences for millions of people. With this in mind, the German Federal Ministry of the Interior and Community (BMI) published a draft of a “critical infrastructure act” on 28 July 2023.

Focus on eleven sectors, from energy to aerospace

With this draft legislation, the government aims to create nationally standardised regulations applying across sectors for the physical protection of critical infrastructures. According to Federal Minister of the Interior Nancy Faeser, the act is designed to “increase the resilience of critical infrastructures in Germany. The objective is to better protect these infrastructures from numerous risks posed by natural phenomena or human beings.” The federal states and relevant associations have now been invited to comment on the draft.

The draft proposal contains standardised rules to protect critical infrastructures in a total of eleven sectors: energy, transport and traffic, finance and insurance, public administration, health, food, drinking water, wastewater, municipal waste management, information technology and telecommunications, and aerospace. Until now, the only national regulations applying to these infrastructures were on IT security. The “all risks approach” is therefore intended to take all kinds of risks into account, whether natural catastrophes or human error.

Minimum standards for physical protection

The critical infrastructure act (KRITIS-DachG) stipulates minimum standards for physical protection and obligates operators to take certain measures if the infrastructure is of crucial importance for the supply of essential services in Germany and serves more than 500,000 people.

These measures include establishing a risk and crisis management system at the facility, conducting risk analyses and evaluations, preparing resilience plans, and implementing suitable and proportionate technical, personnel and organisational procedures for the respective facility. These include measures necessary to:

• prevent incidents occurring,
• ensure adequate physical protection of the grounds of critical infrastructure,
• react to events, ward them off, and limit their consequences,
• restore supplies and services following incidents
• ensure adequate safety management for personnel, including the staff of external service providers, and
• raise awareness among relevant personnel through information material, training and practical exercises.

Perimeter protection – technology as the key to implementation

According to the government, such steps could include the installation of fences and barriers, the use of detection devices, access controls and security checks, but also the provision of redundancies and the diversification of supply chains. Implementation of these requirements can therefore only succeed with the help of the kind of solutions and technologies for protecting perimeters that are regularly on display at the Perimeter Protection trade fair in Nuremberg. The products and services of exhibitors at the event are therefore likely to be even more in demand in future than before.

Nevertheless, experts in the field of perimeter protection and disaster control have already identified gaps in the draft legislation. The DKKV (German Committee for Disaster Risk Reduction), for example, has basically welcomed the act, but does see some room for improvement. Whereas the draft legislation is strongly focused on security aspects, the DKKV believes that it lacks important measures to increase general safety, like structural protective measures. Other criticisms by the committee are that the definition of resilience used is too narrow, and that insufficient attention has been paid to aspects like early warning and the principle of “build back better".

Professor Clemens Gause, Chief Executive of the VfS (German Association for Security Technology) also pointed to certain deficiencies in the draft critical infrastructure act. Although he welcomed the fact that the physical security of infrastructures was getting more attention in addition to concerns about IT security, he felt that a clear identification and delineation of critical infrastructures was necessary to flesh out the legislation. In addition, cross-sectoral regulations had to be developed to facilitate collaboration, as crises can often impact several sectors. According to Gause, the German Association for Security Technology, which is a partner of Perimeter Protection, is to be involved in drafting the law. He hopes to contribute his experience from various research projects to develop future-proof solutions. One such project, SPELL, is investigating the integration of artificial intelligence into control rooms and situation rooms, and according to the association chief, could be relevant for the association’s planned contribution to the critical infrastructure act. “I am curious to see what the future will bring in this respect and how the new critical infrastructure act will be implemented. At any rate, it does offer many opportunities, and above all helps us to counter crises with resilience and address the problem of ‘catastrophe amnesia’ that is so frequently observed,” emphasises Gause.