“KRITIS Umbrella Act”: lack of clarity about practical implementation

Legal regulations for critical infrastructures

Without critical infrastructures, Sunday mornings just wouldn’t be the same for many people. The water for your shower, the electricity for your coffee machine, and the newspaper or online news website that you read are just a few examples of the services provided by critical infrastructure organisations and facilities. These also include transport and traffic, finance and insurance, public administration, health, food, sewage, wastewater and waste disposal, IT and aerospace. In a world that is increasingly interconnected and dependent on smoothly functioning infrastructures, the uninterrupted availability of these systems forms the foundation of our day-to-day lives. However, these infrastructures are exposed to a wide range of risks. Apart from the challenges due to everyday disruptions, they stand particularly in the crosshairs of extreme events – whether natural catastrophes, technical failures, or targeted attacks. 

To counter these kinds of threats, legal frameworks have been established at European and national levels that focus on identifying and protecting critical infrastructures. A milestone in this process is the German “Kritis Umbrella Act”, which goes further than the previous regulations by extending the security requirements for the operators of such services. “The aim is to give the operators organisational, personnel-related and technical (physical) guidelines for the operation of the critical infrastructures they are responsible for,” explains Wilfried Joswig, Managing Director of the VfS (German Association for Security Technology). For the first time, the KRITIS umbrella act regulates the physical protection of Germany’s critical infrastructures. “This makes sense and has certainly also been necessary for a long time,” adds Jürgen Schiller, Chair of the Working Group on Perimeter Protection at the DKE, the German Commission for Electrical, Electronic and Information Technologies. 

Associations hope for improvements to the law

The acknowledgement that physical security measures play a fundamental role marks a major step forward in the national security strategy. There is broad consensus on the legislative objective of strengthening the physical resilience of operators of critical facilities. 
But when it comes to the practical implementation, there is still a lack of clarity even after the second draft from December 2023. “To implement the requirements relating to physical security, recommendations for action, guidelines and classifications of the necessary measures are urgently required. However, these are only available in some areas. Specifically in the field of perimeter protection, the regulations required for the implementation of the KRITIS umbrella law need to be defined as a matter of urgency,” says Wilfried Joswig. The challenge lies in developing detailed and practical stipulations that provide operators with a clear direction.

When helping design the draft, the industry associations and standardisation committees emphasised the quality of the technology and services used for protection purposes. For the first draft, they therefore provided clear guidance on the possible security systems to be used and minimum standards to be applied. “Unfortunately, these have not made their way into the second draft. It is therefore to be hoped that the necessary risk analyses and the resilience standards still to be developed will provide more detailed information in this context. This is also what the operators of the critical infrastructures would like, as they want clarity regarding the legal requirements,” says Thomas Hermes, Deputy Chair of the DKE.

Lots of detail involved, from fencing systems to risk management

What is clear so far is that standardized minimum requirements for resilience measures are intended to improve the resilience of critical infrastructure operators. Critical infrastructures are to be identified and their threat situation and risk made easier to identify. In addition, binding increases in protection levels are envisaged. This is a mammoth task given the substantial number and diversity of the companies concerned. “The statutory provisions apply to a large number of companies, with initial estimates putting the figure in the lower five-digit range. It remains to be seen how the demand from these companies can be met on time,” says Thomas Hermes.

In practice, implementation depends on numerous individual measures, ranging from the detailed analysis and evaluation of specific threats and risks to the compilation and realization of the security concept. For perimeter protection, many large and small measures are necessary, and it will take time to implement them. “When designing perimeter protection, e.g. through fencing systems, the specific threat profiles of potential attackers, the tools they use and the time they need to overcome security barriers all need to be taken into account,” says Joswig. This includes protecting barriers from attempts to break through, climb over, dig under and fly over them. In addition, access roads must be designed so that they effectively prevent the passage of vehicles, whereby the precise requirements for the design of access roads and the necessary barriers are to be determined.

It is also necessary to design entrances and access roads to critical infrastructures in such a way as to ensure the secure and appropriate control of the movement of people and goods. Finally, the exterior building envelope, including doors and windows, needs to meet specific requirements to provide a comprehensive level of protection. These security measures necessitate the use of technical systems, for example, to detect and evaluate undesirable incidents and trigger a response. “This is where security systems like perimeter detection systems, burglar alarms, video surveillance equipment and risk management systems come into play,” explains Joswig.

There is therefore a lot of work set to come the way of vendors of fencing systems, and access control and monitoring systems, like those exhibiting at Perimeter Protection in Nuremberg. “Companies in the field of perimeter protection will be seeing increased demand for projects following the inevitable delay due to the necessary risk analyses. In this context, the quality and integral nature of the protection solution will hopefully play a defining role,” says Jürgen Schiller.