The most important facts at a glance
- Critical infrastructures are subject to special IT security obligations: the IT Security Act and the NIS 2 Directive define comprehensive compliance requirements
- Reporting requirements for cybersecurity incidents are mandatory—violations can currently result in fines of up to 2 million euros; after the implementation of NIS 2, fines may reach up to 10 million euros or 2% of annual revenue
- Technical and organizational measures must comply with the state of the art; regular audits and certifications are required
What is critical infrastructure?
Critical infrastructures are organizations and facilities of vital importance to the state and public life, the failure or impairment of which would lead to long-lasting supply bottlenecks, significant disruptions to public safety, or other dramatic consequences.
The German IT Security Act (IT-SiG), further specified by the BSI Critical Infrastructure Ordinance (BSI-KritisV), and the European NIS 2 Directive impose special IT security requirements on critical infrastructures. Digitization and networking have significantly increased the vulnerability of critical infrastructures, which is why the legislator has established special protection obligations.
For companies in these areas, far-reaching legal obligations arise that go well beyond normal IT security measures. Non-compliance can lead to significant fines, damage to reputation, and in extreme cases, to a business ban or shutdown. An experienced lawyer for IT law can help develop compliance strategies and minimize legal risks.
Legal Basis for IT Security in Critical Infrastructures
BSIG according to the IT Security Act (IT-SiG) 2.0
The BSIG was significantly strengthened and expanded in 2021 by the IT Security Act. It requires operators of critical infrastructure to implement comprehensive security measures and to cooperate closely with the Federal Office for Information Security (BSI). The law defines various categories of companies with differing obligations—operators of critical infrastructure are subject to the strictest requirements, while companies of special public interest and digital service providers have tiered obligations. The revised version has increased the maximum fines. The NIS 2 Directive provides for fines of up to 10 million euros or 2% of global annual revenue.
EU NIS-2 Directive
The Network and Information Security Directive 2 (NIS-2) is the successor to the original NIS Directive and had to be transposed into German law by October 2024. It significantly expands the scope and tightens cybersecurity requirements. The directive distinguishes between "essential" and "important" entities, with both groups generally having to meet the same security requirements. However, essential entities are subject to proactive supervision, while important entities are subject to reactive supervision. An important aspect is the expansion to include medium-sized companies with 50 or more employees or an annual turnover of 10 million euros in certain sectors.
BSI Act and official cooperation
The BSI Act regulates the tasks and powers of the Federal Office for Information Security as the federal government's central cybersecurity authority. The BSI can conduct security audits and issue directives to rectify security deficiencies. In particularly serious cases, it can also propose measures up to and including a ban on operations. Cooperation with the BSI is of essential importance for operators of critical infrastructure.
Critical Infrastructure Sectors
Energy and Water Management
The energy sector includes electricity, gas, fuel, and district heating supply and is particularly critical as modern societies are entirely dependent on a reliable energy supply. Smart grid technologies and increasing digitalization create new attack vectors that require special protective measures. The water sector encompasses both drinking water supply and wastewater disposal, where cyberattacks could not only disrupt supply but also lead to health hazards through contamination.
Information technology and telecommunications
Telecommunications companies, internet exchange points, and cloud providers form the backbone of digital infrastructure. Attacks on these systems can have cascading effects on all other areas. 5G technology and the Internet of Things (IoT) create new challenges, as increased connectivity offers more attack vectors, while at the same time dependence on these systems grows. Cloud computing is revolutionizing the IT landscape but also creates new security challenges for providers and customers.
Transportation and Traffic
The transport sector includes aviation, maritime shipping, rail transport, and road transport. Increasing digitalization and automation create new vulnerabilities, with intelligent transportation systems, autonomous vehicles, and digital logistics platforms posing potential targets for attack. Ports and airports are particularly critical hubs, as they are central to both national security and the economy.
Healthcare
Healthcare is becoming increasingly digitized, from electronic health records to networked medical devices. Hospitals have already been the target of ransomware attacks multiple times, which can lead to life-threatening situations. Telemedicine and digital health services have experienced enormous growth due to the COVID-19 pandemic and must be designed to be secure from the outset.
Finance and Insurance
Banks, insurance companies, and financial service providers manage critical economic infrastructure. Cyberattacks can shake confidence in the financial system and cause significant economic damage. The financial sector is already subject to strict regulations, which are supplemented by IT security laws. Fintech companies and digital payment services must also meet high security standards, while cryptocurrencies and blockchain technologies create new regulatory challenges.
Responsibilities of Critical Infrastructure Operators
Technical and organizational measures
Operators of critical infrastructures must implement appropriate technical and organizational measures to protect their IT systems against impairments of availability, integrity, authenticity, and confidentiality. These measures must be state-of-the-art and regularly reviewed and updated. Technical measures include firewalls, intrusion detection systems, encryption, backup systems, and redundant infrastructures, while organizational measures encompass security policies, training, access controls, and emergency plans.
Proof of IT Security
According to § 8a Paragraph 3 of the BSI Act, operators of critical infrastructures must prove, at regular intervals of at least every two years, that they have implemented the necessary IT security measures. This can be done through certification according to recognized standards such as ISO 27001, ISIS12, or the BSI's Technical Guidelines. The certification must be carried out by accredited bodies, and the BSI maintains a list of qualified certification bodies and auditors.
Reporting obligations for disruptions
Significant disruptions must be reported immediately to the BSI in accordance with § 8b BSIG, and specific regulations may require notification within 24 hours. The report must contain information on the nature, cause, duration, and impact of the disruption. The BSI may request further information and provide recommendations for remediation.
Contact point and cooperation
Each operator must designate a 24/7 accessible contact point that serves as a central point of contact for the BSI and other authorities. This contact point must have sufficient authority and expertise and should have direct access to management. Operators are obligated to cooperate with the BSI, which includes participation in information exchange, joint exercises, and the development of industry-specific security standards.
Implementation of IT security measures
Risk Assessment and Security by Design
The implementation of effective IT security begins with a comprehensive risk analysis, identifying all relevant threats and assessing their potential impact. Security by Design means that security aspects are incorporated into the planning and development of IT systems from the outset, as subsequent security measures are often less effective and more costly. The risk analysis must be regularly updated, as both the threat landscape and one's own systems are constantly changing.
Technical Security Architecture
A robust security architecture is based on the principle of defense in depth, where multiple layers of security are implemented. Network segmentation is an important building block to prevent the spread of attacks, with critical systems being operated in separate network segments. Endpoint protection, network monitoring, and Security Information and Event Management (SIEM) systems are further important components that must be continuously monitored and maintained.
Incident Response and Business Continuity
Despite all protective measures, security incidents can occur, making an effective incident response plan essential. This plan must consider various scenarios and define specific procedures for each. Business continuity planning ensures that critical business processes can continue to run even during a security incident, requiring redundant systems, backup procedures, and alternative communication channels.
Oversight and Enforcement
Powers of supervisory authorities
The BSI and other competent authorities have extensive powers to enforce IT security requirements. They can conduct audits, demand access to all relevant documents and systems, and involve external experts. If security deficiencies are identified, the authorities can issue orders for their remediation or, in severe cases, even order the shutdown of facilities.
Fines and Penalties
Violations of IT security requirements can result in substantial fines of up to 10 million euros or 2% of global annual revenue. Various factors are taken into account when determining the amount of the fine, including the severity of the violation, the size of the company, and the company’s willingness to cooperate. In addition to fines, other sanctions, such as a ban on certain processing activities, may also be imposed.
Reputational risks and liability
Security incidents can cause significant reputational damage and permanently harm the trust of customers, partners, and the public. Civil liability claims can arise if inadequate security measures result in damages to third parties. Cyber insurance can cover some of the financial risks but does not replace the need for adequate security measures.
International Cooperation and Standards
European Cybersecurity Strategy
The European Union has developed a comprehensive cybersecurity strategy based on common standards and close cooperation. The European Union Agency for Cybersecurity (ENISA) coordinates cooperation between member states and develops common standards and best practices. The planned Cyber Solidarity Act aims to further strengthen cooperation in the detection and defense against cyberattacks.
International Standards and Frameworks
ISO 27001 is the internationally recognized standard for information security management systems and offers a systematic approach to implementing and maintaining information security. The NIST Cybersecurity Framework from the USA is also frequently used as a reference in Europe and offers a risk-based approach. The Common Criteria Framework provides standards for evaluating the security of IT products and systems.
Threat Intelligence and Information Sharing
Exchanging information about threats and attacks is essential for effective cybersecurity. The BSI operates various information platforms and warns of current threats, while private threat intelligence providers complement governmental information and offer specialized services for different industries.
Emerging Technologies and New Challenges
Artificial Intelligence and Machine Learning
AI and machine learning offer great potential for cybersecurity, but also create new risks. AI-based attacks are becoming increasingly sophisticated, while adversarial AI aims to deceive or manipulate AI systems. The explainability of AI decisions is becoming increasingly important, especially in regulated areas.
Quantum Computing and Post-Quantum Cryptography
Quantum computing will make many currently used encryption methods obsolete in the coming years. Critical infrastructures must prepare for this development early and migrate to post-quantum cryptography. The BSI is already working on recommendations for the transition to quantum-safe cryptography.
5G and Edge Computing
5G networks offer new possibilities for critical infrastructures, but also create new security challenges. Edge computing brings data processing closer to the endpoints, which reduces latency but also creates new security challenges. Network slicing in 5G networks allows for the isolation of different services, but requires new security concepts.
Practical implementation recommendations
Building a Cybersecurity Program
Building a comprehensive cybersecurity program requires a systematic approach with a governance structure that defines clear responsibilities. A Chief Information Security Officer (CISO) should have overall responsibility and sufficient authority. The cybersecurity strategy must be closely aligned with the business strategy and support business objectives.
Employee Qualification and Awareness
Human factors are often the weakest link in the security chain, which is why regular training and awareness programs are essential. The training must take different target groups into account, as each group has different roles and responsibilities. Phishing simulations and practical exercises can sharpen security awareness.
Continuous improvement
Cybersecurity is a continuous process that requires regular audits, penetration testing, and vulnerability scans. Metrics and KPIs are important for measuring the success of security measures. Lessons learned from security incidents must be systematically recorded and incorporated into the improvement of security measures.
Future Outlook and Trends
Regulatory Developments
Cybersecurity regulation will continue to tighten, with new laws and regulations introducing additional requirements. The Cyber Resilience Act will introduce security requirements for IoT devices, while product liability for software and IT services will increase.
Technological Trends
Zero Trust architectures are becoming the new standard for network security, with the "never trust, always verify" principle requiring a fundamental redesign of network architecture. Security Orchestration, Automation and Response (SOAR) platforms will help manage growing complexity, while Extended Detection and Response (XDR) solutions offer a holistic view of security.
Challenges of the future
The shortage of cybersecurity professionals will continue to worsen, while the complexity of IT landscapes continuously increases. Geopolitical tensions are leading to an increase in state-sponsored cyberattacks, which critical infrastructures must prepare for.
Strategic Approach for Resilient IT Security
IT security for critical infrastructures is a strategic task that encompasses technical, organizational, legal, and business aspects. Regulatory requirements are continuously tightening, and the threat landscape is rapidly evolving. Close cooperation between various stakeholders is essential to ensure the resilience of critical infrastructures.
We support operators of critical infrastructures in developing legally compliant strategies. With our expertise in IT law and an understanding of technical contexts, we develop customized solutions that meet specific requirements, fulfilling regulatory obligations while also supporting business objectives.
Frequently asked questions
Fines can currently amount to up to 2 million euros (Section 14 BSIG). Once the NIS 2 Directive is transposed into German law, fines of up to 10 million euros or 2% of global annual revenue will be possible.
Operators of critical infrastructure must demonstrate every two years through certification or a qualified audit that they have implemented appropriate IT security measures.
Significant disruptions must be reported to the BSI immediately, and in any case within 24 hours. In the case of particularly severe incidents, immediate reporting may be required.
The state of the art should be understood dynamically and includes the latest technical developments and best practices. It must be regularly reviewed and adapted.
Yes, the NIS 2 Directive expands the scope to medium-sized enterprises with 50 or more employees or €10 million in annual turnover in certain sectors.
The BSI is the central cybersecurity authority and works closely with operators. It can conduct reviews, issue orders, and in extreme cases, prohibit operations.
International standards like ISO 27001 are often used as proof of IT security. However, for complete proof in accordance with Section 8a of the BSIG, these must be supplemented with national requirements where applicable and explicitly accepted by the BSI.
Companies should check if they are covered by the scope of application, assess their current security measures, and, if necessary, develop compliance programs.
Cyber insurance can cover some of the risks, but it does not replace adequate security measures. Insurers are increasingly imposing stricter requirements on IT security.