SITTIG LAW Law Firm Blog

What is critical infrastructure? Definition and legal classification

Critical infrastructures are organizations and facilities that are important for the state community, the failure or impairment of which would result in lasting supply bottlenecks or significant disruptions to public safety. This includes nine sectors: energy, water, food, information technology and telecommunications, health, finance and insurance, transportation and traffic, media and culture as well as government agencies. These sectors are subject to special legal requirements and protection obligations under the IT Security Act.
Contents

The most important facts at a glance

Definition of critical infrastructure

Critical infrastructures are organizations and facilities of vital importance to the state and public life, the failure or impairment of which would lead to long-lasting supply bottlenecks, significant disruptions to public safety, or other dramatic consequences.

This definition is found in Section 2, Paragraph 10 of the BSI Act and is further specified by the BSI Critical Infrastructure Ordinance. The term reflects the recognition that modern societies are so dependent on certain infrastructures that their failure can have catastrophic consequences.

Digitalization and networking have significantly increased the vulnerability of critical infrastructures. An experienced IT lawyer can help understand the complex legal requirements and develop compliance strategies. At the same time, new dependencies have emerged, making the protection of these infrastructures a national security priority. An experienced Lawyer for data protection can help understand complex legal requirements and develop compliance strategies, as KRITIS operators are also subject to comprehensive data protection obligations.

Legal Basis and Definitions

IT Security Act as a Framework Law

The legal requirements for the protection of critical infrastructure in Germany are governed by the Act on Enhancing the Security of Information Technology Systems—known as the IT Security Act (IT-SiG)—and have been implemented primarily through the BSI Act (BSIG). The obligations for operators stem mainly from this law. The law first came into effect in 2015 and was significantly amended in 2021.

The amendment based on IT-SiG 2.0 has significantly expanded the scope of application and tightened the requirements for operators.

Central to this is the previously existing authorization of the Federal Ministry of the Interior, for Building and Homeland Security (BMI), in agreement with the BSI, to set the specific criteria for classification as critical infrastructure in statutory instruments.

BSI Critical Infrastructure Ordinance as a Specification

The BSI Critical Infrastructure Ordinance (BSI-KritisV) concretizes the legal requirements and defines precise threshold values and criteria. It specifies which companies in which sectors must be considered operators of critical infrastructures.

The regulation uses various criteria, such as the number of people served, technical capacity, and importance to downstream infrastructure. These quantitative approaches allow for objective delineation and provide legal certainty for the affected companies.

Regular reviews and amendments to the regulation ensure that new technological developments and changing threat landscapes are taken into account. This ensures that the protection of critical infrastructure keeps pace with evolving requirements.

European NIS 2 Directive

The European Network and Information Security Directive 2 (NIS-2) expands the understanding of critical infrastructures at the EU level. It distinguishes between „essential“ and „important“ entities and introduces new sectors that were not previously covered.

The NIS2 Directive had to be transposed into German law by October 17, 2024, and is expected to lead to a further expansion of the circle of regulated companies.

This means that more companies than before will be subject to the strict requirements of the KRITIS Act. Of particular significance is the lowering of the thresholds, which means that medium-sized companies may also be covered. These companies must have at least 50 employees and an annual revenue of 10 million euros, and both criteria must be met simultaneously.

The Nine Critical Infrastructure Sectors

Energy Sector

The energy sector comprises electricity, gas, fuel, and district heating supply, forming the backbone of modern industrial society. These areas have become indispensable for nearly all other infrastructures. Electricity supply includes power plants, transmission networks, distribution networks, and wholesale electricity markets, while gas supply encompasses pipeline networks, gas distribution networks, gas storage facilities, and LNG facilities. Fuel supply includes refineries, crude oil pipeline facilities, and tank farms, and district heating supply is ensured by corresponding supply facilities and district heating networks. All these infrastructures are interconnected and interdependent. The thresholds are mostly based on the number of connected end-consumers or the installed capacity. For example, electricity distribution networks serving 500,000 or more people are considered critical infrastructure, reflecting their special importance to society.

Water Sector

The water sector is divided into drinking water supply and wastewater disposal, both of which are essential to public health and the functioning of society and cannot be easily replaced. Drinking water supply includes water extraction facilities, water storage facilities, drinking water treatment plants, and drinking water distribution systems. The number of residents served is usually the decisive factor in classifying a facility as critical infrastructure, as this is a direct measure of its societal importance. Wastewater disposal includes wastewater treatment plants, wastewater collection systems, and wastewater conveyance systems; here, too, thresholds based on population size or treatment capacity are decisive for classification. Central water supply facilities in metropolitan areas are of particular importance, as their failure could affect millions of people. These facilities are therefore especially worthy of protection and are subject to strict security requirements.

Food Sector

The food sector is a relatively new addition to the Kritis Regulation and encompasses the food industry as well as the food supply chain. This reflects the recognition that the food supply is critical to maintaining public order. The regulation covers large food producers, central distribution centers for the food retail sector, and major processing facilities, with the thresholds based on their regional or national significance for the food supply to the population. Of particular relevance are companies that hold a dominant market position in the supply of basic necessities or whose failure would lead to regional supply shortages. These companies bear a special responsibility for food security.

Information Technology and Telecommunications Sector

This sector forms the digital backbone of modern society and encompasses telecommunications, hosting, cloud computing, and digital services. Telecommunications includes public telecommunications networks, Internet nodes, data centers, and major telecommunications service providers, with the number of subscribers or the provider’s importance to the network infrastructure typically being the determining factor. Hosting and cloud computing are represented by data centers and cloud providers that deliver critical services to other infrastructures. Digital services include online marketplaces, online search engines, and cloud computing services of significant social or economic importance.

Healthcare Sector

The healthcare sector includes hospitals, pharmaceutical supply, and medical care. Hospitals are considered critical infrastructure when they have a certain number of beds or fulfill special service mandates – university hospitals and maximum care providers are typically included. Pharmaceutical supply encompasses pharmaceutical manufacturers, pharmaceutical wholesalers, and central pharmacies with significant market positions. Medical care also includes specialized facilities such as blood donation services or central laboratories that cannot be quickly replaced.

Financial and insurance sector

The finance and insurance sector includes credit institutions, stock exchanges, insurance companies, and financial service providers. Credit institutions are generally classified as critical once they reach a certain total assets threshold or number of customers. Stock exchanges and trading venues are typically classified as critical infrastructure due to their central role in the financial system; the same applies to central clearing and settlement systems. Insurance companies are included if they meet certain thresholds for premium volume or the number of policyholders, particularly if they provide essential services.

Transport and Traffic Sector

The transportation sector includes aviation, maritime shipping, rail transport, and road transport. Aviation encompasses airports, air traffic control facilities, and major airlines, with passenger numbers or the importance of national connectivity typically serving as the determining factors. Maritime shipping includes seaports and shipping companies—large container ports are typically classified as critical infrastructure. Rail transport includes railway infrastructure, train stations, and rail operators, with Deutsche Bahn AG and its subsidiaries largely covered.

Media and Culture Sector

This sector reflects the importance of information provision for a democratic society and includes broadcasting, the press, and symbolic structures. Broadcasting encompasses public service broadcasters and private broadcasters with a significant reach. The press includes major print and online media outlets, as well as news agencies that are relevant to shaping public opinion. Symbolic structures are culturally or historically significant institutions whose destruction would have considerable societal consequences.

Government and Public Administration Sector

With the revision of the KRITIS regime by the IT Security Act 2.0, government bodies are considered as a distinct sector. This includes central authorities, critical administrative services, and sovereign tasks such as registration offices, tax administration, or judicial institutions. Facilities for internal and external security can also be classified as critical infrastructure depending on their area of responsibility.

Thresholds and Classification Criteria

Quantitative Criteria

The German ordinance on critical infrastructure (BSI-Kritisverordnung) predominantly uses quantitative criteria for classifying critical infrastructure. Typical threshold values include, for example, 500,000 supplied persons for electricity distribution networks, 500,000 connected participants for telecommunications networks, or more than 30,000 inpatient cases per year for hospitals. These quantitative approaches offer objectivity and legal certainty, but can lead to unfair results in individual cases.

Qualitative Aspects

In addition, the classification takes into account qualitative aspects such as the particular importance to downstream infrastructure or the substitutability of the service. Even smaller facilities can be classified as critical if they occupy a key position in the supply chain or if no alternatives are available. Regional concentration and potential cascade effects in the event of outages are also factored into the assessment.

Dynamic Adjustment

The thresholds and criteria are regularly reviewed and adjusted to take into account technological developments, changing market structures, and new threat landscapes. This allows companies to be newly classified as critical infrastructure or to fall out of regulation, which necessitates continuous monitoring of legal developments.

Legal obligations for operators

IT security measures

Operators of critical infrastructure must take appropriate technical and organizational measures to protect their IT systems against impairments. These measures must comply with the state of the art and include safeguards against disruptions to availability, integrity, authenticity, and confidentiality, as well as incident response capabilities. The measures must be documented and regularly reviewed, with adjustments to be made in the event of changes in the threat landscape (§ 8a(1) BSIG).

Proof and certification requirements

Every two years, operators of critical infrastructures must provide proof to the BSI that they have implemented the required security measures (§ 8a para. 3 BSIG). This can be done through a qualified audit or certification. Recognized standards include, in particular, ISO 27001, ISIS12, or industry-specific standards, whereby the choice must correspond to the specific requirements. The BSI maintains a list of qualified auditors and auditing bodies.

Reporting obligations

Significant disruptions to IT systems must be reported to the BSI immediately. Disruptions that lead to a failure or significant impairment of functionality are considered significant. The report must include information on the nature, cause, duration, and impact of the disruption. Delayed or omitted reports may be subject to fines.

Contact points and cooperation

Every operator must designate a contact point that is reachable 24/7 and serves as the central point of contact for authorities. This contact point must have sufficient authority and expertise and should have direct access to management. Operators are obligated to cooperate with the BSI and other authorities, which may also include participation in information exchange and exercises.

International Perspectives

The EU is working on harmonizing standards for critical infrastructure. The NIS2 Directive is an important step towards aligning national definitions and standards to achieve a uniform level of protection. There is intensive cooperation with the US and other partners on protecting critical infrastructure, with a focus on common standards and information exchange.

Globally, a trend towards stricter regulations for critical infrastructure is being observed. Countries such as Australia, Canada, and Japan have enacted or tightened similar laws. Cybersecurity aspects and physical security both play an important role, while geopolitical tensions are leading to increased protective measures.

Challenges and Future Trends

The ongoing digitalization is creating new dependencies and vulnerabilities. The Internet of Things (IoT), artificial intelligence, and 5G technology significantly expand the attack surface for cyber threats. At the same time, new forms of critical infrastructure are emerging, for example, in the area of digital identities or in platform economies with systemic significance. 

Climate change presents critical infrastructures with additional challenges. Extreme weather events can lead to widespread outages, making resilience a central concept. It's not just about protection against attacks, but also the ability to withstand disruptions and recover quickly. 

The shortage of skilled workers in IT security also affects KRITIS operators, while the dependence on international supply chains creates new vulnerabilities. The COVID-19 pandemic and geopolitical tensions have made these risks glaringly apparent.

Practical implementation recommendations

Companies should first assess whether they are affected by the KRITIS regulation. This requires a detailed analysis of business operations and the relevant thresholds. Even for companies falling just under the thresholds, voluntary orientation towards KRITIS standards can be useful, as the criteria may change. 

Affected companies must establish comprehensive compliance structures, encompassing governance structures, processes, technologies, and qualified personnel. A Chief Information Security Officer (CISO) should bear overall responsibility, with clear accountability and escalation paths being essential. 

Constructive cooperation with the BSI and other authorities is essential. This includes regular information exchange, participation in industry meetings, and joint exercises. Transparency and proactive communication are viewed positively by the authorities.

Strategic importance and legal complexity

Critical infrastructures form the backbone of modern societies and are essential for the functioning of the economy and the state. Their protection is therefore a national priority, reflected in comprehensive legal regulations. 

The definition and delimitation of critical infrastructures are complex and subject to continuous adjustments. Companies must closely monitor developments and align their compliance strategies accordingly. 

The legal requirements go far beyond technical security measures and include governance, documentation, reporting, and regulatory cooperation. This requires significant investment and specialized expertise. 

We support operators of critical infrastructures in developing legally compliant strategies. With our expertise in IT law and understanding of technical correlations, we develop tailor-made solutions for the complex requirements of KRITIS law.

Frequently asked questions

Critical infrastructures are organizations and facilities of great importance to the state's well-being, whose failure would result in significant supply shortages or disruptions to public safety.

There are nine sectors: energy, water, food, information technology and telecommunications, health, financial and insurance services, transport and traffic, media and culture, and government agencies.

The classification is based on the criteria of the BSI Kritis Ordinance. Companies are themselves obliged to check whether they are operators of critical infrastructures. The BSI receives notifications and registers the corresponding operators.

You must implement appropriate IT security measures, provide proof every two years, report disruptions, and establish a contact point. Cooperation with the BSI is mandatory.

Violations are currently punishable by fines of up to 2 million euros (Section 14(6) of the BSIG). Once the NIS 2 Directive is implemented, fines of up to 10 million euros or 2% of global annual revenue are expected to be permitted.

Yes, if they hold a key position or if no alternatives exist. The NIS2 directive will also be able to cover medium-sized companies with 50 or more employees.

The BSI Criticality Ordinance is regularly reviewed and adjusted. This can result in companies being newly covered or falling out of regulation.

The measures must comply with the state of the art. Recognized standards include ISO 27001, ISIS12, or industry-specific standards accepted by the BSI.

It will significantly expand the circle of regulated companies and introduce stricter requirements. Implementation into German law will take place by October 2024.

Through analysis of business operations, establishment of IT security structures, implementation of standards, and legal advice for correct assessment of affected status.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form