According to Interior Minister Faeser, the attacks on the Nord Stream pipelines have made it clear that cyber attacks are not the only threat in the future. A new package of laws aims to better protect the financial sector, health and public administration from sabotage, terror and natural disasters.
From power supply to telephone and railway lines to all payment transactions: The critical infrastructure in Germany should be better protected than before against terrorist attacks, acts of sabotage and natural disasters. Private operators should also be made responsible for this. This is the aim of the cornerstones of a comprehensive package of laws that the Federal Cabinet has now passed.
“Overall, we have to better arm ourselves against crises,” said Interior Minister Nancy Faeser. “We will define the areas to be particularly protected, identify risks and threats better and set mandatory protection standards.” Missing and inconsistent regulations for the protection of critical infrastructures (Kritis) should be a thing of the past with the targeted Kritis umbrella law. There are already clear regulations for hacker attacks, but the most recent attack on the Nord Stream pipelines in the Baltic Sea has shown that the infrastructure not only needs to be protected against cyber attacks. “We take the current threats very seriously,” assured Faeser. The corresponding law should come into force by the summer of next year.
Since the Russian attack on Ukraine, there has also been a “changed security situation” in Germany. Above all, the Kritis umbrella law is intended to define uniform minimum standards on how operators of important systems can protect themselves better and when they have to report damage. In addition, the systems – for example from sectors such as energy, water, transport, food and telecommunications – must be regularly checked for possible risks. The Federal Office for Civil Protection and Disaster Assistance (BBK) is to play a central role in this. The Ministry of the Interior wants to expand this facility into the central supervisory authority.
The ministry counts critical infrastructure in at least eleven sectors: energy, transport, banking, the financial market, health, drinking water, waste water, digital infrastructure, public administration, space and food (production, processing and distribution). In addition, culture and media should be “appropriately included”. The conditions should include the establishment of operational risk and crisis management, the creation of risk analyzes and resilience plans and the implementation of technical, personnel and organizational measures – such as the erection of fences and barriers or access controls.
It’s not just about obligations for the public sector, “it’s also expressly about the obligation for private infrastructure,” explained Faeser. However, it is too early to be able to say what costs the private sector operators will face. However, the minister referred to an “obligation” of the sectors concerned. There are very different standards here. Operators in some sectors already meet high requirements, such as hospitals. On the other hand, she sees a need for improvements in the transport infrastructure.