The Kritis Regulation 2.0 expands the affected sectors, imposes stricter requirements on operators and gives the Federal Office for Information Security (BSI) an even stronger role. The amendment means considerable additional work for existing and new Kritis operators.
As always, the aim of the BSI is to protect the country's critical structures against the growing threat from cyberspace. This is to be achieved, among other things, by adjusting the threshold values, which turns many previously non-critical systems into Kritis operators from 2021. The energy, transport, information technology and telecommunications sectors, as well as finance and insurance, are particularly affected. According to current estimates, the number of existing Kritis operators, around 1,600, will grow further as a result of the change in the law.
Kritis Regulation 2.0 defines new sectors
The BSI does not stop at adjusting the threshold values for the previous Kritis operators, but adds two further sectors: municipal waste disposal and the so-called „companies of particular public interest“ (UBI/UNBÖFI). In addition to the armaments industry, the latter also includes companies that process hazardous substances and are subject to the Major Accidents Ordinance. Companies in which a disruption (e.g. an interruption in the supply chain) would have an impact on society as a whole also count among the critical infrastructures from 2021.
While the exact definition of the threshold values for the municipal waste disposal sector is still pending, the UBI/UNBÖFI are currently considered „Kritis Light“. This means that, depending on their group, operators are obliged from 2021, 2023 or 2024 to register with the BSI, to submit a self-declaration on IT security and to report disruptions immediately.
Stricter requirements and more obligations for operators
Kritis 2.0 establishes a new reporting obligation for so-called „critical components“, i.e. software and hardware products whose failure would have a significant impact on a system. In the future, critical components may only be used with a guarantee of trustworthiness from the manufacturer.
The amendment now explicitly supplements the specification of “appropriate security” with the use of systems for attack detection. Threats are to be detected during operation with the help of suitable software solutions, such as Security Information and Event Management (SIEM) systems, and eliminated in good time.
The stricter requirements come with stronger sanctions. Since January 1, Kritis operators who do not comply with their obligation to provide information, do not report disruptions immediately, or do not implement the prescribed measures to protect their infrastructure have had to reckon with fines of up to 20 million euros.
BSI gains more powers
The updated Kritis Regulation has not gone unchallenged. In particular, the expansion of the BSI's competencies caused resentment among the operators of the affected systems. As the central reporting point for security in information technology, the BSI will in future not only be able to collect and evaluate extensive data on incidents and attacks, but also to insist on the release of documents and the disclosure of sensitive information.
In addition, the Kritis Regulation 2.0 makes the BSI the national authority for cyber security certification. From now on, the authority has the right (and the obligation) to check IT products for compliance with European standards, taking into account all supply chains, and to certify them accordingly or to prohibit their use.
How operators protect themselves
Despite all the dissatisfaction with the strict requirements: Kritis 2.0 is the federal government's necessary answer to the growing cybercrime threat and to attacks on critical infrastructure elements. For operators, the amendment has also made it clear that more new regulations are to be expected in the future. In addition, it cannot be ruled out that more and more systems will fall under critical infrastructure in the future as a result of a renewed adjustment of the threshold values.
In order to meet the strict requirements of the BSI, automated solutions will play an even more important role in the future. With SIEM solutions, supply chain controls and extensive reporting and information obligations, the new obligations provide for security precautions at a significantly higher level than before. For Kritis operators this means, in many cases, additional personnel expenditure that can only be compensated for with the help of automated solutions for basic IT protection.
Identity and rights management as basic protection
Automated solutions that lay a stable foundation for the IT security of critical infrastructures are often used for identity and rights management. With the help of identity and access management, also known as IAM, Kritis operators can manage many of the threats and vulnerabilities defined by the BSI (such as data misuse by employees or unauthorized access) without great human effort.
IAM solutions like Tenfold serve as a central platform for managing users and access rights. They greatly reduce both the manual effort and the error rate, since both the assignment and the withdrawal of authorizations are role-based and therefore automatic. Automated documentation also makes it possible to trace at any time which employees had access to sensitive data and when.
Comprehensive protection of identities also gives Kritis operators a decisive advantage with regard to the new regulation, as it facilitates the implementation of security concepts and software applications that build on these identities. Following the amendment, the BSI is currently developing specific recommendations on secure procedures for implementing IAM solutions.
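As an added illustration of the role-based assignment, withdrawal and documentation just described (example code written for this edit, not Tenfold's product code and not anything published by the BSI; the role model, rights, employee and dates are constructed). The point it makes beyond the paragraph is the withdrawal side: when a role is removed, the rights it implied are revoked in the same reconciliation step, so privileges do not accumulate across department changes, and the audit log can be replayed to answer "who could do X at time T".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role model for the example: role -> permissions ("system:right").
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "scada-operator": {"scada:read", "scada:write"},
    "finance-clerk": {"erp:read", "erp:post"},
    "auditor": {"erp:read", "scada:read"},
}


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    user: str
    permission: str
    action: str   # "grant" or "revoke"
    reason: str   # e.g. the HR event that triggered the change


@dataclass
class RoleBasedIam:
    granted: dict[str, set[str]] = field(default_factory=dict)
    log: list[AuditEvent] = field(default_factory=list)

    def reconcile(self, user: str, roles: set[str], at: datetime, reason: str) -> set[str]:
        """Make the user's effective permissions equal exactly what the roles imply.

        Rights that are missing are granted, rights no longer implied by any role
        are revoked, and every change is written to the audit log. Returns the
        resulting permission set.
        """
        desired: set[str] = set()
        for role in roles:
            desired |= ROLE_PERMISSIONS[role]   # KeyError on an unknown role is intended
        current = self.granted.setdefault(user, set())
        for perm in sorted(desired - current):
            current.add(perm)
            self.log.append(AuditEvent(at, user, perm, "grant", reason))
        for perm in sorted(current - desired):
            current.remove(perm)
            self.log.append(AuditEvent(at, user, perm, "revoke", reason))
        return set(current)

    def holders_at(self, permission: str, at: datetime) -> set[str]:
        """Replay the audit log to answer: who held `permission` at time `at`?"""
        holders: set[str] = set()
        for ev in sorted(self.log, key=lambda e: e.at):
            if ev.at > at or ev.permission != permission:
                continue
            if ev.action == "grant":
                holders.add(ev.user)
            else:
                holders.discard(ev.user)
        return holders


def demo() -> dict:
    """Walk one constructed employee through a hire and a department change."""
    iam = RoleBasedIam()
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    after_hire = iam.reconcile("alice", {"finance-clerk"}, t0, "hired into accounting")
    t1 = t0 + timedelta(days=90)
    after_transfer = iam.reconcile("alice", {"auditor"}, t1, "transfer to internal audit")
    return {
        "after_hire": after_hire,
        "after_transfer": after_transfer,
        # erp:post was held while alice was a clerk ...
        "could_post_before_transfer": iam.holders_at("erp:post", t0 + timedelta(days=30)),
        # ... and is gone the moment the role changed, without a manual ticket.
        "can_post_after_transfer": iam.holders_at("erp:post", t1 + timedelta(days=1)),
        "revocations": [ev.permission for ev in iam.log if ev.action == "revoke"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reconciliation is idempotent, so it can be run on every HR event or on a schedule; the revoke branch is the part that manual, ticket-driven provisioning typically forgets, and it is exactly the access-accumulation case that a later access review or BSI enquiry would otherwise surface.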