NIS 2 and CER: How the delayed legal implementation in Germany is putting KRITIS operators under pressure

The resilience of our critical infrastructures (KRITIS) is at stake. While other EU countries have long since acted, Germany is lagging alarmingly behind in implementing the European requirements for KRITIS security, in particular the NIS 2 and CER directives.

This delay by the previous federal government has left a vacuum where clear national legislation should be, putting operators of critical infrastructures in an uncertain position. In this article, we shed light on this dangerous discrepancy and analyse the ‘legacy issues’ that KRITIS operators have to deal with today. Our interview with Holger Berens, Chairman of the BSKI, provides valuable insights into the omissions and pressing challenges.

European regulations on hold: a dangerous hesitation

The European Union’s NIS 2 and CER directives aim to strengthen the cyber security and physical resilience of critical infrastructures in all member states. While these directives have long since come into force and other countries are working flat out on their national implementation, Germany is dragging its feet. This hesitation on the part of the previous government has left a clear problem for the companies affected:

  • Legal grey area: Without final national legislation, KRITIS operators operate in an environment of uncertainty. Which specific requirements apply when and how?
  • Delayed security measures: The lack of a clear line from Berlin can lead to necessary investments in security measures being postponed – a dangerous gamble with resilience.
  • Competitive disadvantage: German KRITIS operators could be at a disadvantage compared to companies in other EU countries that were given clear framework conditions early on.

In the interview, Holger Berens from the BSKI emphasises the explosive nature of this situation: “The failure to implement the EU directives creates unnecessary uncertainty and harbours considerable risks for the security of our critical infrastructures. Operators now need clear and reliable framework conditions.”

The consequences of inaction: a look at the “legacy issues”

The delay in implementing European legislation is not an oversight without consequences. It has created specific ‘legacy burdens’ that KRITIS operators now have to deal with:

  • Scope for interpretation: existing German laws (IT Security Act etc.) must now be interpreted in the light of the European directives, which can lead to confusion and differing interpretations.
  • Need to catch up: When the national laws finally arrive, there is a threat of an abrupt increase in requirements, for which many companies may not have adequately prepared.
  • Complexity: The parallel existence of old and not yet fully implemented new regulations creates unnecessary complexity for those affected.

How KRITIS operators can prepare now:

Even in the absence of final national legislation, KRITIS operators must not remain paralysed. The European direction is clear, and proactive preparation is essential:

  • Study the EU directives in detail: Familiarise yourself with the contents of the NIS 2 and CER directives. These will determine the future direction of national legislation.
  • Check who is affected at an early stage: Use resources such as kritis.ai or openkritis to analyse whether your company is classified as critical infrastructure or an important sector under the new EU definitions.
  • Adapt risk management: Review and expand your risk management to take into account the potential impact of the upcoming EU requirements.
  • Strengthen information security management systems (ISMS): Implement or optimise your ISMS according to international standards such as ISO 27001, already taking into account the requirements of NIS 2.
  • Intensify resilience planning: Develop comprehensive plans to maintain operations and recover quickly in the event of disruptions or cyberattacks (in accordance with CER).
  • Identify interfaces: Analyse your dependencies and interfaces with other organisations that could also be affected by the new directives.

Conclusion: The clock is ticking – preparation is key

Germany’s hesitation in implementing European KRITIS legislation has created a clear problem for the companies affected. The lack of a clear national line creates uncertainty and harbours risks. However, instead of waiting for the final legislation, KRITIS operators must act proactively now and familiarise themselves intensively with the content of the NIS 2 and CER directives. This is the only way they can overcome the ‘legacy issues’ of the past and future-proof their critical infrastructures. For a comprehensive insight, we recommend listening to the full interview with Holger Berens in our security podcast ‘Fill the Gap’.

Holger Berens

Holger Berens is your contact for all aspects of security compliance and advises our customers online and on site.
