Berlin At least since the explosions on the Nord Stream pipelines, the protection of the so-called critical infrastructure (Kritis) has received new attention. The Federal Cabinet wants to discuss key points for a draft law this Wednesday, which should ensure improvements here.
However, it is questionable whether this can be achieved as desired. Because the implementation of the key points developed in the Federal Ministry of the Interior by department head Nancy Faeser (SPD) was made subject to general funding reservations in the course of internal government coordination between the ministries – contrary to what the minister originally intended.
“Insofar as concrete measures or future measures linked to them lead to expenditure in the federal budget, they are subject to available budget funds or established posts/jobs and do not prejudice current or future budget negotiations,” says the paper that is available to the Handelsblatt.
This also applies to Faeser’s plan to expand the Federal Office for Civil Protection and Disaster Assistance (BBK) into the “overarching competent authority for the physical protection of critical infrastructure”. The key issues paper states that this should be done “within the limits of available budgetary resources”.
Top jobs of the day
Find the best jobs now and
be notified by email.
The cornerstones are the first step towards a “Kritis umbrella law” agreed in the coalition agreement between the SPD, the Greens and the FDP. The regulations for the protection of critical infrastructures are to be bundled in it. The topic has become much more important because of the Russian war of aggression against Ukraine.
Saboteurs paralyzed rail traffic in northern Germany for several hours
The current crises such as the Covid-19 pandemic or the effects of the Ukraine war and acts of sabotage, such as those recently affecting Deutsche Bahn and the Nord Stream gas pipelines, have “clarified the importance and vulnerability of critical infrastructure and the associated impact on society as a whole,” it says it in the key issues paper. Therefore, the protective regulations for Kritis operators are now to be significantly tightened.
>> Read also: Small and medium-sized businesses are demanding government emergency programs to protect critical infrastructure
In concrete terms, uniform protection standards should apply to companies in critical areas such as energy, transport or health in the future. “The same minimum requirements in the area of physical security are imposed on the operators of critical infrastructures in all sectors in order to comprehensively protect critical infrastructures against dangers and to become more resilient as part of the overall system,” the paper says. “This gives the operators orientation for their actions and the supervisory authorities the task of explicitly considering measures to protect critical infrastructures.”
According to the paper, Kritis operators should, for example, be obliged to set up “operational risk and crisis management”, carry out risk analyzes and assessments and create resilience plans. The implementation of “suitable and proportionate technical, personnel and organizational measures for the respective institution” should also be prescribed.
The Interior Minister is tightening the requirements for critical areas such as energy, transport and banking.
(Photo: dpa)
This can be, for example, the erection of fences and barriers, access controls, security checks, but also the diversification of supply chains and the provision of redundancies. Something like double floors, so that acts of sabotage don’t immediately paralyze entire systems.
In the case of the act of sabotage against Deutsche Bahn in early October, there was no double protection. Unknown persons had cut an important radio network in two places in North Rhine-Westphalia and Berlin, so that rail traffic in northern Germany came to a complete standstill for several hours.
A total of eleven areas are classified as critical infrastructures
In the seven-page key issues paper, a total of eleven sectors are classified as critical infrastructure: in addition to transport, energy, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and food (production, processing and distribution).
The operators of the critical infrastructures – whether private companies or public institutions – would have to ensure the functionality of the individual areas by requiring “uniform minimum requirements for resilience measures”. According to the key issues paper, this is linked to the goal of strengthening the resilience of the entire system of critical infrastructures in all sectors.
>> Read also: Greens see massive deficits in the protection of critical infrastructures
However, the conditions also affect financing issues. The Greens have already promised state aid to the Kritis operators so that they can meet the tightened protection regulations. The first parliamentary director of the Greens parliamentary group, Irene Mihalic, suggested in the Handelsblatt that the planned “Kritis umbrella law” also include “clever funding and financing options”.
The advance can now also be found in the key issues paper, albeit only vaguely and unspecifically. “Support from the operators is being checked,” it says there only.
What is certain, however, is that the civil protection authority BBK should play a central role in the future when it comes to the physical protection of critical infrastructure and the reporting of risks and damage. Security incidents should be reported to the BBK.
The aim is to introduce “central fault monitoring” to enable a general overview of weak points in the physical protection of critical infrastructures. By reporting security incidents, other critical infrastructures affected by the security incident, including those in other EU member states, could be alerted, the paper said.
The plans for the protection of critical infrastructures should also be closely embedded in the European framework. This refers to the EU directive on the resilience of critical entities (Critical Entities Resilience, CER directive), which is expected to be adopted at the end of 2022.
More: Despite the changed threat situation, the traffic light gives less money for internal security