Financial Crime World

Germany Enacts Sweeping Reforms to Critical Infrastructure Protection

Berlin, Germany - In a bid to strengthen national cybersecurity, Germany has enacted sweeping reforms to its critical infrastructure protection regime. The second amendment to the BSI-KritisV regulation has expanded the list of critical infrastructures, widening the range of organizations that are required to take robust security measures.

New Requirements for Critical Infrastructure Operators

According to the new regulations, operators of critical infrastructures must:

  • Implement state-of-the-art security measures to prevent disruptions to their IT systems and components
  • Conduct regular security audits, reviews, or certifications
  • Register with the Federal Office for Information Security (BSI)
  • Notify the BSI of any incidents and provide evidence of compliance with the new regulations

Enhanced Risk Assessments and Reporting Obligations

The reforms have significant implications for organizations operating in Germany, particularly those in the financial sector. Under the revised Directive on Risk Assessment and Incident Reporting for Critical Entities (RCE), critical entities will be subject to:

  • Enhanced risk assessments
  • Reporting obligations for incidents

A government spokesperson emphasized: “We take cybersecurity very seriously in Germany. These reforms are designed to ensure that our critical infrastructure is protected from cyber threats, and we are committed to working with industry stakeholders to implement these measures effectively.”

Additional Reporting Obligations

The new regulations have triggered additional reporting obligations for organizations experiencing significant incidents. Under Article 23 of the NIS Directive:

  • Essential or important entities must report incidents to the competent authority within 24 hours
  • Operators of critical infrastructure must notify the BSI immediately in cases where the availability, integrity, authenticity, and confidentiality of their IT systems are compromised

Incident Reporting for Financial Institutions and Data Controllers

Financial institutions under the DORA regime will be required to:

  • Classify incidents and report major ICT-related incidents to the relevant competent authority
  • Report significant cyber threats on a voluntary basis

Data controllers who experience personal data breaches must notify the relevant Data Protection Authority without undue delay and provide detailed information about the incident, including measures taken to remedy or mitigate negative effects.

Providers of Public Telecommunications Networks or Services

Providers of public telecommunications networks or services must immediately notify the Federal Network Agency and the BSI of any impairments of their networks or services that may lead to significant security breaches.

Conclusion

The reforms demonstrate Germany’s commitment to strengthening its national cybersecurity posture and ensuring the protection of its critical infrastructure. The measures are designed to provide an additional layer of security for organizations operating in Germany, while also enhancing cooperation with international partners to combat cyber threats.