KRITIS (Critical Infrastructures) Competence Group
Critical infrastructures (named as KRITIS in Germany) play a crucial role in many fields of societal life. Since the beginning of the year, the protection of these infrastructures has been newly regulated by the NIS2 Directive and the CER Directive. In Germany, the regulation now encompasses 18 areas of public services, as opposed to the previous eight critical infrastructure sectors.
As a result, more than 30,000 companies in Germany must adapt to the new requirements under the NIS2 Directive. The regulation primarily affects companies from critical sectors such as energy, transport, healthcare and digital infrastructure, as well as many SMEs that play an essential role in supply security or the economy. This brings new challenges and regulatory requirements for numerous German companies that were previously not considered as operators of critical infrastructure.
In view of the far-reaching changes introduced by European regulatory frameworks such as NIS2, CER and DORA, eco supported its members in 2024 with a systematic series of events.
The series kicked off with German workshops that addressed the fundamental reorientation of cybersecurity in the wake of the new regulations. Particular emphasis was placed on the impact on critical infrastructures and specific requirements for the financial sector under the DORA Regulation.
Subsequently, the significance of critical infrastructures in the context of new technologies came to the forefront. The exchange with the German Aerospace Centre (DLR) highlighted the legal implications of NIS2 Directive and the KRITIS Umbrella Act, offering insights into practical strategies for preparing for potential attacks. The event also provided an overview of the DLR’s work in security research and demonstrated how research and practice can benefit from each other. The insights shared by DLR into their security research, along with an exclusive tour of the campus, illustrated the global dimension of cybersecurity and encouraged participants to think beyond the conventional boundaries of their field.
The focus then moved to specific operational topics such as securing supply chains, outsourcing strategies and securing industrial control systems. Discussions about quality assurance with managed security service providers and the role of security culture within companies complemented this practical focus of the meeting of the German KRITIS Competence Group in May 2024.
Additional events provided specific momentum: a German Policy Breakfast offered an opportunity for direct exchange with political decision-makers, while an online policy briefing summarised the current status of the German NIS2 implementation.
The highlight of the year was a German workshop on the delayed implementation of the NIS2 Directive, which analysed the causes of the delays and developed strategies for complying with future regulations.
The series of events in 2024 highlighted the multi-layered challenges associated with implementing the NIS2 Directive. In particular, the regulatory complexity due to overlaps between different regulatory frameworks, the cross-sectoral impacts, and the new requirements for supply chain security and OT systems emerged as central themes.
The delayed implementation in Germany creates uncertainty on the one hand, but on the other, it also provides additional time for thorough preparation. Our events not only conveyed essential knowledge, but also created valuable networks between experts from various fields who can now work together on practical solutions.
Through this ongoing thematic development, the KRITIS Competence Group created a practice-oriented information offering that helped companies successfully navigate the challenges of the new cybersecurity landscape.
