In this article you will read about:
- which industries count as critical infrastructures (CRITIS) and what risks they are exposed to,
- what will change with the IT Security Act 2.0,
- why suppliers and service providers must also meet CRITIS requirements, and what companies need to consider.
"Critical infrastructures (CRITIS) are organizations and facilities of vital importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety, or other dramatic consequences." This is how the German government defines critical infrastructures in its CRITIS strategy. In the past, it classified nine sectors as indispensable for social coexistence: food, energy, and water supply, healthcare, transport and traffic, the state and administration, IT and telecommunications, media and culture, as well as finance and insurance. The IT Security Act 2.0 (IT-SiG 2.0), which came into force in May 2021, adds the area of waste disposal. For companies and organizations from these sectors, the following applies: failures can be tolerated barely or not at all, at least as soon as the operations in question exceed defined thresholds for supplying a larger number of citizens.
For CRITIS operators, this in turn means that their infrastructures are particularly vulnerable due to their vital importance for people and society, and that they must give them special protection. Among the greatest threats to critical infrastructures, the German Federal Ministry of the Interior (BMI) lists natural disasters such as storms, fires, and earthquakes, as well as technical and human failure. Attacks, crime, and war are also among the dangers that CRITIS operators must take into account in their risk analyses and in their prevention and protection concepts.