DIHK assesses KRITIS overarching law: Enhancing the security and resilience of critical infrastructures

The German Chamber of Commerce and Industry (DIHK) comments on the draft bill by the Federal Ministry of the Interior for the KRITIS overarching law. The goal is to improve physical security and resilience of critical facilities.

With the KRITIS overarching law, the German government plans to implement the CER Directive (EU) 2022/2557 and additional measures for operators of critical infrastructures. The German Chamber of Commerce and Industry (DIHK) welcomes the initiative to enhance the security of critical facilities but emphasizes the need for pragmatic and clear regulations for companies. Key aspects include uniform standards, coordinated work by the authorities, and comprehensible requirements to avoid duplicate regulations. The position paper highlights opportunities, challenges, and recommendations for efficient legislation from a corporate perspective.

Key Takeaways

  • KRITIS umbrella law strengthens the physical and digital resilience of critical infrastructures.
  • Uniform nationwide standards prevent duplicate regulation and legal uncertainty.
  • Practicable guidelines, deadlines, and supportive government processes are crucial.
  • Companies require transparent risk analyses, resilience plans, and reporting channels.
  • Collaboration among the state, industry, and sector associations fosters security and innovation.

Background

Critical infrastructures are essential for supplying the economy and society. The current geopolitical situation and increasing cyber threats make their resilience particularly relevant. The KRITIS overarching law aims to strengthen physical and digital security for operators and establish clear legal frameworks. Companies require legal certainty, practical obligations, and support from public authorities. Uniform responsibilities among authorities and coordinated processes are crucial to reducing the administrative burden and implementing effective security measures. At the same time, sector-specific characteristics must be taken into account to ensure efficient implementation and investments.

What companies need

  • Clear determination of whether and which facilities are covered by the KRITIS overarching law.
  • Access to uniform information and guidelines through BBK and BSI.
  • Avoidance of redundant evidence requirements and bureaucracy through coordinated work by the authorities.

DIHK demands

  1. Ensure uniform nationwide jurisdiction of authorities and avoid duplicate administrative effort.
  2. Design resilience measures in a practical manner, adjusting deadlines and requirements to business realities.
  3. Set sector-specific standards only after consultation with companies or associations.
  4. Establish a central reporting system for security incidents, including feedback channels for relevant information.
  5. Provide companies with continuous, needs-oriented risk analyses and transparent information.

FAQ

Which facilities are covered by the KRITIS umbrella law?
Critical infrastructures in sectors such as energy, transport, finance, healthcare, water supply, IT/telecommunications, and others, depending on thresholds.

What role do BBK and BSI play?
Both authorities provide guidelines, templates, consultations, and training and act as central points of contact for risk analyses and reports.

How should incidents be reported?
Via a joint online portal of BBK and BSI; initial report within 24 hours, detailed report within one month.

What support is available to companies?
Templates, models, guidelines, training, exercises as well as a "feedback channel" for safety information regarding threat situations.

Download

DIHK Position on the implementation of the CER Directive (EU) 2022/2557 and on strengthening the resilience of critical facilities (KRITIS overarching law and further measures) (PDF, 152 KB, only available in German)

Contact

Dr. Katrin Sobania

Director Department for Information and Communication Technology | E-Government | Postal Services | IT Security