Further Guidance on German IT Security Act – Ministerial Draft Ordinance for Determination of Critical Infrastructures in the Energy, IT and Communications, Water and Food Sectors

By Dr Fabian Niemann, Sven-Erik Heun, Dr Matthias Lang, Sebastian Hinzen


In July 2015 Germany enacted the IT Security Act which aims to improve IT security in certain industry sectors to prevent breakdowns of critical infrastructure facilities (please see our previous newsflash for more details). With this piece of legislation Germany forestalled the EU Network and Security Directive (“NIS” or “Cybersecurity” Directive) which also requires minimum IT security requirements and a reporting scheme for security incidents. The operators of critical infrastructure to which the Act shall apply are still to be defined in ordinances for the relevant industry sectors.

On February 5, 2016, the Federal Ministry of the Interior now published a draft ordinance for determination of critical infrastructures in the energy, information technology and communications, water and food sectors (full text can be accessed here, available only in German). Infrastructure operators in these sectors should carefully assess the draft bill which is expected to be issued without material changes in the next months and follow the legislative procedure. Once the ordinance is enacted, they will have to comply with the reporting and IT security measure implementation obligations set out in the IT Security Act.

Background - Critical Infrastructures in the IT Security Act

The IT-Security Act requires operators of critical infrastructure in certain industry sectors (energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance) to implement minimum IT security measures and introduces a reporting scheme for IT security incidents. The IT Security Act only contains a generic definition of the term ‘critical infrastructure’ and empowers the Federal Ministry of the Interior to specify critical infrastructures per sector in a separate ordinance. The draft ordinance which has now been published covers the sectors energy, information technology and communications, water and food and shall be revised after 4 years. Ordinances for the remaining sectors are expected by the end of 2016 (health, banking and insurance) and beginning of 2017 (transport and traffic).

What are Critical Infrastructures?

The draft ordinance follows the three-step methodology set out in the IT Security Act. It first defines, per sector, services that are critical and therefore require protection against IT security threats. Most of these services had already been mentioned in the Federal Government’s reasoning to the Draft IT Security Act. In a second step, it sets out facility categories that are necessary for the provision of these critical services. The ordinance defines ‘facilities’ as ‘operating plants and other stationary facilities or machinery, equipment and other stationary technical facilities which are required to provide the critical service’. Third, the ordinance contains threshold values for each critical service and facility category with the aim of ensuring that only infrastructure considered ‘critical’ for the provision of the service are covered. The calculation of the threshold values and the relevant factors differ per sector (and partly also per critical services), e.g. in the energy sector the threshold value for power generation relates to installed capacity, while for telecommunications networks it relates to the number of network participants.

The main critical services and facility categories per sector are:

 Sector   Critical Service  Facility Categories 
Energy Power supply Power generation plants, distributed generation plants, transmission networks, storage facilities, central facilities and systems for power trading, facilities of pool providers, distribution networks, measuring systems
Gas supply Gas production installations, transmission networks, gas storage facilities, gas distribution networks
Fuel and heating oil supply Oil production installations, refineries, oil transmission networks, oil storage facilities, facilities and systems of aggregators for fuel distribution, petrol station networks
District heating supply Heating plants, thermal power stations, district heating systems
Information Technology & Communications Voice and data transmission Public telephone networks, public telecommunications networks, telecommunication lines, transmission lines, site links, Internet Exchange Points (IXPs), DNS-Resolvers outside of access networks, authoritative DNS-Servers, IP registration data bases (RIR)
Data storage and processing  Data centers, server farms, trustcenters, content delivery networks
 Food Food supply Facilities for production of agricultural products, for processing of agricultural raw materials and for production of food/groceries, for storage of food/groceries, for ordering of food and raw materials for food production, for selling of food, for distribution
 Water Sewage disposal Sewerage, purification plants, transmission facilities
Drinking water supply Extraction plants, water distribution system, water works, processing plant, transmission facilities

The reasons to the draft bill contain additional explanations on the above services and facilities.

Next step - Check if your company is covered

Companies in the energy, information technology and communications, water and food sectors that provide any of the above critical services and operates a relevant facility should carefully review the IT Security Act and the draft ordinance, in particular the applicable threshold values and calculation models provided in the ordinance. In case the relevant threshold value is (likely or in the future will likely be) met, they should start taking the necessary precautions to comply with the new obligations under the IT Security Act.

Please contact us in case you need any additional information or assistance with compliance to the new requirements.