Further Guidance on German IT Security Act for Determination of Critical Infrastructures in the Health, Finance and Insurance as well as Transport and Traffic Sectors

By Dr Fabian Niemann, Natallia Karniyevich


On 25 July 2015, Germany enacted the IT Security Act which aims to improve IT security and to prevent breakdowns of critical infrastructure facilities (see our previous newsflash for more details). The determination of critical infrastructures in the energy, information technology and telecommunications, water and food sectors in the ordinance, which has been in force since 3 May 2016, was the first step towards the specification of critical infrastructures (see our previous newsflash for more details). On 30 June 2017, a long awaited amendment ordinance (“Erste Verordnung zur Änderung der BSI-Kritisverordnung”) came into force, defining operators of critical infrastructures to which the Act shall apply in the health, finance and insurance, transport and traffic sectors (full text can be accessed here, available only in German). Infrastructure operators should carefully assess whether they fall under the scope of this amendment ordinance to be able to comply with the reporting and IT security measure implementation obligations set out in the IT Security Act. 

Background - Critical Infrastructures in the IT Security Act

The IT Security Act requires operators of critical infrastructure in certain industry sectors (energy, information technology and telecommunications, water, food, health, finance and insurance, transport and traffic) to implement minimum IT security measures and introduces a reporting scheme for IT security incidents. The IT Security Act only contains a generic definition of the term ‘critical infrastructure’ and empowers the Federal Ministry of the Interior to specify critical infrastructures per sector in a separate ordinance. The amendment ordinance covers the health, finance and insurance, transport and traffic sectors, affecting 918 critical infrastructures. The ordinance shall be revised 2 years after its entry into force and every 2 years thereafter.

What are Critical Infrastructures?

Just like the ordinance for the determination of critical infrastructures in the energy, information technology and telecommunications, water and food sectors, the amendment ordinance follows the three-step methodology set out in the IT Security Act. First, for each sector it defines the services that are critical and therefore require protection against IT security threats. Second, it sets out the facility categories that are necessary for the provision of these critical services. Third, the ordinance contains threshold values for each critical service and facility category, with the aim of ensuring that only infrastructure considered ‘critical’ for the provision of the service is covered. The calculation of the threshold values and the relevant factors differ per sector (and partly also per critical service): in the health sector, for example, the threshold value for clinical health care relates to the number of inpatient (full-stationary) cases per year, while for the supply of directly life-sustaining medical products that are consumer goods it relates to the annual turnover.

The main critical services and facility categories per sector are:

Next step - Check if your company is covered

Companies in the health, finance and insurance, transport and traffic sectors that provide any of the above critical services and operate a relevant facility should carefully review the IT Security Act and the amendment ordinance, in particular the applicable threshold values and calculation models provided in the ordinance. If the relevant threshold value is met, is likely met, or will likely be met in the future, they should start taking the necessary precautions to comply with the obligations under the IT Security Act (see our previous newsflash for more details).