Critical infrastructure: draft law before the summer break?

The protection of critical infrastructure – for example the power grids – has so far only been insufficiently regulated by law. The Ministry of the Interior plans to present a draft law before the summer recess. Is this realistic?

Since the Nord Stream 2 pipeline was partially destroyed by several blasts in September 2022 and rail traffic in northern Germany was paralyzed by a few cut cables in October, the protection of critical infrastructure has slipped into the center of security policy considerations. In both cases, security experts assume targeted acts of sabotage. At the latest after these attacks, it became clear: Although there have been repeated attacks on critical infrastructure and its physical components such as cables in the past, there is no federal legal framework that prescribes how the systems are to be protected.

Norbert Gebbeken, founder of the RISK (Risk, Infrastructure, Security and Conflict) research center, believes that the pressure to act is now so great that a law is absolutely necessary: ​​”We have actually been demanding for decades that we have to focus more on critical infrastructures , because we have already had critical infrastructure failures due to the natural hazards that we had, but also due to sabotage,” says the security expert. “It is now the case that the risk situation is one that could affect the entire population.”

Federal Interior Minister Nancy Faeser (SPD) also seems to have recognized the urgency. The current security policy situation, the war in Ukraine and possible Russian attacks on Germany increase the need for action. Since the beginning of the war, she has emphasized: “The protection of our critical infrastructure has the highest priority.”

The KRITIS umbrella law should fix it

In order to better protect the critical infrastructure, Nancy Faeser announced the so-called KRITIS umbrella law. The drafting of the law had already been agreed in the coalition agreement in 2021. This is the first time that the physical protection of critical infrastructure is to be regulated by law nationwide.

An important step, because most of the critical infrastructure is in private hands, estimates Martina Renner, member of the Bundestag for the left and chairwoman of the interior committee. “We have experienced privatization in many parts over the past few decades under the neoliberal dictate. Not just at Deutsche Bahn, but also in telecommunications and the power supply,” said the left-wing politician. “And if the state’s task of protecting this infrastructure is now to be increased, it is of course a problem that it is in private hands in so many places and is then also difficult to control.”

So far, the operators have largely decided for themselves how much they invest in protecting and controlling the physical security of the systems. Nationwide uniform standards, legal requirements are missing. Security gaps can arise as a result of individual misjudgments by private operators of railway safety systems or the power supply. The Greens are demanding that these gaps must be closed as quickly as possible.

Konstantin von Notz, security expert for the Greens parliamentary group and chairman of the control body for the intelligence services, explains rbb24 research: “We have seen that we have problems in this area, with the sudden concerted attacks on the infrastructure of Deutsche Bahn, with the attack on the Nord Stream infrastructure. There is a war of aggression in the middle of Europe.” Reason enough to act quickly.

So far only declarations of intent

The coalition agreement still said quite vaguely: “We are bundling the physical protection of critical infrastructures in a KRITIS umbrella law.” In December 2022, general cornerstones of the law were then adopted, including goals such as mandatory risk assessments, minimum standards for operators and central fault monitoring. But when will these cornerstones become law?

On request, the Federal Ministry of the Interior announced: “The work on the KRITIS umbrella law is running at full speed and has high priority for Federal Interior Minister Nancy Faeser.” A draft law is to be introduced to the cabinet before the summer break. In view of this schedule, Konstantin von Notz and the Greens are “happy” that “the previous slumber finally seems to have come to an end”.

At the same time, von Notz considers the minister’s plan to be “ambitious”. “It remains to be seen whether, given the complexity of the matter, it can actually be complied with,” says the security expert. “We have big question marks, not least against the background of the commitment by the Federal Ministry of the Interior to want the associations to be fully involved in legislation.”

Deadline end of 2024?

The Ministry of the Interior, on the other hand, says that the planned KRITIS umbrella law will also take new EU regulations into account, which are intended to improve the security of critical infrastructure in all EU countries and harmonize the requirements across the EU. Germany actually has until the end of 2024 to implement them accordingly. According to the ministry, this should now happen earlier.

But the Federal Ministry of the Interior could have gone much further, says Manuel Atug, security expert and spokesman for the working group on critical infrastructures. Because the content of the EU guidelines has long been known: “The construction plan is actually already clear,” says the expert. “If you want to, you could push ahead with harmonization now.” For example, you could have exchanged views with the experts a long time ago. “We’re all waiting,” says Atug.