Cybersecurity in Critical Infrastructure: Why Companies must act now

The growing digitalization, rising geopolitical risks, and increasing reliance on interconnected systems are posing major challenges for critical infrastructure (KRITIS) in Germany. Power and gas grids, water treatment facilities, hospitals, and many other sectors that form the backbone of our society must not only ensure high technical availability but also be protected against cyberattacks and physical threats.

Lawmakers have responded: A host of existing regulations, along with new EU directives, are creating far-reaching obligations for companies—obligations that will soon apply almost universally.

Published on June 3, 2025

From Patchwork to Framework: The current Legal Landscape in Germany

Since 2015, the BSI Act (BSIG) has served as the central legal foundation for IT security in critical infrastructure. It requires operators to implement measures “in line with the state of the art” and to demonstrate their effectiveness to the BSI every two years. The BSI-Kritis Regulation defines which companies fall under the scope of KRITIS, based on sector-specific thresholds. In the energy sector, an additional IT Security Catalog issued by the Federal Network Agency mandates a certified Information Security Management System (ISMS) in accordance with ISO 27001.

However, a comprehensive overarching law has so far been lacking, resulting in a fragmented regulatory landscape. This patchwork is now expected to be resolved through new EU directives and corresponding national implementation measures.

NIS2 and the KRITIS Umbrella Act: The New Wave of Compliance

In late 2022, the EU adopted new requirements through the NIS2 and CER directives. Germany is implementing these via two laws: the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) and the KRITIS Umbrella Act (KRITIS-DachG). These laws introduce:

  • Expanded obligations for IT security (e.g., threat detection systems, mandatory incident reporting)
  • Standardized rules for the physical protection of critical facilities (e.g., access control, redundancy)

Although the EU’s deadline for implementation was October 2024, Germany is lagging behind. However, both laws are expected to be passed by 2026 at the latest. The first effects are already being felt: Since May 2023, KRITIS operators have been required to implement a threat detection system (e.g., SIEM).

What does this mean for Energy Providers?

Current Obligations Already in Effect:

  • ISO 27001-certified Information Security Management System (ISMS), with regular recertification
  • Mandatory reporting to the BSI (Federal Office for Information Security)
  • Obligation to report IT disruptions and cyberattacks
  • 24/7 accessible point of contact
  • Fines of up to €20 million or 4% of annual revenue

New Requirements Under NIS2:

  • Risk management for information security
  • Emergency response and business continuity planning
  • Cybersecurity requirements for supply chains
  • Mandatory incident reporting within 24 hours, followed by interim and final reports
  • Required processes for incident detection and escalation

The KRITIS Umbrella Act Introduces:

  • Mandatory registration and designation of official points of contact
  • Risk assessments and resilience planning (e.g., natural disasters, sabotage)
  • Technical (e.g., access control) and organizational protective measures (e.g., training, drills)
  • Reporting obligations for physical security incidents as well
  • Fines of up to €1 million

Practical Implementation: What Companies should do now

1. Governance and Structure: Building a resilient Cybersecurity Organization

Effective security governance starts with clearly defined responsibilities. Appoint at least two Information Security Officers (ISOs) formally—this is also recommended by Germany’s Federal Office for Information Security (BSI)—to ensure redundancy in case of absence. These individuals are responsible for implementing IT security policies and serving as key points of contact for regulatory authorities.

Involve top management directly in your risk management strategy. Executives and board members must not only be held accountable but also fully understand their legal obligations. Provide targeted training to ensure leadership is aware of their duties and can respond appropriately in the event of an incident.

Implement an Information Security Management System (ISMS) to systematically structure your security processes. This includes regular risk assessments, the establishment of binding policies, and continuous monitoring. Many energy providers rely on ISO 27001 or the BSI IT-Grundschutz framework to meet regulatory requirements and demonstrate alignment with the state of the art.

Document every security-related action thoroughly. This not only fulfills legal proof requirements but also ensures that audit reports, certifications, and supporting documents are readily available when needed. The BSI may request this documentation every two years—or sooner if necessary.

Additionally, under the KRITIS Umbrella Act, you should develop a physical security concept. Coordinate incident reporting procedures with local authorities and conduct regular joint crisis drills with police and emergency services. This ensures that security is embedded not just technically, but also organizationally across your operations.

2. Risk & Compliance: Turning NIS2 and KRITIS into actionable plans

Start by conducting a gap analysis to compare your current security posture with the new requirements set out by NIS2 and the KRITIS Umbrella Act. This will help you quickly identify areas of non-compliance and implement targeted “quick wins” to meet the legal minimum standards.

Review your suppliers and service providers, particularly in light of the required supply chain security measures. Identify which external partners are critical to your IT operations. Where necessary, amend contracts to ensure these partners are held to binding security standards.

Create or update emergency plans that address specific scenarios such as power outages or cyberattacks. Regularly test your backup and recovery procedures to ensure operational continuity in the event of a crisis.

NIS2 introduces very short reporting deadlines. Establish internal processes that enable your team to report security incidents to the BSI within 24 hours. This includes early detection of potential threats, structured incident assessment, and clear communication protocols.

Define clear escalation paths: determine who is responsible for decision-making, reporting, and which information must be communicated. Prepare reporting templates in advance and document responsibilities in writing—ideally in an Incident Response Plan or your Security Policy. This ensures your organization can respond swiftly and in full legal compliance during a security event.

3. Securing IT and OT: Implementing effective Technical Safeguards

Adopt a defense-in-depth strategy to protect your systems across multiple layers. Focus on modern technologies that safeguard both your IT and OT infrastructures—this dual approach is especially critical for municipal utilities and energy providers.

Deploy a Security Information and Event Management (SIEM) system to collect, correlate, and analyze all security-relevant log data. This enables early detection of cyberattacks. In addition, operate or outsource a Security Operations Center (SOC) to monitor alerts around the clock and respond to incidents in real time.

Integrate your IT and OT monitoring to detect targeted attacks on SCADA and control systems. For municipal utilities, this linkage is essential to ensure the availability of critical operational systems.

Implement a strict Zero Trust architecture. Segment your networks, enforce the principle of least privilege, and require multi-factor authentication for all administrative accounts and external connections. These measures significantly reduce the risk of lateral movement by attackers.

Establish centralized patch management to ensure that critical updates are applied promptly. Maintain a complete asset inventory—undiscovered or unmanaged systems pose a serious security risk.

Secure your software development processes: adopt secure coding practices, conduct regular code reviews, and carry out penetration testing. This ensures your custom applications meet NIS2 security requirements.

Enforce strong encryption—for both data in transit and data at rest. Use robust cryptographic standards and secure communication channels to comply with the “state of the art” security requirements.

Don’t overlook physical security: control access to server rooms and substations, install surveillance cameras and alarm systems, and ensure redundant power supply and climate control. These physical safeguards are integral to your overall resilience strategy under the KRITIS Umbrella Act.

4. Emergency Management and Drills: Responding to Crises with Structure and building Resilience

An effective emergency and crisis management program is a cornerstone of any robust security strategy. Develop a comprehensive plan that outlines clear procedures for IT outages, cyberattacks, and physical damage scenarios. Use well-established frameworks like BSI Standard 200-4 or ISO 22301 as guides for building structure and content.

Prepare an up-to-date emergency plan that covers all key components: alerting lists, communication protocols, and recovery procedures for critical services. Be sure to address both internal and external communications, including public relations strategies for managing public disclosure, if necessary.

Regularly conduct realistic emergency drills and penetration tests to assess the effectiveness of your preparedness efforts. Simulate industry-specific scenarios—for example, power grid blackouts or targeted attacks on control centers—to uncover vulnerabilities early and improve response capabilities in a practical way.

NIS2 explicitly requires organizations to systematically evaluate the effectiveness of their risk management practices. Apply the proven PDCA cycle (Plan-Do-Check-Act) within your ISMS to ensure continuous improvement, incorporate lessons learned, and refine your processes over time.

Additionally, actively participate in sector-specific early warning and situational awareness platforms. For example, join the Alliance for Cyber Security or the UP KRITIS public-private partnership. These networks provide valuable access to BSI early warnings and status reports—an essential information source for critical infrastructure operators.

Make sure such alerts are routed quickly to the appropriate internal channels—whether to a 24/7 monitoring inbox or directly to your SOC. Clearly define who evaluates incoming warnings and who is authorized to initiate immediate countermeasures.

Use insights gained from drills and actual incidents to systematically improve your emergency procedures. This not only ensures effective response in a real crisis but also strengthens your organization’s long-term resilience in a meaningful and sustainable way.

5. Workforce and Awareness: Empowering People, strengthening Security

The human factor remains one of the most critical aspects of cybersecurity. That’s why it’s essential to build dedicated cybersecurity expertise—either by developing an in-house IT security team or by bringing in external professionals. For smaller municipal utilities, it may be more efficient to share SOC services or purchase external consulting to pool knowledge and capabilities.

Regular IT security training for all employees is equally important. Focus particularly on awareness programs that sharpen understanding of threats like phishing and social engineering—still among the most common attack vectors. Well-trained staff are your first line of defense.

Leadership and executive management must also take their responsibilities seriously. Organize targeted training for top decision-makers to ensure they understand their legal obligations. The NIS2 directive explicitly emphasizes the personal accountability of senior management—in cases of gross negligence, this may even lead to personal liability. That makes informed and prepared leadership not just advisable, but essential.

At the same time, aim to establish a security-minded company culture where everyone sees cybersecurity as a shared responsibility. Encourage employees to report vulnerabilities or security incidents without fear of blame. Only when security is embedded in day-to-day thinking can a high level of protection be sustained over the long term.

To clarify roles and responsibilities, formally designate and separate key functions, such as:

  • a Data Protection Officer for GDPR-related topics
  • an Information Security Officer for technical protection measures
  • distinct IT and OT security teams
  • an Emergency Coordinator empowered to make rapid decisions in crisis situations

Document these roles transparently in internal policies, organizational charts, or responsibility matrices. This ensures your security structure remains effective—even under pressure. And in today’s high-risk environment, that level of preparedness is more vital than ever.

Conclusion

The interplay between the BSI Act, NIS2, and the KRITIS Umbrella Act not only brings new obligations but also demands a fundamental strategic shift. Companies, especially energy providers and municipal utilities, must act now to set the course for the future.

Those who move early not only ensure regulatory compliance but also strengthen their resilience against an increasingly complex threat landscape. Proactive action today lays the groundwork for secure and reliable operations tomorrow.
