Further Guidance on German IT Security Act for Determination of Critical Infrastructures in the Health, Finance and Insurance as well as Transport and Traffic Sectors

Written By

Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

Dr. Fabian Niemann

Partner
Germany

I'm a technology, copyright and data protection lawyer. My ambition is to provide the best and most suitable advice to clients and, in particular, to guide them through their technology transactions, IT and data projects in a pragmatic, solution-driven and innovative manner.

On 25 July 2015, Germany enacted the IT Security Act, which aims to improve IT security and to prevent outages of critical infrastructure facilities (see our previous newsflash for more details). The first step towards specifying which infrastructures are critical was the ordinance determining critical infrastructures in the energy, information technology and telecommunications, water and food sectors, which has been in force since 3 May 2016 (see our previous newsflash for more details). On 30 June 2017, the long-awaited amendment ordinance (“Erste Verordnung zur Änderung der BSI-Kritisverordnung”, the First Ordinance amending the BSI Critical Infrastructure Ordinance) came into force. It defines the operators of critical infrastructures in the health, finance and insurance, and transport and traffic sectors to which the Act applies (the full text can be accessed here, available only in German). Infrastructure operators should carefully assess whether they fall within the scope of the amendment ordinance so that they can comply with the incident reporting obligations and the obligation to implement IT security measures set out in the IT Security Act.

Background - Critical Infrastructures in the IT Security Act

The IT Security Act requires operators of critical infrastructure in certain sectors (energy, information technology and telecommunications, water, food, health, finance and insurance, transport and traffic) to implement minimum IT security measures and introduces a reporting scheme for IT security incidents. The Act itself contains only a generic definition of the term ‘critical infrastructure’ and empowers the Federal Ministry of the Interior to specify the critical infrastructures of each sector in a separate ordinance. The amendment ordinance covers the health, finance and insurance, and transport and traffic sectors and affects 918 critical infrastructures. The ordinance is to be reviewed two years after its entry into force and every two years thereafter.

What are Critical Infrastructures

Just like the ordinance determining critical infrastructures in the energy, information technology and telecommunications, water and food sectors, the amendment ordinance follows the three-step methodology set out in the IT Security Act. First, for each sector it defines the services that are critical and therefore require protection against IT security threats. Second, it sets out the categories of facilities that are necessary for the provision of these critical services. Third, it specifies threshold values for each critical service and facility category, so that only infrastructure that is actually ‘critical’ for the provision of the service is covered. The calculation of the threshold values and the relevant factors differ per sector (and partly also per critical service): in the health sector, for example, the threshold value for inpatient clinical care is based on the number of inpatient cases per year, while the threshold for the supply of directly life-sustaining medical devices that are consumables is based on annual turnover.

The main critical services and facility categories per sector are:

Next step - Check if your company is covered

Companies in the health, finance and insurance, and transport and traffic sectors that provide any of the above critical services and operate a relevant facility should carefully review the IT Security Act and the amendment ordinance, in particular the applicable threshold values and the calculation models provided in the ordinance. Where the relevant threshold value is met, is likely to be met, or is likely to be met in the future, they should start taking the necessary steps to comply with the obligations under the IT Security Act (see our previous newsflash for more details).
