Headlines such as "Attack on power line in Brandenburg 2024: Tesla plant shut down for a week, numerous households affected" highlight the increasing threat posed by targeted attacks on critical infrastructure. Cyberattacks and physical sabotage against operators of utility networks and municipalities are on the rise, and it is expected that these risks will continue to grow.

In response to EU regulations, Germany has adopted two key directives aimed at strengthening the protection of critical infrastructure and shielding operators from liability risks.

The law implementing NIS2 (Network and Information Security) and strengthening cybersecurity (“NIS2UmsuCG”) requires companies to introduce comprehensive risk management measures in the area of cybersecurity

The Critical Entities Resilience (CER) Directive, implemented through the General-Critical-Infrastructure-Statute (“KRITIS-Dachgesetz”) as agreed in the coalition agreement, introduces the first cross-sectoral requirements for the physical protection of critical infrastructure. Operators are now obliged to take appropriate technical, security-related, and organizational measures to ensure their resilience. These measures must be based on risk analyses and assessments that consider both state regulations and internal evaluations, while also adhering to current technological standards.

The presentation will examine this legal framework and demonstrate how operators of critical infrastructure, with a focus on Germany, can respond to these new challenges.

Keywords: critical infrastructure protection, NIS-2 Directive, CER Directive, cybersecurity risk management, physical security measures, resilience of critical entities