  • Interview
  • KRITIS
  • OT Security

Critical infrastructure umbrella act, NIS-2 and Cyber Resilience Act

Holger Berens has been advising international companies and critical infrastructures in all areas of compliance and security management for over 35 years. He is Managing Partner of Concepture Gruppe GmbH, responsible for information security and BCM. As Chairman of the Board, he works for the Federal Association for the Protection of Critical Infrastructures (BSKI) and answers questions about KRITIS in this interview.

In the IT Security Talk of February 27, 2025, Holger Berens spoke to us about critical infrastructures.

His contribution was so well received that we were able to get Berens on board for an additional interview, in which he answers questions from our IT Security community.


What news can you report from the legal environment?

I am very pleased that there is so much interest in the entire legal framework, which is also essential for us and for all critical infrastructures and SMEs. What's new? On March 18, there was a vote on the amendment to the Basic Law in the area of special assets. The debt brake will be relaxed if the investment exceeds 1% of the gross domestic product. However, the current Bundestag has not managed to transpose the directives on physical security (CER-2) into national law. The principle of discontinuity means that the new Bundestag cannot simply continue the work of the old one, which could lead to delays.


How do you assess the conditions for German companies compared to the international environment? Keyword: competitiveness of German industry.

The minimum protection standards for security are comparable within the EU. Similar standards also exist in the USA, such as the Cyber Resilience Act and the requirements of the Securities and Exchange Commission. It is important that companies avert risks and establish appropriate risk management and IT management. I see the legal requirements as positive and necessary for the security and stability of companies.


The next question relates to the thresholds for providers such as value-added resellers, cloud service providers and data centre providers. How do these fit in with the thresholds?

The critical infrastructure umbrella act relates to physical security and only affects operators of critical systems that reach certain thresholds. The NIS 2 Directive, on the other hand, has no thresholds, but the Size Cap Rule, which applies from 50 or more employees. Companies must also ensure the security of their supply chain, especially if they have customers from critical infrastructures.


Keyword Cyber Resilience Act. Are harmonised standards being sought for compliance?

Yes, harmonised standards are being sought. Products with digital elements must comply with the CRA measures, which simplifies the definition of the state of the art.


What would you say about the state of the art in terms of physical access protection for 60,000 kilometres of track or facilities in the track area?

It is impossible to fully monitor or fence thousands of kilometres. Operators should prioritise which routes are most important in the event of a crisis and ensure redundancies to maintain supply.


Are companies overwhelmed by the multitude of laws and regulations?

Many companies are overwhelmed by the multitude of laws and regulations. However, these regulations are necessary to ensure the security and survival of companies. The implementation of the laws is based on the ISO 27001 standard and requires a sound management system.


How are conformity assessment bodies audited?

Conformity assessment bodies such as TÜV and DEKRA are controlled by the BSI and must demonstrate appropriate qualifications. These bodies are audited for quality and expertise.


Can you tell us about the Commission's NIS-2 Implementing Regulation on critical facilities and networks?

The implementing regulation is in force and sets minimum risk management requirements for providers of digital infrastructures and services. You can find more information on the BSI website or at Open Critical Infrastructure.


Are there tools that offer cyber-attack statistics, threat analysis and risk quantification all in one?

Yes, there are such tools, especially in the field of artificial intelligence and predictive analytics. I recommend googling for such tools, as I don't want to name any specific products.


Do you have any final words?

My big appeal: don't be afraid of implementing the law. It's not as bad as it might look in the legal text. It can be implemented appropriately. Don't be afraid and do it.