2026-01-01 VDE dialog

Digital Fronts

Critical infrastructures are the Achilles’ heel of modern states in hybrid wars and therefore require special protection. New legal regulations provide the framework, but now implementation is key. Cybersecurity thus becomes a shared, ongoing responsibility for the state, operators, and various companies along the supply chains.

By Martin Schmitz-Kuhl

Fighter jets in Lithuanian and Estonian airspace. Drone sightings over military facilities in Denmark and Germany. Repeated acts of sabotage, espionage incidents, disinformation campaigns, and not least: cyberattacks. News about alarming incidents, for which – more or less proven – Putin’s Russia is held responsible, are now almost daily occurrences. Europe, according to the unanimous assessment of all German intelligence services, is already in a gray zone between war and peace. At best, one can speak of an “icy peace that can flare up into hot confrontation at any point”, as BND President Martin Jäger puts it. What makes the situation even more difficult: Europe can no longer reliably count on the protective hand of the big brother across the Atlantic. Under Donald Trump, the USA has itself become a factor of uncertainty in world politics.

Particularly in need of protection in this heightened threat landscape are so-called critical infrastructures (KRITIS), i.e., facilities and systems that are indispensable for the functioning of society – such as the supply of energy, water, food, or medical services. Their failure or impairment could have serious consequences, including supply shortages or disruptions to public safety affecting many people. “Critical infrastructures are the backbone of our society. Their protection is a central task of national security,” the German National Security Strategy, published in June 2023, already states.


Figure: Reported disruptions from operators of critical infrastructures by sector (Source: BSI Situation Report, Q3/2024-Q2/2025)

The Federal Office for Information Security (BSI) is primarily responsible for this area. It is Germany’s central cybersecurity authority, monitoring IT security in critical sectors, issuing warnings, coordinating preventive measures, and developing technical standards and recommendations for KRITIS operators. Each year, the office also publishes a report on the state of IT security, most recently on November 11 last year. The assessment remains the same: “The overall situation remains tense,” said BSI President Claudia Plattner when presenting the report. “With regard to improving cybersecurity in Germany, we still have a long way to go.”

IT Security: “Germany must do significantly better”


Companies are on a good path with their measures to improve IT security, but they are still far from reaching the goal — says Christine Hofer, Head of the Cybersecurity Division for Critical Infrastructures at the BSI.

Interview: Martin Schmitz-Kuhl


However, there is also positive news to report. At long last, the legal framework for KRITIS protection is being fundamentally reorganized. The first measures of the Cyber Resilience Act (CRA) have to be applied starting this year. In addition, with the NIS2 Implementation Act and the KRITIS Umbrella Act, the German government launched two key legislative projects in the summer of 2025 that are expected to fundamentally improve the level of cybersecurity in Germany (although at the editorial deadline they had not yet been passed by the Bundestag and Bundesrat).

With the transposition of the NIS2 Directive into national law, the BSI will become the supervisory authority for significantly more companies than before. Until now, only around 4,500 entities were covered: operators of Critical Infrastructures, providers of digital services, and companies of special public interest. With the expansion, the agency will in the future oversee an additional 25,000 companies, for whom new legal IT security obligations will apply. These companies will be required to register, report significant security incidents, and implement technical and organizational risk management measures. These include, among others, risk analyses, concepts for handling security incidents, supply chain security, training and awareness-raising measures, multi-factor authentication, and secure communication. In addition, the NIS2 Directive elevates cybersecurity to a top management responsibility: executive leadership of affected entities is required to implement risk management measures, oversee their implementation, and receive training on assessing and managing cyber risks.

While the legal framework is becoming increasingly clear, the real challenge remains in practice: the organizational and cultural transformation within companies themselves. This is highlighted by Paul Weissmann from OpenKRITIS, an initiative focused on protecting Critical Infrastructures and fostering exchange between government, industry, and research. Many companies, he says, still rely on short-term measures or only take action after an incident, instead of understanding cybersecurity as an ongoing process. “The biggest weakness at the moment is implementation. It’s not about doing something for your cyber defense once and then being done. Cyber defense is a permanent task that requires structures to be changed and regularly adapted,” Weissmann emphasizes.

With this, he addresses a key issue: although laws and regulations like NIS2 or the IT Security Act 2.0 now require operators to introduce an Information Security Management System (ISMS) and a Business Continuity Management System (BCMS), companies often lack resources, expertise, or sufficient prioritization at the management level. Weissmann therefore calls for more decisive action on both sides — companies, which must adapt their processes and responsibilities, and policymakers, who must implement regulations more consistently while also supporting them in a more practical manner. Only then can formal compliance develop into genuine cyber resilience.

VDE dialog 1/2026 "VDE Defense: Turning point"


With a new division, VDE is responding to the threat landscape. How quickly Europe becomes capable of defense is also a technological question.

By Martin Schmitz-Kuhl


That KRITIS cybersecurity is no longer seen solely as the responsibility of the respective operators is perhaps the most important aspect of the new legal regulations, says Weissmann — and Andreas Harner, Head of the CERT@VDE and DKE Cybersecurity departments, agrees. This is because cybersecurity begins wherever the technical foundations of such systems are created: in industry, with the manufacturers and suppliers who provide components, control systems, and software.

“For a long time, many companies believed they could simply pass this responsibility on to the operators,” says Harner. But this way of thinking simply no longer works today. “Everyone is part of a supply chain — and therefore also part of the responsibility for cybersecurity.” Critical infrastructures consist of highly complex, tightly interconnected systems made up of countless digital building blocks. If even a single component contains a vulnerability, it can have far-reaching consequences for the entire supply chain — including at the very end of that chain, within KRITIS itself.

It is precisely at this intersection between technology and responsibility that the Cyber Resilience Act (CRA) comes into play, explains Prof. Dr. Dennis-Kenji Kipker, Legal Advisor at CERT@VDE. It obliges manufacturers to disclose security vulnerabilities and maintain their products throughout their entire life cycle. “In many cases, it is exactly this digital supply chain that is increasingly and deliberately compromised during attacks,” says Kipker. Because: “Why would I choose a highly regulated critical infrastructure as my attack target when I can achieve the same effect with a much less complex attack on a supplier somewhere in its digital supply chain?”

And this is by no means limited to classic IT components, but also includes what is known as Operational Technology (OT) — systems that control or monitor physical processes, such as in energy plants, factories, chemical parks, or waterworks. “Every system is built differently, with a wide variety of manufacturers, components, and long life cycles,” Harner explains. “This diversity makes securing them particularly challenging, because unlike in classic IT, patches and updates cannot simply be rolled out.” This is why CERT@VDE was founded around ten years ago as a joint project by VDE, BSI, and industrial companies. When a security vulnerability is discovered and reported in an OT system, VDE experts examine the report, assess the affected components, and prepare structured warnings — so-called advisories. These are prepared in a way that enables manufacturers, operators, and other stakeholders to act quickly and in a targeted manner. The system thus creates a standardized flow of information that prevents critical vulnerabilities from remaining unnoticed or being fixed too late. “The goal is to ensure that cybersecurity is not left to chance, but established as an integral part of industrial responsibility,” says Harner.

Cybersecurity "Everyone Has to Do Their Part"


To better protect critical infrastructure in Germany, responsibility does not lie solely with operators — says Andreas Harner, Head of CERT@VDE & DKE Cybersecurity.

Interview: Martin Schmitz-Kuhl
