10 August 2022

Critical Infrastructure Protection 2022: Why Operators of Critical Infrastructure Must Act Now

Energy suppliers, hospitals, water utilities – critical infrastructure is increasingly targeted by cyberattacks. The IT Security Act 2.0 tightens legal obligations. Yet many operators of critical infrastructure still fall short of the required standards.

TL;DR

  • IT Security Act 2.0 in force: Stricter obligations for operators of critical infrastructure have applied since May 2021.
  • Deadline approaching: Systems for attack detection (SzA) must be implemented by May 2023.
  • BSI reporting obligation: Significant disruptions must be reported to the BSI (Federal Office for Information Security) within hours.
  • New sectors added: Waste management and the defence industry have been designated as critical infrastructure sectors.
  • Underfunded: Many municipal utilities and local service providers lack a dedicated security budget.

Escalating Threat Landscape

According to the BSI’s 2021 threat assessment report, the number of cyberattacks targeting critical infrastructure doubled compared to the previous year. Particularly affected sectors include healthcare (e.g., University Hospital Düsseldorf, Wolfenbüttel Hospital), energy (e.g., the Colonial Pipeline attack in the U.S.), and local government administrations (e.g., Anhalt-Bitterfeld district). The conflict in Ukraine has further intensified this threat landscape.

What the IT Security Act 2.0 Requires

The IT Security Act 2.0 significantly expands obligations for operators of critical infrastructure. Core requirements include implementing systems for attack detection (SzA) by May 2023; expanded incident reporting duties; mandatory use of BSI-certified products in specific areas; and biennial compliance attestations submitted to the BSI. In addition, critical components from untrusted vendors may be banned.

Where Critical Infrastructure Operators Stand Today

Reality remains bleak across many municipal utility companies. Municipal utilities with just a few hundred employees often lack an in-house IT security department. Operational technology (OT) systems used in water or energy supply run on outdated software that cannot be patched. And the deadline for deploying attack-detection systems looms ever closer – yet many operators have not even begun implementation. Managed Security Service Providers (MSSPs) can offer a viable solution here.

Key Facts at a Glance

Critical Infrastructure Sectors: 11 (Energy, Water, Food, IT/Telecom, Healthcare, Finance, Transport, Media, Public Administration, Waste Management, Defence)

SzA Deadline: 1 May 2023

BSI Reporting Obligation: Immediately – and no later than 24 hours – for significant disruptions

Compliance Attestation Cycle: Every two years, submitted to the BSI

Source: IT Security Act 2.0, BSI Ordinance on Critical Infrastructure, 2022

Fact: The NIS2 Directive expands the scope of sectors subject to critical infrastructure obligations – from 7 to 18.

Fact: According to ENISA’s 2024 report, attacks on critical infrastructure rose by 38 percent year-on-year.

Frequently Asked Questions

What are systems for attack detection (SzA)?

SzA comprise technical solutions such as SIEM platforms, intrusion detection/prevention systems (IDS/IPS), and anomaly detection tools that identify and report cyberattacks in real time. The IT Security Act 2.0 mandates their deployment by May 2023. The BSI has published guidance defining three maturity levels for SzA implementation.

Which companies qualify as critical infrastructure operators?

Operators of critical infrastructure are enterprises operating in any of the 11 designated sectors that exceed defined thresholds – for example, a water utility producing at least 22 million cubic meters annually; a hospital handling at least 30,000 inpatient cases per year; or an energy supplier serving at least 420,000 customers. Exact thresholds are specified in the BSI Ordinance on Critical Infrastructure.

What happens if obligations are not met?

The IT Security Act 2.0 raises the maximum administrative fine to €2 million. For serious violations, the BSI may issue binding orders – including restrictions on operations. Moreover, executives face potential liability risks if critical infrastructure obligations remain unfulfilled.

How can small municipal utilities meet these requirements?

Managed Security Service Providers (MSSPs) offer SOC-as-a-Service and Managed Detection and Response (MDR) solutions – cost-effective alternatives to building internal security teams. Industry associations such as the BDEW also provide sector-specific standards and ready-to-use templates.

Does the IT Security Act 2.0 apply to suppliers of critical infrastructure operators?

Indirectly, yes. Critical infrastructure operators must ensure the security of their supply chains, and suppliers of critical components may be audited by the BSI. In practice, suppliers serving critical infrastructure customers must therefore meet elevated security standards – even if they themselves are not formally classified as critical infrastructure (KRITIS) operators.

Further Reading Across Our Network

Critical Infrastructure and Cloud Security on cloudmagazin: cloudmagazin.com

Managed Security Services for SMEs on mybusinessfuture: mybusinessfuture.com

Critical Infrastructure Compliance as a Boardroom Issue on Digital Chiefs: digital-chiefs.de

Header Image Source: Pexels / Efe Burak Baydar

About the author: Tobias Massow

A magazine by Evernine Media GmbH