{"id":22074,"date":"2026-07-11T10:12:00","date_gmt":"2026-07-11T10:12:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/11\/weakest-supplier-opens-critical-facility\/"},"modified":"2026-07-13T21:21:15","modified_gmt":"2026-07-13T21:21:15","slug":"weakest-supplier-opens-critical-facility","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/weakest-supplier-opens-critical-facility\/","title":{"rendered":"Weakest Supplier Opens Critical Facility"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">7 Min. reading time<\/p>\n<p><strong>A maintenance technician with a factory ID and remote access is not a guest at a substation or wastewater treatment plant. They are part of the attack surface. Since March 17, 2026, the KRITIS umbrella law has made this view mandatory: Anyone operating a critical infrastructure is responsible for the reliability of their suppliers, just like their own.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">New framework for the physical side.<\/strong> The KRITIS umbrella law implements the EU CER directive and regulates the resilience of critical infrastructures at a federal level for the first time. It complements the IT obligations from NIS2 without replacing them.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">The supplier is within the scope.<\/strong> Suppliers and service technicians with physical or digital access are subject to the same integrity and reliability requirements as their own employees.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">The deadline starts in July.<\/strong> From July 17, 2026, operators will register on the joint platform of the BBK (Federal Office of Civil Protection and Disaster Assistance) and the BSI (Federal Office for Information Security), at the latest three months after being classified as a critical infrastructure.<\/li>\n<li><strong style=\"color:#69d8ed;\">Control instead of snapshot.<\/strong> A one-time supplier audit does not close the vector. Access, access rights, contracts, and restarts must continuously include the supply chain.<\/li>\n<\/ul>\n<\/div>\n<p style=\"border-top:1px solid rgba(230,227,218,0.14);border-bottom:1px solid rgba(230,227,218,0.14);padding:14px 0;margin:28px 0;font-size:0.92em;color:#b8c5ce;\"><strong style=\"color:#69d8ed;\">Related:<\/strong> <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/06\/the-cyber-resilience-act-also-impacts-your-existing-systems\/\">The Cyber Resilience Act also affects your inventory<\/a> &nbsp;&middot;&nbsp; <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/27\/supervisory-board-reporting-key-figures\/\">Five key figures that the supervisory board really understands<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What the Critical Infrastructure Protection Act Changes in the Supply Chain<\/h2>\n<p>The KRITIS Protection Act has been in effect since March 17, 2026. The cabinet had decided on it on January 29, and the Federal Council agreed. Legally, it implements the EU Directive 2022\/2557 on the resilience of critical infrastructure, also known as the CER Directive. This creates a nationwide, cross-sectoral framework for the physical protection and resilience of critical facilities for the first time.<\/p>\n<p>Important for classification: The law is the physical complement to the IT side, which is covered by NIS2 and the BSIG (Federal Office for Information Security). Around 1,300 operators fall under the scope of the CER logic and must in the future fulfill reporting obligations, provide business continuity management, demonstrate physical security and personnel reliability, and operate a robust crisis management system. The supply chain is included in each of these areas, not as an appendix, but as part of the facility.<\/p>\n<p>The CER Directive consciously thinks of resilience in a broad sense. It does not only mean cyberattacks, but also failures in general: through sabotage, through a natural event, through the loss of a supplier, or through a combination of these. At this point, the physical world meets the digital world. A manipulated remote maintenance access is a cyber incident with physical effects, and a cut cable is a physical incident with digital effects. The operator must know both chains, as both ultimately lead to a supplier.<\/p>\n<div data-element=\"stat_row\" style=\"display:flex;flex-wrap:wrap;gap:16px;margin:32px 0;\">\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:2.1em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">July 17<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">Start of registration on the platform of BBK (Federal Office of Civil Protection and Disaster Assistance) and BSI (Federal Office for Information Security) (2026)<\/p>\n<\/div>\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:2.1em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">1,300<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">Operators within the scope of the CER implementation<\/p>\n<\/div>\n<div style=\"flex:1 1 200px;min-width:0;background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:22px 20px;box-sizing:border-box;\">\n<div style=\"font-size:2.1em;font-weight:800;color:#69d8ed;line-height:1.1;word-break:keep-all;\">3 months<\/div>\n<p style=\"margin:10px 0 0;font-size:0.88em;color:#e6e3da;line-height:1.5;\">Deadline for registration after being classified as a critical facility<\/p>\n<\/div>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The Supplier Suddenly Falls Under the Scope<\/h2>\n<p>The sentence that separates procurement from security is eliminated with the umbrella legislation. Suppliers and service technicians with physical or digital access to a critical facility are subject to the same integrity and reliability requirements as internal employees. The remote maintenance access of a manufacturer, the technician in the control room, the cloud service behind the process control system: all three are, from the facility&#8217;s perspective, insider-near, not external.<\/p>\n<p>For operators, this shifts a responsibility. Previously, the service provider was a procurement issue with a framework contract. Now, it is a security issue with access control, access rights, background checks, and a clear understanding of who was in which system at what time. Anyone who delegates this responsibility to the supplier and leaves it there has not fulfilled it.<\/p>\n<div data-element=\"definition_box\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:20px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 8px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Definition &middot; Critical Facility<\/p>\n<p style=\"margin:0;color:#e6e3da;line-height:1.6;\">A facility whose failure would significantly disrupt the supply of essential services to the population, such as energy, water, healthcare, or transportation. The umbrella legislation makes its resilience an operator&#8217;s obligation and draws its suppliers into the same obligation.<\/p>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why an Audit List Doesn&#8217;t Close the Vector<\/h2>\n<p>A supplier can be thoroughly vetted, approved, and checked off, yet still leave the system vulnerable. The remote maintenance channel remains in place, the technician&#8217;s laptop moves from customer to customer, and the subcontractor may not even be mentioned in the contract. A snapshot in the procurement process fails to capture any of these states, creating a false sense of security and merely checking a box in the table.<\/p>\n<p>True resilience is only achieved when access is continuously managed. This includes implementing least privilege for external parties, time-limited access, logged remote maintenance, and an incident reporting chain that kicks in even when the incident originates with the service provider. This is not a one-time project, but an ongoing operational mode.<\/p>\n<p>The channel doesn&#8217;t end with the direct supplier, either. Their own cloud provider, remote maintenance platform, and subcontractors extend the chain with links that often aren&#8217;t even included in the contract. Those who only scrutinize the contractual partner see the risk ending one level too soon. For critical systems, it&#8217;s precisely this hidden depth of the supply chain where reliability on paper and actual operational reliability diverge.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Responsibility Remains at the Top<\/h2>\n<p>The umbrella legislation addresses operators, not their service providers. This direction is intentional. The responsibility for the resilience of a critical facility lies with its management and cannot be transferred by contract. An operator can purchase services, but they cannot buy liability for their security with it.<\/p>\n<p>For management, this means a duty to provide evidence. They must be able to demonstrate that supplier risks have been identified, assessed, and controlled. A register that documents this review makes all the difference in a serious case between proven due diligence and an open accusation. The regulatory authority will not ask whether a service provider has failed, but rather whether the operator had them under control.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Operators Must Regulate in the Supply Chain Now<\/h2>\n<p>The first step is straightforward: creating an honest map of who has physical or digital access to the facility from the outside. This yields five levers that the law demands.<\/p>\n<ul style=\"margin:20px 0;padding-left:22px;line-height:1.7;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Map Access.<\/strong> Every external individual with access or system access belongs in a current directory, including sub-contractors.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Pass on Obligations by Contract.<\/strong> Reliability, reporting channels, and auditing rights belong in the contract, not in a letter of intent.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Control Access and Authorization.<\/strong> Temporary rights, background checks for security-relevant roles, and logged remote maintenance.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Include Restart Procedures.<\/strong> Emergency and Business Continuity Management (BCM) plans must account for the failure of a supplier, not just one&#8217;s own.<\/li>\n<li><strong style=\"color:#69d8ed;\">Close Reporting Chains.<\/strong> The 72-hour deadline to the BSI (Federal Office for Information Security) also applies if an incident occurs via a service provider.<\/li>\n<\/ul>\n<p>The deadline is not a mere formality.<\/p>\n<div data-element=\"timeline\" style=\"margin:32px 0;\">\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">17. M\u00e4rz 2026<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">KRITIS umbrella law comes into effect<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin:0 0 14px;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">17. Juli 2026<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">Registration on the BBK and BSI platform begins<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin:0;\">\n<div style=\"flex:0 0 auto;min-width:104px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.78em;color:#69d8ed;padding-top:2px;\">+3 Monate<\/div>\n<div style=\"color:#e6e3da;line-height:1.55;\">Registration requirement after being classified as a critical facility<\/div>\n<\/div>\n<\/div>\n<p>The three months may seem like a buffer. In practice, the time passes with what was previously lacking: a complete picture of one&#8217;s own suppliers. Those who do not have this map today should create it before the deadline, not afterwards.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>What does the KRITIS umbrella law regulate?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">It implements the EU CER (Critical Entities Resilience) Directive and creates a nationwide framework for the physical resilience of critical infrastructure: reporting requirements, Business Continuity Management, physical security, personnel reliability, and crisis management. The IT obligations under NIS2 (Network and Information Security 2) remain unaffected by this.<\/p>\n<\/details>\n<details>\n<summary><strong>When are operators required to register?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Registration on the joint platform of BBK (Federal Office of Civil Protection and Disaster Assistance) and BSI (Federal Office for Information Security) will be possible starting July 17, 2026. It will become mandatory at the latest three months after being classified as a critical infrastructure.<\/p>\n<\/details>\n<details>\n<summary><strong>Do suppliers really fall under the same requirements?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Suppliers and service technicians with physical or digital access to the facility are subject to the same integrity and reliability requirements as internal employees. The operator remains responsible, even if they have outsourced the service.<\/p>\n<\/details>\n<details>\n<summary><strong>How does the DACH-specific &#8220;Dachgesetz&#8221; (Roof Act) relate to NIS2, the European Union&#8217;s Network and Information Security Directive?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">NIS2 and the BSI Act (Federal Office for Information Security Act) cover IT security, while the Umbrella Act (Dachgesetz) addresses the physical aspect and organizational resilience. For many operators, both regimes apply in parallel. They should be considered as one governance system, rather than two separate projects.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the first concrete step?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">A comprehensive directory of all external personnel with access to the facility, including sub-contractors. Without this register, it is not possible to properly manage contracts, control access, or regulate authorization.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/21\/supply-chain-risk-is-a-program-not-an-audit-list\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/tprm-lieferkettenrisiko-nis2-dora-programm-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Supply Chain Risk Is a Program, Not an Audit Checklist<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/30\/what-management-must-document-under-nis2\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/geschaeftsfuehrung-nis2-dokumentationspflicht-bsig-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Management Must Document Under NIS2<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-mandat-entscheidungsrechte-eskalation-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Which CISO Decision Rights Must Be Set Out in Writing<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/en\/geopolitics-meets-the-data-center-roadmap-what-cios-must-secure-now\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-geopolitik-datacenter-roadmap-lieferkett-8054517-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Geopolitics Meets the Data Center Roadmap: What CIOs Must Secure Now<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/eu-requires-labeling-obligations-for-sme-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-eu-ai-act-2026-kennzeichnungspflichten-m-35346140-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">EU AI Act from August 2026: What labelling obligations really affect SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/16\/xfs4iot-meets-the-cloud-the-atm-becomes-a-platform\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-xfs4iot-cloud-geldautomat-plattform-syna-61345494.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">XFS4IoT Meets the Cloud: The ATM Becomes a Platform<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"The KRITIS roof law makes supplier reliability a mandatory duty for operators. Governance roadmap to registration.","protected":false},"author":50,"featured_media":22055,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"KRITIS supply chain","_yoast_wpseo_title":"Weakest Supplier Opens Critical Facility","_yoast_wpseo_metadesc":"The KRITIS roof law holds suppliers with access to critical facilities accountable. What operators must regulate by July 2026 for registration.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[259],"tags":[],"class_list":["post-22074","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance-en"],"evm_reading_time_minutes":9,"wpml_language":"en","wpml_translation_of":22054,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22074"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22074\/revisions"}],"predecessor-version":[{"id":22077,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22074\/revisions\/22077"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/22055"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}