EFS Consulting
04/29/2025

What are Critical Infrastructures and why are they worth protecting?

The resilience of system-relevant infrastructure is essential for security of supply, civil protection and public safety in the EU. In the face of increasing threats from natural disasters, sabotage, cyber attacks and geopolitical tensions, disaster prevention, network security and emergency plans are moving to the center of modern risk management strategies. This insight shows which requirements arise from the NIS2 and CER directives as well as the BSI Act and the KRITIS Regulation, how many companies in Europe are affected and what role cyber defense and information security play in effective crisis management.

Introduction to the World of Critical Infrastructure

Digitalization is permeating every aspect of our lives – while also making society more vulnerable. A recent example (April 28, 2025) is the widespread power outage in Spain and Portugal. Another prominent case: cyberattacks on German seaports, which disrupted supply chains for weeks and caused significant economic damage. Such incidents underscore that Critical Infrastructures have become a prime target for cybercriminals and geopolitical actors. 

According to Section 2(10) of the German BSI Act (BSIG), Critical Infrastructures are “facilities, systems, or parts thereof belonging to the sectors of energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance, and municipal waste disposal, which are of significant importance for the functioning of the community.” Their disruption or failure can jeopardize public safety, critical services, and societal stability. 

In this context, the protection of Critical Infrastructures is gaining increasing importance – technically, organizationally, and legally.  

What are Critical Infrastructures? 

Critical Infrastructures are organizations and facilities whose functionality is essential for societal operations. If they fail, they may cause: 

  • Supply shortages 
  • Public safety disruptions 
  • Other severe and lasting consequences 

Which Entities are Affected?

Based on publicly available data and the criteria of the BSI KRITIS Regulation (revenue, number of employees, systemic relevance, etc.; source: openkritis), the following overview shows how many companies in Germany are potentially classified as Critical Infrastructure operators in each sector.

Shares of potentially relevant KRITIS companies by sector (in %):

  • Energy: 26 %
  • Health: 20 %
  • Finance and insurance: 19 %
  • Information technology and telecommunications: 11 %
  • Transport and traffic: 7 %
  • Food: 7 %
  • Municipal waste management: 5 %
  • Water: 5 %

Source: openkritis; EU-wide data is not currently available.

Note: Depending on how EU directives are implemented nationally, future relevance will depend less on company size and more on their contribution to maintaining critical supply and infrastructure services. 


An Escalating Threat Landscape 

Cyberattacks on Critical Infrastructures are no longer abstract threats. According to the German Federal Office for Information Security (BSI), ransomware, supply chain attacks, and targeted sabotage have increased significantly in recent years. 

Particularly vulnerable are the interfaces between information technology (IT) and operational technology (OT). A single infiltrated Trojan can not only exfiltrate data but also severely disrupt the physical control of vital infrastructure. 

Consequences of such Attacks Include:

  • Production shutdowns 
  • Supply shortages (e.g., electricity, water) 
  • Loss of trust among citizens and business partners 
  • Liability risks and regulatory penalties 

In light of these trends, both national and EU legislators are tightening security and compliance requirements for KRITIS operators. 


Legal Framework and Requirements 

NIS2 Directive 

The NIS2 Directive (Network and Information Security Directive 2), in force since January 2023, is the EU's key response to the growing threat landscape. Member states must transpose it into national law by October 2024.

Key Elements of NIS2: 

  • Broader scope: Compared to NIS1, it covers more sectors, including space, waste management, and food production 
  • Stricter requirements: Risk management measures, including IT security, supply chain security, and business continuity 
  • Incident reporting: Security incidents must be reported within 24 hours; detailed assessments are due within 72 hours 
  • Executive liability: Senior management is held accountable for security failings 
  • Sanctions: Fines up to €10 million or 2% of global annual turnover 

CER Directive 

In parallel, the CER Directive (Critical Entities Resilience Directive) was adopted, focusing on physical protection and resilience against natural disasters, sabotage, or terrorist attacks. 

Important: Many companies fall under both NIS2 and CER, requiring integrated protection strategies covering both cyber and physical resilience. 

BSI Requirements and National Implementation 

For companies in Germany, the existing BSI KRITIS catalogs remain relevant, setting sector-specific minimum standards for IT security. With the upcoming NIS2 implementation, these standards will be adapted – early preparation is essential. 


Best Practices for Companies 

How can organizations effectively strengthen their resilience against cyber threats and ensure compliance? 

  1. Establish an ISMS (Information Security Management System) aligned with ISO/IEC 27001 or sector-specific standards (e.g., ISO/IEC 27017) 
  2. Conduct regular risk analyses, including supply chain assessments 
  3. Implement technical safeguards such as Zero Trust architecture and IT/OT segmentation 
  4. Train employees in cybersecurity awareness 
  5. Develop emergency response and business continuity plans aligned with NIS2 and CER 
  6. Provide proof of compliance: document and demonstrate compliance to regulators and auditors
  7. Ensure continuous monitoring and incident response capabilities 

Proper implementation not only ensures legal compliance but also builds long-term resilience and trust with customers and partners. 


Stronger Together – Securing the Critical Infrastructure!

Requirements for critical infrastructure operators are increasing rapidly – and with them, the complexity of technical and organizational implementation. EFS Consulting offers comprehensive support including: 

  • GAP analysis to identify security weaknesses 
  • Design and optimization of ISMS (e.g., ISO/IEC 27001, TISAX) 
  • Audit readiness and regulatory compliance consulting 
  • Risk assessments and business continuity planning 
  • Security awareness training for staff and management 
  • Technical consulting on Zero Trust, OT security, and supply chain resilience 

With our in-depth expertise in information security, risk, and compliance management, as well as sector-specific KRITIS requirements, we guide you confidently through the jungle of new regulations. 

Secure your critical operations – and your future. Contact us for a no-obligation consultation!
