Amendment of the BSI Critical Infrastructure Ordinance – Broadening the scope of German investment control through the back door?
With the "second ordinance amending the BSI Critical Infrastructure Ordinance", the Federal Ministry of the Interior and Community (MOI) has amended the Ordinance on the Determination of Critical Infrastructures pursuant to the BSI Act (BSI-KritisV) as of 01.01.2022, thereby increasing the number of critical infrastructure operators.
The reason for this change is an evaluation of the designation of critical infrastructures and the corresponding thresholds as required by Sec. 9 BSI-KritisV and which has to be conducted for the first time two years after the ordinance enters into force.
At the same time, the amendments also affect the German investment control. The acquisition of 10% of the voting rights in an operator of a critical infrastructure within the meaning of the BSI Act by a non-EU/EFTA investor is subject to investment control pursuant to Sec. 55a para. 1 No. 1 of the Foreign Trade and Payments Ordinance (AWV). Thus, it is advisable to familiarise oneself with the most important amendments.
I. The relevant amendments
Critical infrastructure is defined as facilities and parts thereof which are necessary for the provision of critical services in a certain sector and which exceed certain threshold values reflecting their importance for the supply of the public from the perspective of society as a whole.
The amendments to the BSI-KritisV lead to an expanded definition of the term "facilities" and a revision of the categories of facilities in the respective sectors, while at the same time considerably lower the threshold values. According to estimates by the MOI, 270 additional operators will be covered by the ordinance, which are primarily active in the energy sector. As the MOI notes this will increase the total number of operators of critical infrastructures from approx. 1,600 to approx. 1,870 who are subject to the obligations of the BSI Act. These obligations include, inter alia, the obligation to register the operated critical infrastructure with the Federal Office for Information Security according to Sec. 8b para. 3 BSI Act.
1. Software and IT-services as “facilities”
The term "facilities" in Sec. 1 No. 1 BS-KritisV is expanded to include software and IT services that are necessary for the provision of a critical service. In order for software and IT services to constitute critical infrastructure, they must correspond to a category of facilities described in the annexes and meet or exceed the threshold values specified therein.
Previously, only companies that develop or manufacture software used on a sectorspecific basis to operate critical infrastructure were subject to investment control. Now, as a result of the amendments, companies that only use software and IT services to provide a critical service may also be covered.
The changes in the energy sector have the most significant impact. The threshold for electricity power plants is reduced from a net nominal power of 420 MW to 104 MW (for primary control plants even to 36 MW), so that smaller power plants are also covered. This reflects the inevitable development of the production market, as the average output size of power plants is decreasing due to the nuclear and coal phaseout. In addition, certain black start facilities (providers of system services for grid restoration) fall under the BSi-KritisV regardless of a threshold value.
In addition, gas and mineral oil trading is included as a critical service, so that gas trading systems and facilities or systems for the central commercial control of mineral oil trading may constitute critical infrastructures.
In order to align with Directive (EU) 2016/1148 (NIS Directive), airport control bodies, airline traffic control centres, port control bodies (goods traffic only), port information systems, transhipment facilities in sea and inland ports and intelligent transport systems within the meaning of Section 2 IVSG are included as new categories of facilities.
In addition, systems for dispatching maintenance operations and personnel in local public transport, rail transport and air traffic are now included. According to the MOI, also passenger information systems are essential.
4. IT and telecommunications
In the IT sector, the threshold for "internet exchange points" (IXP) is reduced from 300 connected systems to 100. In addition, the threshold for data centres (housing) decreased from the contractually agreed 5 MW to 3.5 MW. The thresholds for server farms (hosting) are also lowered to 10,000 for user-operated physical instances and to 15,000 for virtual instances. Previously, the threshold was 25,000 instances.
In the health sector, a "laboratory information network" defines a new category of facilities. This includes IT-services such as communication for order entry and for the transmission of findings, which are provided for laboratories that are combined in a network. Relevant for the threshold value is the cumulative number of orders in the laboratory network.
6. Finance and insurance
Up to now, trading in securities and derivatives was not a critical service. The MOI has changed this due to the increased importance of securities trading for the general public. In this context, new categories for facilities with corresponding threshold values were added.
Due to the amendments, companies that were previously not covered by investment control now fall under the scope of the regulation. This trend is expected to continue in the future, as the protection of critical infrastructure is an important objective of the European Union and its Member States. This is reflected, inter alia, in proposed legislations such as the Commission's Critical Facilities Resilience Directive. Therefore, further changes are to be expected.