TeleTrust Criticizes CritInfra Ordinance Draft: Definitional Gaps and Outdated Thresholds

In a nutshell: The CritInfra Ordinance draft contains definitional gaps and relies on a 20-year-old, methodologically disputed threshold of 500,000 persons that does not adequately reflect actual critical infrastructure risks.

At the end of May, the Federal Interior Ministry released a draft of the Critical Infrastructure Ordinance (CritisV), which is intended to determine which infrastructure in Germany will be classified as critical. In a statement, the IT security association TeleTrust raises fundamental criticism of the implementation and points out semantic, methodological and editorial weaknesses.

The new CritisV is meant to replace the previous BSI Critical Infrastructure Ordinance and serve as a unified legal ordinance for physical resilience and IT security. While TeleTrust generally supports the goal of greater uniformity and legal certainty, the association criticizes significant deficiencies in design. A central problem is already found in Section 1: the term “facility” is used as a reference point without being defined. In Section 7, the same word appears with a completely different meaning, relating to credit transactions, which only becomes clear from later paragraphs.

The appendices of the ordinance contain further technical errors that are problematic for compliance officers: cross-references lead nowhere, numbers are assigned twice, and the numbering jumps without explanation from 2.12 to 2.16. A particularly serious example concerns computerized reservation services: Annex 7 specifies a threshold of 20 million flight bookings per year, while the rationale assumes 200,000. TeleTrust further criticizes that affected companies would be materially obligated without a transition period, even though the draft remains unratified after an “unusually long preparation period.”

The cornerstone of the ordinance is a standard threshold of 500,000 persons served, which was already applied in the IT Security Act of 2015 and goes back to a power outage in Münsterland in November 2005. More than 20 years later, this figure is applied unchanged to all sectors—from power supply to space and telecommunications. TeleTrust chairman Karsten U. Bartels explains: “The threshold method in its traditional form is in no way suitable for bringing actual risks into an appropriate relationship with the application framework of the law. The reference value of 500,000 persons served is methodologically refuted and represents a risk.”

That significantly smaller outages can cause considerable disruptions was demonstrated by the blackout in Berlin-Köpenick in 2019 and another in Berlin’s southwest in 2026. The Bundesrat has already proposed reducing the threshold to 150,000 persons. The CritisV draft also fails to account for cascade effects—scenarios in which the failure of one facility triggers further failures.

The CER Directive, which the CritisV is meant to implement, requires in Article 7 consideration of cross-sectoral dependencies, geographic impacts, substitutability and possible disruption duration—beyond mere headcount figures. However, the draft focuses almost exclusively on persons served. TeleTrust calls for event-driven evaluations for digital infrastructure, as the planned five-year cycle is too rigid given rapidly evolving cloud architectures and threat landscapes.


Source: www.it-daily.net · Published 15 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
