The KRITIS Framework Act (KRITIS-DachG) was passed into law by the German Bundestag on 17 March in response to growing threats to critical infrastructure, particularly those resulting from acts of sabotage and hybrid threat scenarios.
Through bringing KRITIS-DachG into force, Germany has implemented the requirements of the EU Directive on the resilience of critical infrastructure (Directive (EU) 2022/2557) at the national level. The aim is to establish a uniform, cross-sectoral minimum level of protection for the physical security and organisational resilience of critical infrastructure.
As well as forming a central role in Germany’s national cybersecurity strategy, the KRITIS-DachG affects a wide range of businesses and operators, thus raising a number of significant issues under employment law, which we outline below.
The new resilience obligation
Companies must meet a new comprehensive resilience obligation under the KRITIS-DachG framework. Under section 13 paragraph 1, operators of critical infrastructure are obliged to take appropriate measures to prevent incidents from occurring; to ensure adequate protection; to respond to and mitigate incidents; to limit their impact; and to ensure the rapid restoration of critical services in the event of a disruption.
The necessary measures may be of a technical, security-related or organisational nature and must be based on the national risk analysis. This makes it clear that the duty to protect is not limited to IT and cybersecurity measures, but should be understood as a holistic approach to risk mitigation.
As outlined in section 13 paragraph 4 of the KRITIS-DachG, operators must document the measures taken in a resilience plan, implement this plan and update it as necessary, particularly following significant changes. Relevant incidents must also be reported immediately to the competent federal office.
The act applies to operators of critical infrastructure which provide services in particularly sensitive sectors. These include the energy, transport and traffic, finance, information technology and space sectors.
The prerequisite is that the service in question serves the general public. This is the case if its failure or disruption would lead to significant supply shortages or a threat to public safety. Currently, the adopted threshold is a supply serving at least 500,000 people. Federal states may also classify further facilities as critical. Overall, this results in a broad scope of application for the KRITIS-DachG.
Works council co-determination rights
It is particularly relevant to look at the role of the works council – an elected group that represents employees’ interests in dealing with company management – in the event of a resilience crisis or emergency.
Resilience measures often have to be taken under time pressure. However, even in urgent cases, the works council’s right of co-determination generally remains in force. Without appropriate preparation, this can significantly impair or even completely block the company’s ability to act.
It is therefore strongly recommended that clear decision-making and consultation structures be established in advance. Action can only be taken in a legally compliant manner in an emergency if the works council is able to pass effective resolutions quickly.
A large proportion of the measures required in the event of a cyber attack are subject to mandatory co-determination under the Works Constitution Act (BetrVG). These include, in particular, instructions on how employees should behave in the event of a crisis, organisational adjustments to work processes, and special communication protocols.
Communication is another area that deserves special attention, since hybrid attacks can cripple traditional communication channels. However, alternative technical communication solutions are generally subject to co-determination. There are also health and safety at work issues in which the works council must be involved.
Interplay with IT security and data protection law
Although the KRITIS-DachG formally focuses on the physical and organisational resilience of critical infrastructure, it is also important for companies to consider the framework’s close interplay with existing IT security and data protection obligations from the outset when implementing the requirements.
In practice, resilience measures under the KRITIS-DachG are virtually indistinguishable from IT security measures: requirements relating to emergency communication, crisis management, recovery capability and supply chain resilience are regularly linked to existing requirements under IT security law, in particular the EU-wide NIS2 directive.
At the same time, many measures involve personal data – including in crisis communication, access restrictions or the documentation of incidents – meaning that data protection law, in particular the GDPR, should be taken into account from the outset.
Companies should not adopt an isolated KRITIS-DachG approach, but rather pursue coordinated implementation in line with existing IT security and data protection governance to avoid inconsistencies and legal friction.
The KRITIS-DachG makes it clear that resilience is not merely a technical issue, but has a profound impact on a company’s work organisation, co-determination structures and existing rules governing IT security and data protection law. Forward-looking planning is essential to ensure the ability to act in an emergency.
Framework agreements with the works council can help to establish clear guidelines and avoid time-consuming individual negotiations during a crisis. This is the only way to ensure that companies can react quickly and in a legally compliant and effective manner, even in urgent situations.