
Navigating the NIS2 Directive and KRITIS Legislation

In a world increasingly defined by digital infrastructure, cybersecurity has become an essential component of governance and infrastructure management. The Network and Information Security 2 (NIS2) Directive and KRITIS legislation are two significant pieces of legislation in the European Union and Germany, respectively, that seek to enhance the security of critical infrastructure networks and systems. This post explores both the NIS2 Directive and KRITIS legislation, their implications for operators, and their application to data centers, a critical digital asset in our modern economy.

The NIS2 Directive: EU's Cybersecurity Rulebook

The NIS2 Directive is a piece of EU legislation, the first to specifically address cybersecurity at an EU-wide level. Its main objective is to establish a uniformly high level of cybersecurity across all member states. This directive regulates companies providing essential services and infrastructure within the EU, such as those in the energy, transport, banking, and health sectors, bringing them under cybersecurity supervision. In other words, the NIS2 Directive is the definitive cybersecurity rulebook for EU operators.

Data centers, the backbone of digital transactions, are subject to the NIS2 Directive if they conduct their cybersecurity decision-making within the EU. As they face a host of cybersecurity risks, from Denial-of-Service (DoS) attacks to social engineering to data theft, this Directive seeks to ensure that these vital assets are well-protected from cyber-attacks.

KRITIS: German Law Protecting Critical Infrastructures

At the national level, Germany has enacted the KRITIS legislation, a law that identifies and defines "critical infrastructure." KRITIS stands for "Kritische Infrastrukturen," or "Critical Infrastructures" in English. The legislation sets out specific security requirements for operators managing critical infrastructure. According to the BSI KRITIS Regulation, critical infrastructure refers to facilities, installations, or components deemed crucial for the functioning of society due to their importance for the supply of the population.

Examples of such critical infrastructures include but are not limited to: energy supply, water supply, food supply, transport and traffic, telecommunications and information technology, finance and insurance, healthcare, public administration, and security services. Notably, data centers, with their robust and reliable support infrastructure, are also classified as critical infrastructure. The KRITIS legislation aims to ensure that these crucial assets are adequately secured, protected, and maintained.

Cybersecurity and Data Centers

Data centers, due to their integral role in virtually all digital transactions in our economy, are often prime targets for cyber threats. They are complex systems, encompassing power subsystems, uninterruptible power supplies (UPS), backup generators, ventilation and cooling equipment, fire suppression systems, and building security systems. Rapid technological advancements can sometimes create vulnerabilities that may be exploited by malicious hackers.

Both the NIS2 Directive and the KRITIS legislation address these concerns, ensuring that data centers meet rigorous cybersecurity standards. The NIS2 Directive takes it a step further by defining jurisdiction for digital service providers. If the provider's headquarters, where cyber risk measures are executed, is located outside the EU, then the member state with the most customers will be responsible for enforcing NIS2.


In an era where cyber threats are a growing concern, the EU's NIS2 Directive and Germany's KRITIS legislation are vital tools in securing the digital landscape. By setting comprehensive standards and guidelines for managing and protecting critical infrastructure, these laws ensure that our society's digital backbone remains resilient in the face of increasing cybersecurity challenges.
