The German Ordinance of Critical Infrastructure under the Act on the Federal Office for Information Security (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz – BSI-KritisV) is the regulation that determines which facilities qualify as critical infrastructure in Germany. Classification as “critical infrastructure” provides for two requirements: Firstly, the infrastructure in question must fall into a certain category of the energy, water, food, IT and telecommunications, health, finance and insurance, or transport and traffic sectors. Secondly, the facilities in question must meet certain thresholds in terms of size and importance. The BSI-KritisV defines both categories and thresholds.
Effects on Investment Control
Classification as critical infrastructure not only leads to a number of obligations for operators from an IT security perspective, but also to mandatory filing requirements pursuant to investment control under the Foreign Trade and Payments Act (Außenwirtschaftsgesetz – AWG) and Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV), if the investors are from non-EU/EFTA countries and acquire at least 10% of the shares.
The number of companies falling into the scope of critical infrastructure in Germany is expected to increase by around 15% as a result of the expanded scope of the Ordinance. Regarding critical infrastructure, the scope of investment control will consequently expand to the same extent. In this respect, the reform goes hand in hand with earlier amendments to the AWV, which led to a significant expansion of the German investment control regime.
Main changes in the Ordinance
The changes introduced via the reform affect the following areas in particular:
- Software and IT services: Companies that only use software required for the operation of critical infrastructure now fall within the scope of the AWV. Before the reform, only developers and producers, but not users of such software were covered. Now, importantly also mere IT service providers, which previously did not fall within the scope, will be covered.
- IT and telecommunications: The threshold for internet exchange points (IXPs) drops from 300 to 100 connected autonomous systems on an annual average. The threshold for data centres drops from 5 to 3.5 MW (contracted capacity). The threshold for server farms (hosting) now starts at 10,000 physical or 15,000 virtual instead of 25,000 total users. Top-level domain name registries that manage or operate more than 250,000 domains are additionally considered critical infrastructure.
- Energy: The threshold for power generation plants drops from 420 to 104 MW net installed capacity. This corresponds to the average of all conventional gas-fired power plants operating in Germany. The threshold for facilities providing Frequency Containment Reserve decreases to 36 MW net installed capacity. Thresholds for energy trading facilities or systems decrease from 200 TWh/year to 3.7 TWh/year. A new Category for natural gas trading is introduced with a threshold of 5,190 GWh/year and a new category for facilities or systems engaged in the centralised commercial control (i.e., distribution) of mineral oil trading, including petroleum and (aviation) fuel, is introduced.
- Health: The reform introduces a new category of laboratory information networks. The amended ordinance defines those as “a network of facilities or systems that provide IT services for diagnosis and therapy control in human medicine for more than one laboratory.”
- Finance and Insurance: The reform newly covers systems for generating and forwarding of orders for trading in securities and derivatives on a trading venue as well as trading venues within the scope of Directive (EU) 2014/65.
- Transport and Traffic: The catalogue expands to include several new categories. For logistics companies, consignments are now also a threshold. For ports, airports and airlines, new facilities are added, especially in the area of transportation/traffic management. Finally, in road transport so-called intelligent transport system are added. Some of the qualitative thresholds are adjusted as well.
- Shared Facilities: As an important innovation for calculating the thresholds, the reform expands the concept of “shared facilities”. Several infrastructure facilities are considered as one if they are jointly necessary for the provision of the same critical service.
The reform once again expands the scope of the German FDI regime – albeit this time indirectly. Parties to M&A transactions should keep the reforms and implications for potential transactions in the area in mind if infrastructure that could be considered critical is affected. The reform makes it even clearer that critical infrastructure protection is currently a priority for the EU and its Member States. Further changes can be expected in the future, such as the European Commission's planned legislative proposal for a directive on the resilience of critical facilities.
The new rules come at a time where the German government has only taken office for a few weeks. It hasn’t yet become clear whether the new decision-makers have a different approach to using the FDI regime as a political instrument. There is no indication that the tough scrutiny of foreign investments that we encountered in the last years would be relaxed. Quite the opposite, tensions with China or Russia only seem to make it even more unpredictable which transactions raise concerns from the government’s perspective, and which could require remedies or might even be blocked.
Lasse Heber, a trainee in our Brussels office, contributed to this article.
Read our previous blogs on related topics here:
Authored by Falk Schöning and Stefan Kirwitzke.