Germany Broadens Definition of ‘Critical Infrastructures’

The second amendment of the Ordinance on the Designation of Critical Infrastructures under the BSI Act entered into effect on January 1, 2022. Such amendment broadens the definition of “critical infrastructures,” which are of particular relevance for Germany’s foreign direct investment screening regime.

This amendment follows the latest update (the 17th amendment) to the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) which entered into effect on May 1, 2021. Such amendment materially expanded the catalogue of sectors of particular relevance to Germany’s order and security[1] and introduced more differentiated thresholds.

In addition, since May 28, 2021, a mandatory foreign direct investment (FDI) filing is triggered if the German target business develops or manufactures certain IT components which are used in critical infrastructures (so-called critical components).

The second amendment of the Ordinance on the Designation of Critical Infrastructures under the BSI Act (BSI-KritisV or Law) comprehensively revises the definitions and thresholds required to designate critical infrastructures (energy, water, nutrition, IT and telecommunication, health, finance and insurance, and transport and traffic). The following amendments of the Law will likely have the most significant impact on German FDI screening, further increasing the number of notifications to the German Ministry of Economics and Climate Action:

Definition of a “Facility”: The concept of a “facility” is generally an essential prerequisite for the assumption of a critical infrastructure under the BSI-KritisV. In addition to premises and other fixed installations, machinery, equipment, and other mobile installations, the updated “facility” definition now also explicitly includes software and IT services necessary for the provision of a critical service for the operation of a critical infrastructure. Relevant software and IT services do not need to be specially developed for the operation of critical infrastructures to fall in the scope of the updated “facility” definition. This may result in third-party IT and software service providers being designated as operators of a critical infrastructure.
Energy Sector: The thresholds for power plants to be considered a critical infrastructure were lowered from 420 megawatts to 104 megawatts. Further, the updated BSI-KritisV introduces new categories of facilities (trading systems and facilities relevant for the trade of gas or petroleum) and also lowers the existing threshold for trading systems and facilities relevant for the trade of electricity from 200 terawatt-hours to 3.7 terawatt-hours per year.
IT and Telecommunication Sector: The Law reduces the existing thresholds for internet exchange points (IXPs)—number of connected autonomous systems (annual average)—from 300 to 100, as well as the thresholds for computer centers/housing—contractually agreed installed power in megawatts—from 5 megawatts to 3.5 megawatts.
Health Sector: The Law introduces a new facility category, the so-called “laboratory information network”. A laboratory information network is a network of facilities or systems that provide IT services for diagnosis and therapy control in human medicine for at least one laboratory.
Finance and Insurance Sector: The Law introduces new facility categories related to the trading in securities and derivatives. These concern systems for generating orders for trading securities and derivatives and forwarding them to a trading venue exceeding 6,750,000 transactions per year; trading systems (as defined in Article 4 number 24 of Directive 2014/65/EU) exceeding 850,000 transactions per year; and other depository management systems exceeding 6,750,000 transactions per year.
Transport Sector: The Law introduces new facility categories—for instance, air and port traffic control centers, port information systems, and others.

The amendment of the Law will increase the number of businesses designated to be operators of a critical infrastructure. The Federal Ministry of Interior and Community estimated in this respect that the number of operators of critical infrastructures will increase from a total of approximately 1,600 to a total of approximately 1,870.

Operators of critical infrastructures are primarily subject to the obligations of the BSI-KritisV, in particular, notification of IT security breaches. In addition, the broadened definition of critical infrastructures may increase the number of mandatory notifiable transactions under the German FDI provisions. Foreign investors should therefore factor this into their diligence efforts when considering the acquisition of voting rights in German domiciled companies.

[Source: Morgan Lewis]

Leave a Reply