Bundesnetzagentur determines critical functions in the energy sector
Klaus Müller: "Determination closes a security gap for Germany"
Year of issue 2025
Date of issue 2025.06.25
The Bundesnetzagentur has today published its determination on critical functions for the operation of energy supply networks and energy facilities.
"Our determination of critical functions creates the basis for possible preventive action with respect to critical components of critical infrastructure in the energy sector," said Klaus Müller, President of the Bundesnetzagentur.
Determination proceedings for critical functions
The Bundesnetzagentur identified critical functions in cooperation with the Federal Ministry of the Interior (BMI), in agreement with the Federal Office for Information Security (BSI) and in expert group discussions. The critical functions comprise key aspects of the control of energy networks and energy facilities, such as operation control systems and systems for the implementation of congestion management measures. On the basis of the determination, operators of critical infrastructure in the energy sector must now notify the BMI of the installation of IT components in critical areas. The BMI can prohibit the use of components under certain conditions and can ban components from untrustworthy manufacturers.
Background
Modern society is greatly dependent on a functional supply of energy. The increasing spread of digital technology in critical infrastructure and changing geopolitical threats are leading to higher security-related requirements for the expansion and conversion of critical infrastructure in the electricity and gas sectors.
The Bundesnetzagentur’s IT security requirements catalogues published in August 2015 and December 2018 set out minimum requirements for telecommunications and electronic data processing systems in energy supply networks and energy facilities. The focus of those catalogues was on ensuring safe and secure operations. The focus of the determination published today is on the safe and secure use of components. Critical components that are to be used for the first time must be subject to prior checks to determine whether they lead to a threat to public safety and security and whether they could pose a threat to the availability, integrity and confidentiality of the critical infrastructure. Critical components that are already in use can be banned under the determination, in particular if the critical component manufacturer is not trustworthy. This determination supplements the Bundesnetzagentur’s IT security requirements catalogues.
Further information about the determination is available on the Bundesnetzagentur’s website at www.bundesnetzagentur.de/krifu (in German).