Integrated security strategies for critical infrastructures – insights and challenges from the BKS GU white paper

February 12, 2025

Increasing digitalisation and globalisation are presenting new challenges for companies and public institutions. The number and complexity of security incidents – whether cyber- or physically related – are constantly increasing and require a rethink of risk planning, monitoring and response. The current white paper by the GU group, published by BKS GmbH, takes a detailed look at the implementation of the EU NIS Directive and other relevant legislation in the context of critical infrastructures (KRITIS). It shows how technical and organisational measures can be linked to increase the resilience of systems in the long term while also meeting the requirements of legal reporting obligations, emergency and recovery measures, and regular security audits.

The key terms used in the white paper – such as ‘critical infrastructure’, ‘resilience’ and the implementation of the NIS Directive – emphasise that modern security concepts are no longer just about protecting IT systems. Rather, it is essential to also integrate physical security measures into the cybersecurity strategy. Companies and operators of critical infrastructure must continuously adapt their risk management systems to adequately address both external and internal threats. In this context, legal frameworks such as the BSI Act, the BSI KRITIS Ordinance and the upcoming KRITIS Umbrella Act play an important role, as they define the minimum requirements for the security and availability of essential services and infrastructure.

A key component of the white paper is the detailed presentation of the classification of facilities into different categories. Operators of critical facilities, ‘particularly important’ facilities and ‘important’ facilities are differentiated on the basis of quantitative and qualitative criteria – such as the number of residents to be supplied, number of employees, turnover and balance sheet thresholds. These classifications are not only important for meeting legal requirements, but also provide a framework for implementing targeted security measures. Companies operating in these areas must implement specific IT security measures, reporting requirements and attack detection systems to ensure continuous operation even in the event of a crisis.

With its integrated approach, exemplified by the building management and organisation system GEMOS, the GU group is presenting an innovative concept that enables the centralised monitoring and control of all security information. GEMOS combines data from various physical security and information systems – from fire alarm and video surveillance systems to access control systems and building automation systems. This integration makes it possible to create a comprehensive security overview that optimises both the detection of and the response to security incidents. Particularly noteworthy is GEMOS’ ability to process real-time data from various sources and to feed it into a central risk management system using standardised interfaces. This enables operators of critical infrastructure not only to respond more quickly to alerts, but also to proactively identify and rectify security vulnerabilities.

Another important aspect is the functionality of GEMOS access, an access control system that was specially developed as part of the NIS implementation. This solution enables companies to precisely control and document access to sensitive areas. The centralised recording of access attempts and the automatic logging of changes not only support compliance with legal reporting requirements, but also provide the basis for comprehensive audits and continuous security checks. In combination with the GEMOS Enterprise One Server, which ensures system reliability and automatic recovery, the solution offers a high level of availability – a crucial factor for the uninterrupted operation of critical infrastructures.

The training and awareness-raising measures presented in the white paper round off the solution. To establish a sustainable security culture, it is essential that all employees involved – from management to operational staff – receive regular training in the latest standards and procedures. The practice-oriented training courses, which are offered both online and on-site, enable participants to immediately transfer theoretical knowledge into daily practice and thus continuously improve the security of their facilities.

The white paper takes a critical look at the complex and multifaceted challenges involved in implementing the EU NIS Directive and other legal requirements. The increasing integration of IT and physical security measures offers enormous advantages, but also presents companies with new challenges. Technical implementation, regular system updates and ongoing employee training require significant investments and consistent organisational adjustments. In particular, small and medium-sized companies in the critical infrastructure sector face the difficult task of meeting high security standards without jeopardising their operational flexibility and economic efficiency.

It is also becoming clear that the success of such a holistic security strategy depends to a large extent on the quality of the technologies used and the efficiency of internal processes. While solutions such as GEMOS and GEMOS access already offer extensive monitoring and control functions, the question remains as to how quickly and flexibly these systems can respond to new types of threats and unexpected security incidents. The continuous further development and adaptation to constantly changing security requirements is therefore a key challenge that companies must face up to in a dynamic and globally networked market environment.

In conclusion, it can be said that the BKS GU white paper presents a comprehensive and innovative approach to implementing the EU NIS Directive and securing critical infrastructures. The integration of physical and IT security measures, central monitoring using systems such as GEMOS and targeted employee training are important building blocks of a modern security strategy. Nevertheless, the road to full resilience for companies and institutions is long and requires continuous investment in technology, processes and personnel. Only by taking a holistic and flexible approach that considers both technical and organisational aspects can the challenges of digital and physical security be sustainably overcome.
