The new Gaia-X Federation Services (GXFS-DE) whitepaper “Information Security of Critical Infrastructures – Law and Regulation for Gaia-X and the Gaia-X Federation Services” discusses which rules operators of critical infrastructures have to follow in the context of Gaia-X.
The whitepaper aims to clarify which IT infrastructures and services are to be classified as so-called “critical infrastructure”. Critical infrastructures are services, organisations or companies whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic effects on society.
In the Gaia-X environment in particular, this topic has not been discussed much so far, even though many Gaia-X use cases are in critical sectors such as healthcare, banking or energy.
- When are the operating bases of a company’s own platform and its services to be classified as so-called “critical infrastructure” and thus subject to government regulation?
- What criteria and benchmarks apply?
- What legal obligations and regulatory measures result when the operation of a service is considered “critical”?
- What technical and organizational standards relating to information security must then be complied with?
These and other questions are discussed in this whitepaper.
“It is important to carefully examine which requirements will apply to the operators of Gaia-X ecosystems. The application of the KRITIS regulation is primarily derived from the classification of the users,” says Andreas Weiss, GXFS-DE project lead at eco Association of the Internet Industry.