On 1 January 2022, an amendment to the statutory definitions of critical infrastructure in Germany will enter into force. The qualification as "critical infrastructure" entails a range of obligations for the operators of such facilities, but also serves as a trigger for mandatory FDI screening when operators are acquired by a purchaser that is based outside the EU/EFTA or has shareholders located outside the EU/EFTA.
Under German law, investments of 10% or more by a non-EU/EFTA investor in German companies that operate critical infrastructure trigger mandatory filing obligations, and it is a criminal offense to close such transactions without approval by the Federal Ministry for Economic Affairs. Any change to the definition of critical infrastructure therefore has an immediate effect on the screening of investments and the scope of the mandatory notification obligation.
The amendments in detail
There is currently a two-prong test for critical infrastructure: the activities in question must (i) fall within one of a variety of business-specific legal definitions, and (ii) meet certain thresholds, which aim to ensure that only activities which are essential for a large part of the population (the base assumption is 500,000 individuals) are caught. The amendment comprises both revised definitions in certain sectors (energy, water, nutrition, IT and telecommunications, health, finance and insurance as well as transport and traffic) and new or lower thresholds for some of the existing categories in the energy and IT sectors. The government assumes that, under the new rules, there will be approximately 1,850 operators of critical infrastructure in Germany (up from approximately 1,600 under the current regime).
For foreign investment screening, the amendment’s biggest impact will likely be in the energy sector, where most transactions will now trigger a mandatory filing. The same will likely be true for investments in larger airports and cargo ports in the transport sector. The addition of the new category “intelligent transport systems” could also have far-reaching consequences. These and the other main changes are further explained below.
Software and IT services as a part of critical infrastructure
- Software and IT services are now deemed critical infrastructure if they are required for the operation of critical infrastructure. While some software companies may be surprised to see that their services can qualify as critical infrastructure under the new rules, the acquisition of such companies was already subject to mandatory screening under the old rules if the company specifically developed or produced software for the operation of a critical infrastructure. What is new is that the acquisition of or the investment into an IT service provider who only uses (but does not develop or produce) a software that is necessary for the operation of critical infrastructure for the provision of its services may now also be subject to the mandatory filing obligation and a stand-still obligation.
- The amendments in the energy sector will lead to the biggest increase in the number of operators of critical infrastructure. For the most part this is because the threshold that facilities must meet in order to be considered critical has been lowered significantly. While the previous threshold was a net nominal power of 420 MW, the new threshold is 104 MW, a figure that is typically exceeded by an average gas power plant. An even lower threshold (36 MW) applies for facilities that provide frequency containment reserve. And certain black start facilities are now always critical, regardless of their output (the new threshold is 0 MW).
- The amendment introduces a new threshold of 3.7 TWh for facilities or systems active in energy trade, which now includes futures trading.
- The amendment also includes a new category for trading systems for gas and crucial facilities or systems for the distribution of petroleum and products made from it, e.g. fuel and heating oil, which may now qualify as critical infrastructure.
Transport and traffic sector
- Managing bodies of airports and cargo ports can now qualify as critical infrastructure. This is explained as a necessary alignment with the Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). The government expects this to add 23 operators of critical infrastructure (22 for port management bodies and one for airport management bodies).
- The new sector of “intelligent transport systems” is also introduced as a result of the implementation of changes to the NIS Directive. Intelligent transport systems are defined as systems in which information and communication technologies are applied in the field of road transport as well as for interfaces with other modes of transport. If taken at face value and considering the state of digitisation in transport, this amendment could cover an immense breadth of companies, including car manufacturers, shared mobility services or digital map services. The government expects – without further explanation – an additional 34 operators of critical infrastructure in this sector.
IT and telecommunications sector
- The threshold for internet exchange points (IXPs) to qualify as critical infrastructure is lowered by two thirds (under the new rules, an average of 100 connected autonomous systems suffices for the IXP to qualify as critical), and the threshold for data centres is lowered by 30 per cent (3.5 instead of 5 MW contractually agreed capacity).
- Top level domain name registries are now considered critical infrastructure if they administer at least 250,000 domains.
- Certain IT services for laboratories can now be considered critical “laboratory information networks”, even if the individual laboratories which they service do not meet the threshold for critical infrastructure.
Finance and insurance sector
- Certain preparatory activities in relation to trading in securities and derivatives can now qualify as critical infrastructure. This is an expansion of the definition of a critical infrastructure in relation to securities and derivatives trading activities; previously only the clearing or settlement of securities and derivatives were caught.
An expansion of the scope of the NIS directive and a new EU directive on the resilience of critical entities are currently being negotiated, which could have an effect on foreign investment screening mechanisms in Germany and across the EU. Moreover, the coalition agreement of the new German government explicitly questions whether the current regulatory framework sufficiently protects critical infrastructure in Germany from foreign influence, so further changes regarding the regulation of critical infrastructure are on the horizon.