Cybersecurity alone isn’t enough – KRITIS protection must include secure data destruction.
Critical infrastructures are the invisible lifelines of our daily lives – as long as they function, we hardly notice them, but without them, everything collapses. They include facilities and systems essential for the functioning of society, such as electricity and water supply, food, healthcare, transport, finance, or telecommunications.
Large volumes of sensitive data are generated daily in these sectors. While digital security measures such as firewalls, encryption and access control are now standard, the secure disposal of physical data carriers is often underestimated. Old files, decommissioned hard drives, USB sticks, or backup tapes still contain confidential information, and if they are disposed of improperly that information can be recovered by anyone who obtains the media.
Critical infrastructures face increasing pressure today – not only from natural disasters such as heavy rain or earthquakes, pandemics, or geopolitical conflicts, but particularly from cyberattacks and targeted data theft, which have become one of the greatest threats. Stolen patient records, compromised financial information, or manipulated administrative files can destabilize entire sectors of society. Acts of sabotage and hybrid threats demonstrate that protecting critical infrastructures is no longer solely a matter of physical security but primarily a matter of information security.
Until recently, many countries had numerous sector-specific regulations, standards, and norms that were inconsistent and often non-binding. A coherent, internationally compatible legal framework was missing, which made it difficult both to defend against cyberattacks and data breaches and to demonstrate compliance to authorities or courts. Uniform rules and binding compliance requirements are therefore essential to ensure that operators and states are legally protected.
In Europe, the CER Directive (EU 2022/2557) on the resilience of critical entities and the NIS-2 Directive (EU 2022/2555) on network and information security set binding standards. Other countries, such as the USA, Canada, or Australia, also have laws addressing the protection of critical infrastructures and the handling of data breaches. Without legally binding obligations for risk management, incident reporting, and protective measures, the defense against critical threats remains incomplete.
Modern regulations pursue a dual goal: critical services must remain operational or be quickly restored in case of attacks or outages, and legal frameworks must clearly define responsibilities, documentation duties, and sanctions. Only in this way can operators ensure they are not only technically but also legally protected in the event of a cyberattack or data breach.
At the European level, the CER Directive (EU 2022/2557) and the NIS-2 Directive (EU 2022/2555) form the basis for enhancing resilience and cybersecurity in critical sectors. Member states are required to transpose both directives into national law. Several countries, such as France, the Netherlands, and Spain, have already enacted national legislation to this end.
In Germany, the protection of critical infrastructures is primarily governed by the IT Security Act, the BSI Act, and the new KRITIS Framework Act (KRITIS-Dachgesetz). The KRITIS Framework Act transposes the CER Directive and unifies previously fragmented regulations for the physical resilience of critical facilities, while the NIS-2 Directive is transposed through the NIS-2 Implementation Act, which amends the BSI Act. Together they create a cross-sector legal framework covering both physical security and cyber resilience, including IT security requirements, risk and emergency management, and incident reporting. Operators are obliged to protect sensitive information throughout its life cycle, which includes the secure physical destruction of data carriers that are taken out of service.
In the United States, comprehensive regulations for protecting critical infrastructures were introduced shortly after the September 11 attacks in 2001. Key agencies include the Department of Homeland Security (DHS) and, since 2018, the Cybersecurity and Infrastructure Security Agency (CISA). The USA PATRIOT Act (Section 1016) provides the legal definition of critical infrastructure, and Presidential Policy Directive 21 (PPD-21) identifies the 16 critical infrastructure sectors. The focus is on protection against terrorism, cyberattacks, and natural disasters. Operators are also required under laws such as HIPAA (healthcare), GLBA (financial sector), and FACTA (Disposal Rule) to securely dispose of sensitive data. NIST SP 800-88, the Guidelines for Media Sanitization, defines three sanitization levels (Clear, Purge, Destroy) together with verification and documentation requirements, so that documents, hard drives, or other storage media leaving an organization's control cannot be misused.
Since 2009, Canada has pursued its own National Strategy for Critical Infrastructure, based on close cooperation between federal, provincial, and private operators. The focus areas are cybersecurity, disaster preparedness, and protection against terrorist threats.
Australia enacted the Security of Critical Infrastructure Act (SOCI Act) in 2018, which was further strengthened in 2021. Operators in energy, water, communications, health, and transport sectors are required to implement specific security and resilience measures.
In Japan, the Basic Act on Cybersecurity, together with other national strategies, governs the protection of critical infrastructures. Particular attention is given to energy, transport, and finance – sectors highly vulnerable to natural disasters such as earthquakes and tsunamis.
Many other countries, including the United Kingdom, Israel, and Singapore, have developed their own Critical Infrastructure Protection (CIP) programs. International organizations such as NATO and the OECD also provide guidelines and recommendations to coordinate the protection of critical infrastructures on a global level.
Even operators of critical infrastructures with state-of-the-art IT security remain vulnerable if physical data carriers are not securely and permanently destroyed. Improperly disposed documents, server hard drives, or mobile storage devices can lead to major data leaks. In KRITIS sectors such as energy, healthcare, or public administration, such incidents could have not only economic consequences but also threaten supply security, public order, and public trust.
To mitigate these risks, several methods are available; which one is appropriate depends on the media type and the required security level:
Document Shredding: Confidential files, plans, or printed data are mechanically shredded to a particle size matching the required security level, so that the pages cannot be reconstructed.
Degaussing: Strong magnetic fields irreversibly erase data on magnetic media such as hard drives and magnetic tapes. A degaussed hard drive is also unusable afterwards because its servo tracks are destroyed. Degaussing has no effect on SSDs, USB sticks, or other flash-based media, which must be destroyed physically instead.
Physical Destruction: Storage media such as server HDDs, SSDs, USB sticks, or optical media are shredded or granulated to ensure complete destruction. This is the only method that works regardless of whether the device is damaged, encrypted, or otherwise no longer readable, since it does not depend on the device's own controller.
In critical infrastructures, these measures prevent sensitive information on control systems, patient care, or financial flows from falling into the wrong hands.
The protection of sensitive data in KRITIS sectors is subject to strict legal requirements worldwide:
Europe: GDPR, DIN 66399, ISO/IEC 21964, as well as the NIS-2 and CER Directives.
USA: Sector-specific regulations such as HIPAA, GLBA, and CISA requirements for energy and transport.
International: Information security standards such as ISO/IEC 27001 and sector-specific compliance requirements for operators of critical infrastructures.
Mandatory incident reporting further emphasizes the need for verifiable and auditable data destruction: if a data carrier cannot be accounted for, the operator must be able to prove when and how it was destroyed. Sensitive data that must be protected through to its destruction includes, by sector:
Healthcare: Patient records and medical data, where misuse could endanger lives.
Energy Supply: Operational and control data critical to network stability and supply security.
Finance: Transaction data and customer information, essential for financial stability.
Transport & Administration: Protection of confidential administrative records, logistics data, and security-relevant information.
Physical data destruction is a key component of ensuring the resilience of critical infrastructures. Combined with digital safeguards such as encryption, network monitoring, and access controls, it creates a comprehensive security approach that meets both international standards and the specific requirements of KRITIS sectors.
👉 Further reading: NIS-2 Directive: Strengthening Cybersecurity Across Europe since October 17, 2024