The interaction between security management in public and private organisations includes complex challenges. In particular in critical infrastructure sectors, there is a need for instruments that enable the holistic and overarching management of private and public providers. Cross-organisational structures and processes should be defined, but are difficult to establish in federal governmental structures due to different legislative levels and scopes. The paper investigates this challenge using Germany and the Free Hanseatic City of Bremen as example. The study proposes the development of an “Enterprise Architecture Framework” integrating and overarching the organizational structurers for both, a federal state, its municipalities and the (private) critical infrastructure providers in these municipalities. The main contributions of this paper are based on the results of an interview study. The interview partners were representatives of enterprises and public bodies covered by the federal IT security regulations. The contribution of the paper is the identification of security management challenges for services of general interest and how to increase the resilience of public service providers. Cybersecurity management in the context of public institutions is in focus.