Critical infrastructures (KRITIS)

According to the structure of the Federal Office for Civil Protection and Disaster Relief, critical infrastructures are divided into nine sectors with the following industries:

  • Energy network operator
  • Nutrition (food trade)
  • Finance and insurance
  • Public Health
  • Information technology and telecommunications
  • Media and culture
  • State and administration
  • Transport and traffic
  • Water supply

Operators of critical infrastructures (KRITIS operators) in these sectors are obliged under the IT Security Regulations to comply with certain minimum IT standards in order to avoid related incidents.

A critical infrastructure is

  • a plant,
  • a system,
  • or part thereof

which is essential for the maintenance of important social functions and whose disruption/destruction has a significant impact on

  • health,
  • the safety and
  • economic and/or social well-being

of the population.

KRITIS companies must report IT infrastructure faults to the Federal Office for Information Security (BSI) and appoint a contact person for the BSI.
According to BSIG §8a Security in the Information Technology of Critical Infrastructures and the IT Security Regulations valid since 2015, KRITIS operators must guarantee the requirements for the technical status of the systems they operate and for information security.
The further development of the IT Security Regulations (2.0) in the BMI’s draft of 27.3.2019 indicates further/new requirements for the areas.

These are, for example:

  • Infrastructures in special public interest

    • Military industry
    • Culture and media
    • Investments and systems of companies from the DAX classifications
  • Increase of financial penalties for violations of legal requirements
  • Minimum standards for KRITIS core competencies
  • Installation of systems for the detection of attacks
  • Extended BSI authorizations

For the implementation of the requirements from §8a of the BSI law and the IT security law, KRITIS operators and their associations can develop industry-specific security standards (B3S) and have them reviewed and approved by the BSI.

Critical infrastructure operators – what is to be done in practice?

All these requirements and specifications require the establishment and sustainable operation of an information security management system.

The GRC, data protection & ISMS software QSEC supports the development and operation of an information security management system following the requirements of

  • ISO/IEC 27001, and
  • BSI (IT-Grundschutz) (replacement of GS-Tool), including
  • sector-specific B3S standards applicable to the relevant KRITIS sector

The analysis and identification of vulnerabilities and risks, including risk assessment, risk response and the implementation of appropriate measures, is supported and simplified by QSEC for KRITIS operators. QSEC provides this in complete compliance with the requirements of legal regulations and applicable standards, conveniently via workflow, wizard and task functionalities.

In addition, extensive content, such as sample documents and proposals for measures based on best practice, facilitates the work and the cost- and resource-optimized implementation of tasks for KRITIS operators.

