IT Security Law and KRITIS regarding information technology and telecommunications


Information and communication technologies are highly critical because their failure or disruption could lead to supply shortages and/or disruptions with unpredictable consequences for the common good or public security.

The IT Security Law therefore requires operators of critical infrastructures in the information technology and telecommunications sector to keep their IT security at the “state of the art” and to establish an information security and risk management system.

As the basis for such an approach, a management system should be established for

  • information security management according to ISO 27001 and/or the BSI standard (IT-Grundschutz) and
  • the implementation of the legal requirements for data protection according to the EU GDPR.

The requirements for KRITIS operators are as follows:

  • Security requirements of § 109 TKG
  • IT Security Catalog for Networks
  • IT Security Catalog for Energy Systems
  • B3S data center, server farm and content delivery network.

The GRC software QSEC provides comprehensive support in the development and operation of an ISMS according to ISO 27001 and a data protection management system according to GDPR, including the special requirements from the catalogs of security requirements of the Federal Network Agency (BNetzA).
The implementation of further catalogs and standards is possible through the easy catalog entry and maintenance function.

In QSEC, the complete

  • Risk Management
  • Measures Management and the
  • Data Protection Requirements according to GDPR

are implemented and sustainably operated, reviewed and improved.
