In a digitally connected world, a secure IT infrastructure is more important than ever. Companies classified as "critical infrastructures" (KRITIS) are considered particularly worthy of protection. If a KRITIS company experiences a failure, it can lead to significant supply shortages and potentially endanger public safety.
Until recently, seven sectors were classified as KRITIS in Germany: energy, water, food, information technology and telecommunications, health, finance and insurance, and transport and traffic. The IT Security Act 2.0 (IT-SiG 2.0) added municipal waste disposal as a further sector and introduced companies of special public interest (UBI, colloquially UNBÖFI) as a separate category with its own obligations; the latter are not a KRITIS sector in the strict sense.
By lowering thresholds in the KRITIS ordinance, the IT-SiG 2.0 brings significantly more organizations under the obligation to implement effective IT security measures. The underlying benchmark is unchanged: an installation counts as critical if it supplies a critical service to more than 500,000 people.
The BSI Critical Infrastructure Ordinance (BSI-KritisV) complements the IT Security Act, which has been in force since July 2015. Following the IT-SiG 2.0, the amended ordinance (commonly referred to as BSI-KritisV 1.5) was adopted in 2021 and came into force on January 1, 2022. It concretizes the Act's provisions and defines the thresholds, the categories of installations and the implementation requirements.
Companies operating near those thresholds should review them regularly for changes, since an amendment can bring an installation into scope without any change on the operator's side. Operators above the thresholds must meet the Act's IT security requirements and report significant disruptions of their IT systems directly to the BSI.
Deadlines and obligations under the new KRITIS Regulation 1.5:
The KRITIS sector for municipal waste disposal and the UBI/UNBÖFI will be defined in a separate KRITIS Regulation 2.0 and a UBI Regulation in 2022.
Companies must register with the BSI as soon as they identify themselves as KRITIS operators and must designate a point of contact. If an operator fails to register, the BSI may register it as a critical infrastructure on its own initiative and, where there are indications that an installation is in scope, may demand access to the documents needed to assess it.
With the IT-SiG 2.0, systems for attack detection (SzA) are explicitly part of the technical and organizational security measures required in KRITIS facilities. Such systems must continuously and automatically collect and evaluate suitable parameters and characteristics from ongoing operations, must be able to identify and avert threats on an ongoing basis, and must provide suitable remediation measures for disruptions that do occur. In practice this is implemented with a Security Information and Event Management (SIEM) system fed from central logging and operated by a Security Operations Center (SOC) that triages alerts and drives the response. A SIEM on its own is not an SzA: the BSI's orientation guide on SzA breaks the requirement into logging, detection and reaction, so log collection must cover the systems that actually deliver the critical service, detection rules must be maintained against current threats, and the reaction process must be defined and exercised rather than stopping at an alert.
The use of SzA is mandatory from May 1, 2023 (§ 8a (1a) BSIG).
KRITIS operators and companies of special public interest must, on request, provide the BSI with the information needed to manage a significant disruption.
Companies in certain sectors must notify the use of critical components, and the use of such components may be prohibited. Under § 2 BSIG as amended by the IT-SiG 2.0, critical components are IT products used in critical infrastructures whose failure would significantly impair the functioning of the facility. Which products count as critical components has yet to be defined for most sectors.
Operators must keep an inventory of critical IT products in their KRITIS facilities, including current information on manufacturers and product types. Previously, this requirement applied only to the KRITIS telecommunications sector.
The KRITIS protection goals (availability, integrity, authenticity and confidentiality) must be defined for the operationally relevant parts of the facility, included in the risk assessment and consistently taken into account in all processes. The extent of a risk to the public is measured by its impact on the functioning of the critical infrastructure and the critical service it provides.
Where security measures reflecting the state of the art are possible and appropriate, the operator must implement them. Transferring the risk, for example to an insurer, does not substitute for security measures, and a purely economic risk assessment is not sufficient: the law judges appropriateness by weighing the effort against the consequences of a failure for the affected critical infrastructure, not only against the operator's own costs.
KRITIS operators must demonstrate to the BSI every two years, by means of security audits, that they have implemented appropriate measures and comply with the applicable technical standards (§ 8a III BSIG).
An Information Security Management System (ISMS) is in practice indispensable for operators of critical infrastructures to meet the new requirements; the BSI's guidance for sector-specific security standards presupposes one. An ISMS not only addresses the IT security of the company but also structures business processes and responsibilities so that disruptions and information security risks are reduced.
KRITIS operators can fulfill the BSI requirements through certification according to ISO 27001, provided the audit additionally covers the KRITIS-specific aspects, in particular the protection goals under § 8a BSIG; an ISO 27001 certificate on its own is not a sufficient proof.
Alternatively, compliance can be demonstrated against a BSI-recognized sector-specific security standard (B3S) or by using the BSI's guidelines as the basis for the assessment.
In our brochure, we provide you with initial information and share experiences regarding implementation and certification.
As a reliable partner organization, we support you in the implementation and maintenance of a functioning information security management system. With certification from us, your company meets the requirements set forth in the IT Security Act and can demonstrate this externally with the appropriate certificate.