In a digitally networked world, a secure IT infrastructure is more important than ever. Companies that are classified as "critical infrastructures" (KRITIS) are considered to be particularly worthy of protection. If a KRITIS company fails, this can result in long-term supply bottlenecks and public safety can also be jeopardised.
Until recently, seven different sectors in Germany belonged to the KRITIS. These include, for example, the energy, water, food, telecommunications, healthcare and finance sectors. As part of the IT Security Act 2.0 (IT-SiG 2.0), the sectors of municipal waste disposal and companies in the special public interest (UBI/UNBÖFI) have now also been added.
By lowering the thresholds in the KRITIS Regulation, the IT-SiG 2.0 now requires significantly more organisations to take effective measures to increase their IT security. In principle, the aim is to cover all companies that supply more than 500,000 people with their services and products.
Companies that supply more than 500,000 people with their services and products and are active in the following sectors:
The regulations on critical infrastructures (KRITIS) from the Federal Office for Information Security (BSI) supplement the IT Security Act, which has been in force since July 2015. Following the IT Security Act 2.0 in 2021, the government has now adopted BSI-KritisV 1.5 and brought it into force on 1 January. It specifies the provisions of the IT Security Act and defines thresholds, annexes and implementation requirements.
Companies whose figures lie close to these thresholds should check them at regular intervals for updates. The obligation to meet the high IT security requirements must be complied with, and disruptions to IT systems must be reported directly to the BSI.
Deadlines due to the new KRITIS Regulation 1.5:
Proof of implementation through KRITIS audits by 1 April 2024 at the latest
The KRITIS sector of municipal waste disposal and the UBI/UNBÖFI will be defined in a separate KRITIS Regulation 2.0 and a UBI Regulation in 2022.
The BSI obliges operators of critical infrastructures to fulfil certain requirements. Here you will find an overview of the measures to be implemented:
Companies must register with the BSI as soon as they are identified as a critical infrastructure operator and appoint a contact point. The BSI may independently register operators as critical infrastructure and request access to documents in certain circumstances if they do not fulfil their registration obligation.
With IT-SiG 2.0, systems for attack detection are now explicitly part of the technical and organisational security precautions for KRITIS systems. These must continuously and automatically record and analyse suitable parameters and characteristics from ongoing operations. They should be able to continuously identify and prevent threats and provide suitable remedial measures for any faults that occur. This requirement can be implemented using a Security Operations Centre (SOC) or Security Information and Event Management (SIEM), for example.
The use of SOCs is mandatory from 1 May 2023 at the latest.
KRITIS operators and companies in the special public interest are obliged to provide the BSI with information necessary for incident management in the event of significant incidents.
Companies must report the use of critical components in certain sectors. The use of such components may be prohibited. According to Section 2 IT-SiG, critical components are IT products whose failure would significantly impair the function of the system. Which components count as critical has yet to be defined for the respective sectors.
Operators must take an inventory of critical IT products in KRITIS systems, with up-to-date information on manufacturers and product types. Until now, this only applied to the KRITIS sector of telecommunications.
The KRITIS protection objectives (availability, confidentiality, integrity and authenticity) must be defined on the basis of the operationally relevant parts, included in the risk assessment and considered throughout all processes. The impact on the functionality of the critical infrastructure and the critical service should be the point of reference for the extent of a risk to the general public.
If security precautions are possible and appropriate according to the current state of the art, the operator must implement them. As a general rule, it is not possible to transfer risks, e.g. to insurance companies, and this is no substitute for security precautions.
A purely economic risk assessment is generally not sufficient.
In the form of security audits, KRITIS operators must prove to the BSI every two years that appropriate measures have been implemented and that technology standards have been met, according to Section 8a III BSIG.
The implementation of an Information Security Management System, or ISMS for short, is mandatory for operators of critical infrastructures in order to be able to implement the new security standards. An ISMS not only relates to the company's IT security, but also contributes to the optimisation of company processes and structures in order to reduce disruptions and risks with regard to information security management.
KRITIS operators can fulfil the requirements of the BSI, for example, through certification in accordance with ISO 27001, supplemented by the additional aspects of the KRITIS protection goals in accordance with §8a BSIG.
Another way of providing evidence is to use an industry-specific security standard (B3S) recognised by the BSI or the BSI's guidance document as a basis for testing.
In our brochure, we provide you with initial information and share with you our experiences with implementation and certification.
Here you will find the most important information at a glance:
As a reliable partner organisation, we support you in implementing and maintaining a functioning information security management system. With certification from us, your company fulfils the requirements set out in the IT Security Act and can also prove this to the outside world with a corresponding certificate.