
Critical infrastructure

Critical infrastructure (KRITIS) refers to facilities and systems in supply-relevant sectors whose failure would cause significant supply shortages or threats to public safety, and which are therefore subject to special security requirements.

Critical infrastructure (in German law: KRITIS) comprises facilities, installations and systems in the sectors defined by the legislator whose impairment or failure would lead to sustained supply shortages, serious disruptions to public safety, or other dramatic consequences for society. The Act on the Federal Office for Information Security (BSI Act, BSIG), as amended by the IT Security Acts, defines the legal framework, and the BSI Critical Infrastructure Ordinance (BSI-KritisV) specifies which installations within the covered sectors count as critical and the thresholds (for example, the number of people supplied) above which an installation is classified as such. The sectors currently covered are energy, water, food, information technology and telecommunications, healthcare, finance and insurance, transport and traffic, and municipal waste management. With the national transposition of the NIS2 Directive and the KRITIS umbrella act, the range of affected sectors and entities is being significantly expanded.

Operators of critical infrastructure bear special obligations. They must take appropriate organisational and technical precautions in line with the state of the art to ensure the availability, integrity, authenticity and confidentiality of their IT systems (Section 8a BSIG). Compliance must be demonstrated to the BSI at least every two years through security audits, assessments or certifications. In addition, operators must report significant disruptions and security incidents to the Federal Office for Information Security (BSI) and designate a contact point for communication with the BSI (Section 8b BSIG). Industry associations may develop sector-specific security standards (B3S), which the BSI can recognise as a suitable way of meeting the requirements of Section 8a; a recognised B3S then serves as the benchmark for the operator's measures and for the audit.

With the NIS2 Directive and its national transposition, the framework shifts from the pure KRITIS logic towards a broader concept of essential and important entities. Many organisations that were previously not classified as KRITIS will in future fall under comparable obligations regarding risk management, incident handling, supply chain security and management accountability. For operators this means carrying out an applicability assessment early on, establishing a systematic information security management system, and documenting the required evidence in an audit-ready manner. A structured approach along established frameworks such as ISO/IEC 27001, IT-Grundschutz or CISIS12 lays the foundation for meeting the special security requirements reliably and verifiably over the long term.

Legal Basis

Sections 8a, 8b BSIG (Act on the Federal Office for Information Security, as amended by the IT Security Acts); BSI Critical Infrastructure Ordinance (BSI-KritisV); NIS2 Directive (EU) 2022/2555

Practical Example

A regional water utility exceeds the threshold of the BSI Critical Infrastructure Ordinance based on the number of people it supplies and therefore qualifies as an operator of critical infrastructure. The information security officer first carries out an asset and protection-requirement assessment for the control and operating technology, derives appropriate state-of-the-art protective measures, and aligns them with the water industry's sector-specific security standard (B3S) recognised by the BSI. The officer then registers the contact point with the BSI, establishes a reporting process for significant disruptions, and plans the security audit, assessment or certification due every two years, whose results are submitted to the BSI in an audit-ready form.

FAQ

Which sectors count as critical infrastructure in Germany?
KRITIS covers the sectors energy, water, food, information technology and telecommunications, healthcare, finance and insurance, transport and traffic, and municipal waste management. The precise scope and the relevant thresholds are set out in the BSI Critical Infrastructure Ordinance. With NIS2, the range of affected sectors and entities is significantly expanded.

What obligations do KRITIS operators have?
Operators must take appropriate state-of-the-art precautions to safeguard the availability, integrity, authenticity and confidentiality of their IT systems. They demonstrate this to the BSI at least every two years through security audits, assessments or certifications, report significant disruptions, and designate a contact point. A sector-specific security standard (B3S) recognised by the BSI can serve as the benchmark for these measures and for the audit.

How does NIS2 change the KRITIS framework?
NIS2 extends the previous KRITIS approach with the categories of essential and important entities, thereby covering considerably more organisations. Many operators will in future be subject to comparable obligations regarding risk management, incident handling and supply chain security. An early applicability assessment provides clarity on the specific scope of obligations.
