Protecting Critical Infrastructure – KRITIS

Operators of critical infrastructures (KRITIS) in Germany must implement suitable, state-of-the-art measures to protect this infrastructure and have it verified every two years. TÜV Hessen is the testing organization for KRITIS certification, in line with Section 8a of the Act on the Federal Office for Information Security (BSIG). We are happy to support you.

Email

Contact

Our modern organization aims to ensure that water and energy supplies, IT and mobility all run smoothly. The Federal Office for Information Security (BSI) and the Federal Office of Civil Protection and Disaster Assistance (BBK) have identified sectors and industries that operate critical infrastructure. These include organizations that are of significant importance for public welfare and the failure or impairment of which could have significant consequences for the population. Responsibility for protecting critical infrastructures such as these lies mainly with the respective owners or operators. 

These operators must therefore take suitable measures to protect the infrastructure and prevent interruptions. These involve identifying, understanding and minimizing risks, and preparing for potential crisis scenarios. In Germany, protection for critical infrastructure is governed by the IT Security Act, the Act on the Federal Office for Information Security (BSIG) and significantly by the Regulation for Determining Critical Infrastructures as per the BSIG (BSI-KritisV). 

 

Inspection report required

The BSI does not require certification. Instead, the law states that a suitably qualified inspection organization must verify protection. TÜV Hessen can help you to obtain the necessary verification report for the BSI.

This must be submitted every two years. Once the inspection is complete, we can create the required report for you so that you can submit it to the BSI. 

The following sectors and industries are defined as critical infrastructures according to the IT Security Act. The threshold values in the BSI-KritisV indicate which companies are affected in these sectors:

 

Energy

  • Electricity
  • Mineral oil
  • Gas
  • Health

Medical care

  • Medicines and vaccines
  • Laboratories
  • State administration

Government administration

  • Parliament
  • Judicial institutions
  • Emergency response organizations including disaster protection

Food

  • Food production
  • Food retail

Transport and traffic

  • Air transport
  • Shipping
  • Internal shipping
  • Rail transport
  • Road transport
  • Logistics

Finance and insurance

  • Banks
  • Stock exchanges
  • Insurance providers
  • Financial services providers

IT and telecommunications

  • Telecommunications
  • IT

Media and culture

  • Broadcasting (TV and radio)
  • Print and digital press
  • Cultural heritage
  • Symbolically important buildings and structures

Water

  • Public water supply
  • Public wastewater treatment

Do you have any further questions about the inspection report?
Contact us by email or give us a call! We will be happy to answer your questions.

Email

Contact

Legal background

Implementation of measures must be demonstrated to the BSI in the form of an inspection by a suitable inspection organization as per Section 8a of the BSIG. The BSIG also governs specific requirements for inspectors, inspection organizations, inspection procedures, and the related competence requirements. BSIG inspections focus on the availability of the critical service and the prevention of supply shortages. The inspections are based on industry-specific security standards (known as B3S), or use B3S as guidance together with industry-specific regulations and existing standards, such as ISO 27001. ISO 27001 certification alone is not sufficient, however, and does not replace the legally mandated demonstration of compliance as per Section 8a of the BSIG. A report on this is issued to the operator after a successful inspection by the inspection organization.

 

 

* Note: TÜV Technische Überwachung Hessen GmbH accepts no liability for the content or opinions published on these pages. Please contact the site operator if you have any complaints. Thank you for your understanding.