KRITIS:
Germany's Critical Infrastructure Security Framework

KRITIS (Kritische Infrastrukturen) is Germany's framework for protecting critical infrastructure operators. Defined by the Federal Office for Information Security (BSI), KRITIS covers organizations whose failure would cause sustained supply shortages, significant disruptions to public safety, or other severe consequences. Operators are legally defined under the BSI Act (BSIG) and the BSI KRITIS Ordinance (BSI-KritisV). KRITIS is Germany's implementation of the EU NIS2 framework at the national level - similar in scope to the UK NIS Regulations or the US CISA Critical Infrastructure framework, but specifically tailored to German law.

The BSI KRITIS Ordinance defines ten sectors as critical infrastructure: (1) Energy: electricity, gas, district heating, petroleum and fuels. (2) Water: drinking water supply and wastewater disposal. (3) Food: food production and supply. (4) IT and Telecommunications: information technology and telecommunications services. (5) Transport and Traffic: aviation, rail, inland waterways, maritime and road transport. (6) Health: hospitals, laboratories, pharmacies and pharmaceutical companies. (7) Finance and Insurance: banks, stock exchanges, insurance companies and payment operators. (8) Municipal Waste Management: waste industry and disposal. (9) State and Administration: federal agencies, parliaments and judiciary. (10) Media and Culture: broadcasting and major cultural institutions.

§8a of the BSI Act (BSIG) requires critical infrastructure operators to implement appropriate organizational and technical measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components or processes that are essential to the functioning of their critical infrastructure. These measures must comply with the state of the art. KRITIS operators must demonstrate compliance every two years through security audits, assessments or certifications. Proof is submitted to the BSI. There is also a 72-hour mandatory reporting obligation for significant IT disruptions and a mandatory registration requirement with the BSI.

The KRITIS threshold determines from which supply capacity an operator is considered critical infrastructure. It is sector-specific and defined in the BSI KRITIS Ordinance (BSI-KritisV). Most thresholds are set at 500,000 "supply units" - depending on the sector this may be residents, customers, patients, transactions or other metrics. Examples: Energy: 3,700 GWh/year installed generation capacity; Drinking water: 500,000 supplied residents; Health: 30,000 inpatient cases per year; Finance: 15 million transactions/year; IT and telecommunications: 100,000 customers. Organizations should determine their KRITIS status through a structured self-assessment based on the BSI-KritisV.

The KRITIS Umbrella Act (KRITIS-Dachgesetz) is Germany's implementation of the EU CER Directive (EU 2022/2557) on the resilience of critical entities. While §31 BSIG addresses IT security (cybersecurity), the KRITIS Umbrella Act mandates physical security measures: perimeter protection (fences, access control, video surveillance), security concepts for critical facilities, coordination with authorities and law enforcement, and binding minimum standards for physical resilience. The act also expands the circle of regulated entities and introduces new sectors (space, media and culture).

KRITIS and NIS2 are closely interlinked but not identical. KRITIS is the German term for regulated critical infrastructure operators under the BSIG; NIS2 (Directive EU 2022/2555) is the European framework transposed into German law since October 2024. KRITIS operators automatically fall under NIS2 as "essential entities." However, NIS2 goes significantly further than KRITIS: instead of approximately 2,000 KRITIS operators, NIS2 affects up to 30,000 German companies. NIS2 expands the regulated sectors (including cloud providers, data centers, chemical industry) and tightens requirements - particularly through personal management liability. Learn more on our <a href="/en/topics/nis2/" style="color: inherit; text-decoration: underline;">NIS2 topic page</a>.

The BSI accepts various security frameworks as evidence of §31 BSIG compliance: ISO/IEC 27001 (international standard for information security management systems) is the most commonly used and explicitly recognized by the BSI. BSI IT-Grundschutz (baseline or standard protection) is the German approach with detailed control catalogs; an ISO 27001 certification based on IT-Grundschutz is possible. Sector-specific security standards (B3S) are BSI-approved sector-specific standards developed by industry associations - e.g., for hospitals (B3S Hospital) or energy suppliers. IEC 62443 is the relevant standard for OT/SCADA systems in sectors such as energy or water. A combination of these frameworks is possible and often advisable.

AWARE7 supports KRITIS operators with specialized services for the entire §8a compliance cycle: gap analysis against ISO 27001, BSI IT-Grundschutz or sector-specific B3S standards; ISMS implementation and operations; penetration tests and vulnerability scans to verify technical measures; support implementing attack detection systems (SzA/SIEM requirements); preparation for BSI audits and external assessments; NIS2 gap analysis for organizations newly regulated under the directive. Chris Wojzechowski holds the §31 BSIG audit qualification, which is required for certain audit activities in the KRITIS environment.