Legal Framework and Scope

IT Security Act 2.0: With the introduction of the IT Security Act 2.0, the obligations for KRITIS operators were significantly expanded. The audit in accordance with § 8a BSIG must be conducted every two years and submitted to the BSI as proof of compliance. 

§ 8a BSIG (Act on the Federal Office for Information Security) is a central provision within the German IT Security Act. It defines the requirements for ensuring information security within Critical Infrastructures (KRITIS).

KRITIS refers to facilities, systems, or components that are essential for the functioning of society. A failure or disruption of these infrastructures can lead to severe supply shortages or pose significant threats to public safety. 

KRITIS sectors include: Energy, Water, Food Supply, Information Technology and Telecommunications, Healthcare, Transport and Traffic, Finance and Insurance, and Waste Management.

The key elements of § 8a BSIG include:

Protection & Technical Security Measures 
  • KRITIS operators are required to implement appropriate organisational and technical measures to protect the IT systems, components, and processes that are essential for the functioning of critical infrastructures.
  • These precautionary measures must reflect the state of the art and are intended to prevent disruptions to availability, integrity, authenticity, and confidentiality.