Legal Framework and Scope

IT Security Act 2.0: With the introduction of the IT Security Act 2.0, the obligations for KRITIS operators were significantly expanded. The audit in accordance with § 8a BSIG must be conducted every two years and submitted to the BSI as proof of compliance. 

§ 8a BSIG (Federal Office for Information Security Act) is a central provision within the German IT Security Act. It defines the requirements for ensuring information security within Critical Infrastructures (KRITIS). 

KRITIS refers to facilities, systems, or components that are essential for the functioning of society. A failure or disruption of these infrastructures can lead to severe supply shortages or pose significant threats to public safety. 

KRITIS sectors include: Energy, Water, Food Supply, Information Technology and Telecommunications, Healthcare, Transport and Traffic, Finance and Insurance, and Waste Management.

The key elements of § 8a BSIG include:

Protection & Technical Security Measures 
  • KRITIS operators are required to implement appropriate organisational and technical measures to protect the IT systems, components, and processes that are essential for the functioning of critical infrastructures.
  • These precautionary measures must reflect the state of the art and are intended to prevent disruptions to availability, integrity, authenticity, and confidentiality.
Attack Detection & Continuous Evidence 
  • Since May 2023, the use of automated attack detection systems has become mandatory.
  • Operators must provide proof to the Federal Office for Information Security (BSI) that the required security measures have been implemented no later than two years after the respective regulation enters into force, and every two years thereafter.

Patrick Rischar

Head of Audit Service Management