CRITIS Audit

IT security for operators of critical infrastructures

In order to ensure the security of society and the economy, the German IT Security Act (IT-SiG) in the 2021 amended version 2.0 and the correspondingly updated German CRITIS Ordinance (KritisV) require operators of critical infrastructures in Germany to implement and demonstrate an extended minimum security level and to comply with stricter reporting obligations.

Our experienced CRITIS auditors check and evaluate the current protection and security level of your IT infrastructure according to the transparent criteria previously defined in a so-called test basis.
Would you like to find out more about the audit of critical infrastructures in accordance with Section 8a BSIG to fulfill the corresponding requirements from the German IT-SiG 2.0, taking into account the requirements from the German KritisV?

Protection of critical infrastructures reliably implemented

Infrastructures are classified as critical if facilities, systems or parts thereof are of great importance to the state community due to their size and degree of interconnectedness and if their failure or impairment threatens significant supply bottlenecks, restrictions to public security or other dramatic consequences.
The 4th Amendment Ordinance to the BSI Criticality Ordinance came into force on 1.1.24. The German KritisV defines which systems and operators belong to the critical infrastructure and which threshold values apply for classification.
The draft NIS2 implementation of November 2024 contains an amended version of the previous German KritisV for NIS2 in Art. 8. NIS2 may not result in a new legal ordinance for the designation of critical facilities, but the existing one will be adapted.
CRITIS operators are obliged:
  • to name a contact point (§ 8b (3) BSIG - German law),
  • to report information technology-related faults immediately (§ 8b (4) BSIG),
  • to comply with the "state of the art" when implementing security measures (§ 8a (1) sentence 2 BSIG),
  • and to provide evidence of this to the BSI every two years (§ 8a (3) BSIG).
The operator must draw up and implement a so-called test basis, which must subsequently be agreed with the test service provider. This should consist of various sources, standards and regulations, e.g. ISO/IEC 27001 or an industry-specific security standard (B3S).
Companies must submit the results to the Federal Office for Information Security. If security deficiencies occur, the BSI can demand that they are rectified.
Procedure of the CRITIS Audit
Operators of electricity and gas grids are subject to corresponding obligations under federal law. DEKRA offers CRITIS audits for selected industries as proof of compliance with legal requirements. As an operator of critical infrastructures, you must register with the BSI. You should have implemented a level of cyber security and IT security in your company that meets the requirements. This includes state-of-the-art technical and organizational protective measures to protect your IT and OT infrastructure as well as the use of attack detection systems.
A CRITIS audit by our auditors takes place in 6 steps:
  • Audit preparation, including the selection of the audit basis and the audit of the scope
  • Preparation of the audit plan
  • Documentation review
  • On-site audit
  • Follow-up of the on-site audit
  • Preparation of the audit report and the list of deficiencies
About CRITIS

We provide you with comprehensive support in the following sectors:

  • Healthcare: Hospitals
  • IT & TC: Data centers
  • Transport & traffic: Petrol station network operators
  • Transport & traffic: Traffic (network) control companies
  • Energy: Energy trading
New requirements for CRITIS operators through the German IT-SiG 2.0
The current version of the German IT-SiG 2.0 of 2021 introduces numerous innovations and extended obligations for operators of critical infrastructures. Among other things, the definition of CRITIS sectors and the threshold values have been changed.
The German IT-SiG 2.0 also obliges all CRITIS operators to implement extended security measures for their IT since 01.05.2023.
To this end, IT systems must be brought up to the latest state of the art in order to keep their susceptibility to faults as low as possible. The CRITIS operators must carry out a CRITIS audit for this and submit the result to the BSI as proof of testing.
The BSI, which is responsible as the German supervisory authority, will also be given extended powers and information on the “state of the art” for IT security products and will in future also have the authority to detect security risks itself - for example through corresponding attack scenarios. Possible fines for violations can now amount to a maximum of 20 million euros.
Further information on the new requirements of the IT-SiG 2.0 can be found here.

Reliably audit the IT Security Act with expertise

  • Our CRITIS auditors provide independent and objective support to check whether the defined requirements (test basis) have been implemented or whether deficiencies need to be rectified.
  • With a neutral audit, you can credibly demonstrate your expertise worldwide.
Would you like to learn more about our audits for critical infrastructure and the CRITIS Audit? Then arrange your meeting now!