CRITIS Audit

IT security for operators of critical operational infrastructure

To ensure the security of civil society and the economy, in accordance with Version 2.0 of the German Federal IT Security Act (IT-SiG), amended in 2021, and the correspondingly updated German CRITIS Ordinance (KritisV – Ordinance on the Determination of Critical Infrastructures under the BSI Act, BSI-KritisV), operators of critical infrastructure in Germany are now obliged to implement an extended minimum security level, which they must demonstrate, and to comply with stricter reporting requirements.

Our experienced experts review and assess the current level of protection and security of your IT infrastructure according to the transparent criteria set by the legislator, and help you to effectively meet the new requirements.
Would you like to learn more about the audit of critical infrastructure in accordance with § 8a BSIG? Schedule a meeting with us now!

We can offer you comprehensive support in the following sectors:

  • Network operators (energy)
    Operators of electricity and gas networks are required by the Federal Network Agency (BNetzA) to introduce a certified information security management system based on the German IT Security Catalog so as to ensure a secure supply of energy. Our experts will competently and confidently accompany you during your assessment against the requirements of the German IT Security Catalog under Section 11 (1a) EnWG, from your individual initial quote through to the receipt of your certificate.
  • Suppliers/producers (energy)
  • IT and telecommunications
  • Nutrition
  • Water / wastewater
  • Transport and traffic
  • Healthcare
  • Finance and insurance
  • Municipal waste disposal
  • Companies of special public interest

The protection of critical infrastructure reliably implemented

Infrastructure is classified as critical if facilities, installations or parts thereof are of major importance to civil society due to their scale and degree of interconnectedness, and if their failure or impairment threatens to cause significant supply shortages, impairments of public safety or would have other serious consequences.
Following the IT Security Act 2.0, the legislator also issued an updated CRITIS Ordinance in Version 1.5 (also known as CRITIS Ordinance 2.0) in 2021. This has been in force since January 1st, 2022, and defines which facilities and operators are considered to be critical infrastructure and what thresholds apply for classification. The CRITIS sector for municipal waste disposal and the sector of companies operating in special public interest will be defined in a separate CRITIS Ordinance 2.0 and a UBI Ordinance in 2022.
In accordance with KritisV 1.5, CRITIS operators are required:
  • to appoint a contact point
  • to promptly report IT faults
  • to implement the “state of the art” according to the industry-specific security standards
  • and to demonstrate this to the BSI every two years (Section 8a (3) of the Act on the Federal Office for Information Security (BSIG)).
As proof of compliance, the BSI accepts security audits, assessments and certifications. Companies are required to submit the results to the Federal Office for Information Security. If security deficiencies are found, the BSI can request their rectification.
Unlike most of the infrastructure sectors named above, which we audit as part of our CRITIS services, operators of electricity and gas networks are additionally certified according to the IT Security Catalog in accordance with Section 11 (1a) of the Act on the Federal Network Agency (BNETZA). The basis for the accreditation of the certification body with the German Accreditation Body (DAkkS) is the conformity assessment program.
CRITIS Audit
Our experts can offer you comprehensive audits as proof of your compliance with the CRITIS Ordinance. To do this, you are required to register with the BSI as a critical infrastructure operator. You need to have implemented a level of cyber security and IT security in your company that meets the requirements. This includes organizational measures, such as an implemented information security management system (ISMS), state-of-the-art technological protection measures to protect your IT and IT infrastructure, as well as systems and processes for attack detection, such as security information and event management (SIEM) or a security operations center (SOC).
A CRITIS audit by our experts takes place in 6 steps:
1. Preparation of the audit, including the choice of the basis for the audit and assessment of the scope of application
2. Preparation of the audit plan
3. Documentation review
4. On-site audit
5. Follow-up to the on-site audit
6. Preparation of the audit report and the list of deficiencies
About CRITIS
New requirements for CRITIS operators according to IT-SiG 2.0
The current version of the IT Security Act 2.0 (IT-SiG 2.0) from 2021 introduces numerous amendments and extended obligations for operators of critical infrastructure. Among other updates, the definition of the CRITIS sectors and the threshold values have changed.
The IT-SiG 2.0 also obliges all CRITIS operators to implement extended security measures for their IT by 05/01/2023 at the latest.
Accordingly, IT systems have to be brought up to date with the latest technology to ensure their susceptibility to errors is as low as possible. CRITIS operators also have to demonstrate this in the form of security audits, assessments and certifications.
The BSI, which is the responsible supervisory authority, has also been given expanded competencies and is responsible for defining the latest “state of the art” for IT security products, and will also have the power to detect security risks itself – through appropriate attack scenarios, for example. Fines for infringements can now amount to 20 million euros.

Implement the IT Security Act reliably with our know-how

  • Our experts will support you in ensuring the IT security of your critical infrastructure drawing on their many years of experience and extensive know-how.
  • With a neutral audit by the highly-regarded DEKRA auditors, you can demonstrate your competence on a trustworthy and global basis.
  • Make use of our services in other areas of corporate security and benefit from the option of a combined certification, for example together with ISO 27001 certification.
Would you like to learn more about our audits for critical infrastructure and the CRITIS audit? Then arrange your meeting now!