Article: NIS-2 Directive to become national law
Read more
CRITIS Audit
IT security for operators of critical infrastructures
In order to ensure the security of society and the economy, the German IT Security Act (IT-SiG) in the 2021 amended version 2.0 and the correspondingly updated German CRITIS Ordinance (KritisV) require operators of critical infrastructures in Germany to implement and demonstrate an extended minimum security level and to comply with stricter reporting obligations.
Our experienced CRITIS auditors check and evaluate the current protection and security level of your IT infrastructure according to the transparent criteria previously defined in a so-called test basis.
Would you like to find out more about the audit of critical infrastructures in accordance with Section 8a BSIG to fulfill the corresponding requirements from the German IT-SiG 2.0, taking into account the requirements from the German KritisV?
Your benefits from a CRITIS Audit
- Compliance with current legal requirements, e.g. from the German IT-SiG 2.0
- Support improvement of the level of protection and security through regular independent audits
- Effective information security in accordance with valid standards or regulations such as ISO/IEC 27001 or industry-specific security standards (B3S)
- Professional and efficient implementation of CRITIS audits by experienced and appropriately approved CRITIS auditors
Protection of critical infrastructures reliably implemented
Infrastructures are classified as critical if facilities, systems or parts thereof are of great importance to the state community due to their size and degree of interconnectedness and if their failure or impairment threatens significant supply bottlenecks, restrictions to public security or other dramatic consequences.
The 4th Amendment Ordinance to the BSI Criticality Ordinance came into force on 1.1.24. The German KritisV defines which systems and operators belong to the critical infrastructure and which threshold values apply for classification.
The draft NIS2 implementation of November 2024 contains an amended version of the previous German KritisV for NIS2 in Art. 8. NIS2 may not result in a new legal ordinance for the designation of critical facilities, but the existing one will be adapted.
CRITIS operators are obliged
- to name a contact point (§ 8b (3) BSIG - German law)
- to report information technology-related faults immediately (§ 8b (4) BSIG)
- to comply with the "state of the art" when implementing security measures (§ 8a (1) sentence 2 BSIG).
- and to provide evidence of this to the BSI every two years (§ 8a (3) BSIG).
The operator must draw and implement up a so-called test basis, which must be agreed with the test service provider at a later date. This should consist of various sources, standards and regulations, e.g. ISO/IEC 27001 or an industry-specific security standard (B3S).
Companies must submit the results to the Federal Office for Information Security. If security deficiencies occur, the BSI can demand that they are rectified.
Operators of electricity and gas grids are required by federal law. DEKRA offers CRITIS audits for selected industries as proof of compliance with legal requirements. As an operator of critical infrastructures, you must register with the BSI. You should have implemented a level of cyber security and IT security in your company that meets the requirements. This includes state-of-the-art technical and organizational protective measures to protect your IT and OT infrastructure as well as the use of attack detection systems.
A CRITIS audit by our auditors takes place in 6 steps:
- Audit preparation, including the selection of the audit basis and the audit of the scope
- Preparation of the audit plan
- Documentation review
- On-site audit
- Follow-up of the on-site audit
- Preparation of the audit report and the list of deficiencies
The CRITIS Regulation defines the sectors in which critical services are provided to the general public. These can be found in the figure below.
The German KritisV defines the CRITIS facilities that provide critical services. In addition, the ordinance contains threshold values for when a facility is to be considered critical infrastructure.
We provide you with comprehensive support in the following sectors:
- Healthcare: Hospitals
- IT & TC: Data centers
- Transportation & traffic: gas station network operators, traffic (network) control companies
- Energy: Energy trading
- Disposal of municipal waste: Municipal waste disposal companies
The current version of the German IT-SiG 2.0 of 2021 introduces numerous innovations and extended obligations for operators of critical infrastructures. Among other things, the definition of CRITIS sectors and the threshold values have been changed.
The German IT-SiG 2.0 also obliges all CRITIS operators to implement extended security measures for their IT since 01.05.2023.
To this end, IT systems must be brought up to the latest state of the art in order to keep their susceptibility to faults as low as possible. The CRITIS operators must carry out a CRITIS audit for this and submit the result to the BSI as proof of testing.
The BSI, which is responsible as the German supervisory authority, will also be given extended powers and information on the “state of the art” for IT security products and will in future also have the authority to detect security risks itself - for example through corresponding attack scenarios. Possible fines for violations can now amount to a maximum of 20 million euros.
Further information on the new requirements of the IT-SiG 2.0 can be found here.
Reliably audit the IT Security Act with expertise
- Our CRITIS auditors provide independent and objective support to check whether the defined requirements (test basis) have been implemented or whether deficiencies need to be rectified.
- With a neutral audit, you can demonstrate your expertise in a trustworthy and global manner.
Would you like to learn more about our audits for critical infrastructure and the CRITIS Audit? Then arrange your meeting now!
