KRITIS (Kritische Infrastrukturen)
Organizations and facilities that are critical to the national community, the failure or disruption of which would cause significant supply shortages or pose a serious threat. In Germany, these are regulated by the BSI-KritisV across 10 sectors.
KRITIS stands for Critical Infrastructure—organizations and facilities whose failure or disruption would result in long-lasting supply shortages, significant disruptions to public safety, or other dramatic consequences for the community. In Germany, the term is legally defined and regulated by the BSI Act (BSIG) and the BSI-Kritis Regulation (BSI-KritisV).
Definition and Legal Framework
The KRITIS concept in Germany rests on two legal foundations, the BSIG and the BSI-KritisV:
- Section 2(10) BSIG: Legal definition of critical infrastructure
- BSI-KritisV: Specifies the thresholds that determine which companies count as KRITIS
- Section 8a BSIG: Core obligations for KRITIS operators (state of the art, reporting obligation, proof of compliance)
The 10 KRITIS Sectors in Germany
The BSI-KritisV divides critical infrastructure into 10 sectors:
| Sector | Examples |
|---|---|
| Energy | Electricity, gas, petroleum, district heating |
| Water | Drinking water supply, wastewater disposal |
| Food | Food production, processing, trade |
| Information Technology and Telecommunications | Telecommunications networks, data centers, DNS |
| Healthcare | Hospitals, laboratories, pharmaceuticals, medical devices |
| Finance and Insurance | Banks, stock exchanges, insurance companies, payment transactions |
| Transport and Traffic | Rail, road, shipping, air, logistics |
| Media and Culture | Broadcasting, public communication networks |
| Municipal Waste Disposal | Waste disposal and treatment |
| Government and Administration | Parliament, government, judiciary, emergency services |
Thresholds of the BSI-KritisV
A company is considered a KRITIS operator if it provides services to at least 500,000 people or exceeds certain sector-specific thresholds. Examples:
- Energy: Electricity generation with 420 MW or more of installed capacity; gas supply networks with 1,400 GWh/year or more
- Water: Drinking water supply of 22 million m³/year or more; wastewater treatment serving 500,000 connected residents or more
- Healthcare: Hospitals with 30,000 or more inpatient cases per year; laboratories conducting 1.5 million or more tests per year
- Finance: Stock exchanges and clearing houses; payment processors with a transaction volume of 6 billion EUR or more per year
Operators must self-report compliance with these thresholds to the BSI.
Section 8a BSIG: Obligations for KRITIS Operators
KRITIS operators are subject to stricter obligations under Section 8a BSIG:
- State of the Art: Appropriate technical and organizational measures (TOMs) to protect information systems—BSI IT-Grundschutz is the reference
- Verification every 2 years: Security audits, inspections, or certifications, the results of which must be submitted to the BSI
- Reporting obligation: Significant disruptions to IT systems must be reported to the BSI immediately
- BSI contact point: Designation of a contact person for the BSI (available 24/7)
KRITIS-DachG: Recent Developments
The KRITIS-Dachgesetz (KRITIS-DachG) expands the protection of critical infrastructure to include physical security measures and introduces a cross-sectoral approach. It supplements the purely ICT-focused regulation of the BSIG with physical resilience requirements (access controls, perimeter security, redundancies). The KRITIS-DachG transposes the EU CER (Critical Entities Resilience) Directive into German law.
Relationship to NIS-2
NIS-2 and KRITIS complement each other: NIS-2 defines a broader scope (18 sectors, 50 or more employees), while KRITIS applies only to the most critical operators above high thresholds. KRITIS operators are automatically classified as essential entities under NIS-2 and are therefore subject to the stricter NIS-2 requirements (higher fines, personal liability of management, shorter reporting deadlines).
An ISO 27001-certified ISMS based on BSI IT-Grundschutz is the recommended foundation for KRITIS compliance: it simultaneously fulfills the Section 8a BSIG documentation requirement and the essential NIS-2 requirements.