
Critical infrastructure (KRITIS): definition, protection and NIS2

KRITIS - Critical Infrastructure in Germany: Which sectors are affected, what cybersecurity obligations apply, and how the NIS2 Directive strengthens protection.


Hospitals, power plants, water supply systems, banks: compromising these systems can endanger lives and destabilise entire societies. That is why operators of critical infrastructure in Germany are subject to specific cybersecurity obligations, obligations that the NIS2 Directive, whose EU transposition deadline was 17 October 2024, extends to a far larger set of entities.

What is critical infrastructure (KRITIS)?

Critical infrastructure refers to organizations and facilities of vital importance to the state, the failure or disruption of which would result in long-lasting supply shortages, significant disruptions to public safety, or other dramatic consequences (BSI definition).

The term "KRITIS" is the commonly used abbreviation in Germany and refers to operators legally defined under the BSI Act and the BSI-KRITIS Ordinance.

The KRITIS Sectors in Germany

The national KRITIS concept lists 10 sectors; the BSI-KRITIS Ordinance (BSI-KritisV) sets binding thresholds for 8 of them:

Sector | Industries | Threshold (BSI-KritisV)
Energy | Electricity, gas, district heating, mineral oil, fuels | 500,000 supplied persons
Water | Drinking water, wastewater | 500,000 supplied persons
Food | Food supply | 500,000 supplied persons
IT and Telecommunications | Information technology and telecommunications services | 500,000 subscribers/users
Transportation and Traffic | Aviation, rail transport, maritime shipping, road transport | Sector-specific
Healthcare | Hospitals, laboratories, pharmacies, pharmaceuticals | 30,000 inpatient cases/year (hospitals); other thresholds for laboratories and pharmaceuticals
Finance and Insurance | Banks, stock exchanges, insurance companies, payment systems | Sector-specific
Municipal Waste Management | Waste management | 500,000 residents
Government and Administration | Federal agencies, parliaments, judiciary | Not regulated under the BSI-KritisV
Media and Culture | Broadcasting, cultural institutions | Not regulated under the BSI-KritisV

Who is covered? Operators active in these sectors whose installations exceed the thresholds set in the BSI-KritisV. Most thresholds correspond to supplying 500,000 people (customers, households, patients).

IT Security Act 2.0 (IT-SiG 2.0)

The IT Security Act 2.0 (in effect since May 2021) significantly tightened the requirements for KRITIS operators:

Obligations under IT-SiG 2.0:

  1. Implement appropriate technical and organisational measures according to the state of the art
  2. Operate attack detection systems (Systeme zur Angriffserkennung, SzA), mandatory since 1 May 2023
  3. Report significant disruptions to the BSI without undue delay (unverzüglich, § 8b BSIG)
  4. Register with the BSI and designate a contact point that is reachable at all times
  5. Demonstrate compliance every two years through audits, certifications or inspections

Attack Detection Systems (SzA) – Mandatory since 1 May 2023

KRITIS operators must operate attack detection systems (Systeme zur Angriffserkennung, SzA):

Requirements for SzA (BSI guidance, the "Orientierungshilfe"):

  1. Event logging (Protokollierung)
  2. Attack detection (Detektion)
  3. Processing and evaluation of the logged data (correlation, triage)
  4. Implementation of countermeasures (Reaktion)

In practice: SIEM systems with 24/7 monitoring—either an in-house SOC or an MSSP (Managed Security Service Provider).
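The following Python block is an added example, not code from the BSI guidance or from this article. It runs the four SzA stages over constructed SSH authentication log lines: parsing (logging), a sliding-window brute-force rule (detection), aggregation into one alert per source and host with escalation when a login succeeds after the burst (processing), and a response record that lists containment actions together with the 24h/72h/one-month reporting clock the NIS2 section of this article describes. Hostnames, addresses, user names, the thresholds and the reference point for the one-month final report are assumptions made for the example.

```python
"""Attack-detection pipeline over constructed SSH auth log lines.

Added example for this article, not the BSI's guidance or the article's own
code. It walks through the four SzA building blocks: event logging (parse),
attack detection (sliding-window threshold), processing (aggregate into one
alert per source/host) and response (containment actions plus the NIS2
24h/72h/one-month reporting clock). Hosts, IPs, users and the reference point
for the one-month final report are assumptions, not taken from the article.
"""
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; hostnames and addresses are hypothetical.
SAMPLE_LOG = """\
2026-03-01T02:14:01Z scada-gw sshd[4711]: Failed password for invalid user admin from 198.51.100.23 port 51422 ssh2
2026-03-01T02:14:03Z scada-gw sshd[4711]: Failed password for invalid user admin from 198.51.100.23 port 51424 ssh2
2026-03-01T02:14:04Z scada-gw sshd[4711]: Failed password for root from 198.51.100.23 port 51425 ssh2
2026-03-01T02:14:06Z scada-gw sshd[4711]: Failed password for root from 198.51.100.23 port 51427 ssh2
2026-03-01T02:14:08Z scada-gw sshd[4711]: Failed password for operator from 198.51.100.23 port 51430 ssh2
2026-03-01T02:14:09Z scada-gw sshd[4711]: Accepted password for operator from 198.51.100.23 port 51431 ssh2
2026-03-01T02:20:00Z hmi-01 sshd[812]: Failed password for operator from 10.20.0.5 port 40001 ssh2
2026-03-01T03:30:00Z hmi-01 sshd[812]: Failed password for operator from 10.20.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Logging stage: structured events from raw lines; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "host": m["host"], "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Detection + processing: >= threshold failures from one IP against one host
    within a sliding window raise one alert per (host, ip); a successful login
    after the burst escalates that alert to 'high' (account likely compromised)."""
    recent = defaultdict(deque)   # (host, ip) -> failures still inside the window
    alerts = {}                   # (host, ip) -> aggregated alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["ip"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"host": ev["host"], "source_ip": ev["ip"],
                                                "first_seen": q[0]["ts"], "severity": "medium"})
                alert.update(failures=len(q), last_seen=ev["ts"],
                             users=sorted({e["user"] for e in q}))
        elif key in alerts:       # "Accepted" right after a detected burst
            alerts[key].update(severity="high", compromised_user=ev["user"],
                               last_seen=ev["ts"])
    return list(alerts.values())


def add_one_month(dt):
    """Calendar-month arithmetic with stdlib only; the day is clamped to the target month."""
    year, month = dt.year + dt.month // 12, dt.month % 12 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def respond(alert):
    """Response stage: containment actions and the reporting clock.
    Assumption: 24h/72h run from awareness (last_seen here) and the final report
    is due one month after the 72h notification; this mirrors Art. 23(4) NIS2,
    but the reference point is the example's choice, not the article's."""
    actions = [f"block {alert['source_ip']} at the perimeter towards {alert['host']}"]
    if alert["severity"] == "high":
        actions.append(f"disable account {alert['compromised_user']} and revoke its sessions")
    aware = alert["last_seen"]
    initial = aware + timedelta(hours=72)
    return {"actions": actions,
            "early_warning_due": aware + timedelta(hours=24),
            "initial_report_due": initial,
            "final_report_due": add_one_month(initial)}


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
        print(respond(alert))
```

On the constructed data the burst against scada-gw produces one alert that is escalated to "high" because the sixth attempt succeeds; the two isolated failures against hmi-01 stay below the window threshold. A real SzA deployment replaces the regex with the SIEM's parsers and the threshold rule with a tuned rule set, but the separation of the four stages, and the fact that the reporting clock starts the moment the operator becomes aware, is what auditors look for.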

Reporting Requirements

Reporting to the BSI in the event of significant disruptions (§ 8b BSIG):

  • Disruptions of availability, integrity, authenticity or confidentiality that have led, or could lead, to a failure or impairment of the critical service
  • Without undue delay (unverzüglich) after becoming aware of the disruption
  • Submitted via the BSI reporting portal through the registered contact point

The BSI responds by:

  • Analysis and early warning to other KRITIS operators
  • Technical assistance in managing the incident
  • Coordination with other authorities (BKA, BfV)

NIS2 and the Expansion of the KRITIS Concept

The NIS2 Directive (EU 2022/2555), which Member States had to transpose by 17 October 2024, significantly expands the scope of regulation. Instead of approximately 2,000 KRITIS operators, up to 30,000 German companies fall within scope.

New Categories Under NIS2

Essential Entities:

  • KRITIS operators (automatically included)
  • Large enterprises (at least 250 employees, or more than 50 million EUR in revenue and a balance sheet above 43 million EUR) in the high-criticality sectors of Annex I
  • Regardless of size: qualified trust service providers, TLD name registries, DNS service providers

Important Entities:

  • Medium-sized enterprises (at least 50 employees, or more than 10 million EUR in revenue and balance sheet) in Annex I sectors, and medium or large enterprises in the Annex II sectors
  • At the discretion of the Member State, smaller enterprises in certain sectors (for example the sole provider of a service in a Member State)

NIS2 Sectors (expanded compared to IT-SiG):

  • All previous KRITIS sectors
  • NEW or broadened: space, postal and courier services, waste management, chemicals, food production and distribution, manufacturing, digital infrastructure (cloud, data centres, CDN), ICT service management, research
  • NEW: Public administration (central and, at Member State discretion, regional level)

Overview of NIS2 Obligations

Security Measures (Art. 21 NIS2):

Measure | Content
Risk Analysis | Regular assessment of IT risks and information security policies
Incident Handling | Detection, analysis and containment of incidents
Business Continuity | BCM, backup, disaster recovery, crisis management
Supply Chain | Security at suppliers and service providers
System Procurement | Security by design in acquisition, development and maintenance
Vulnerability Management | Vulnerability handling, disclosure and patching
Cryptography | Policies on cryptography and use of encryption
HR Security | Training, cyber hygiene, background checks
Access Control | MFA, PAM, least privilege
Asset Management | Inventory of all IT assets

Reporting Requirements under NIS2:

Significant incident:
  → 24h: early warning (whether unlawful or malicious action is suspected, and whether cross-border impact is possible)
  → 72h: incident notification (initial assessment of severity and impact, indicators of compromise where available)
  → 1 month after the 72h notification: final report (detailed description, root cause, mitigation applied, cross-border impact)

Management Liability: Management bodies (managing directors, board members) can be held personally liable for NIS2 violations and temporarily removed from their management roles.

Fines (Art. 34 NIS2):

  • Essential entities: up to 10 million EUR or 2% of global annual turnover, whichever is higher
  • Important entities: up to 7 million EUR or 1.4% of global annual turnover, whichever is higher

KRITIS-DachG – Physical Protection

The KRITIS-DachG (KRITIS Umbrella Act) supplements IT security obligations with physical security requirements:

  • Perimeter protection (fences, access control, video surveillance)
  • Security concepts for facilities
  • Coordination with authorities and police
  • Mandatory minimum standards for physical resilience

Cybersecurity for KRITIS in Practice

Risk-Based Approach

KRITIS operators must keep their security approach up to state-of-the-art standards—but without a blanket obligation to use specific products. The benchmark is always the appropriate balance between security measures and identified risks.

Recognized Standards:

  • ISO 27001 – international ISMS standard, recognized by the BSI
  • BSI IT-Grundschutz – German specialized standard with concrete measures
  • IEC 62443 – OT/SCADA specialized standard for industrial control systems
  • Industry-Specific Standards (B3S) – security standards recognized by the BSI for each sector

OT/IT Convergence as a Critical Risk

Many KRITIS operators have Operational Technology (OT) control systems for physical processes (SCADA, DCS, PLC). These are often:

  • Outdated and difficult to patch
  • Not originally designed for network connectivity
  • Now connected to IT networks and the Internet

Attacks on OT can cause physical damage: power grid outages, contamination of water supplies, disruption of production facilities.

Protective measures:

  • Strict network segmentation between IT and OT
  • Air gaps where possible and appropriate
  • OT-specific security solutions (Claroty, Dragos, Nozomi)
  • Asset inventory for all OT devices
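The segmentation and asset-inventory items above are easier to audit when the intended policy is written down as zones and conduits and then checked against what the network actually carries. The Python block below is an added example, not code from this article or from any of the vendors named above. It encodes a hypothetical zone plan (IT, DMZ, OT supervision, OT control), an allowlist of permitted conduits between zones and a small OT asset inventory, then flags constructed flow records that either cross zones without a matching conduit or involve an OT address nobody has inventoried. Address ranges, ports, asset names and the flow records are all constructed for the example.

```python
"""Zone-and-conduit check over constructed flow records.

Added example for this article, not the article's or any vendor's code. It
models the IEC 62443 notion of zones joined only by defined conduits: a flow
that crosses from one zone into another without a matching conduit, or that
involves an OT address missing from the asset inventory, is reported. The
address plan, inventory, conduits and flow lines are all assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zones (hypothetical address plan).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.9.0.0/24"),       # jump host, historian replica
    "OT-SUP": ipaddress.ip_network("10.21.0.0/24"),   # HMIs, engineering workstations
    "OT-CTRL": ipaddress.ip_network("10.20.0.0/24"),  # PLCs, DCS controllers
}

# Allowed conduits as (src_zone, dst_zone, proto, dport). Everything else between zones is denied.
CONDUITS = {
    ("IT", "DMZ", "tcp", 443),            # users reach the jump host / historian over HTTPS
    ("DMZ", "OT-SUP", "tcp", 22),         # jump host to engineering workstations only
    ("OT-SUP", "OT-CTRL", "tcp", 502),    # Modbus/TCP from HMIs to PLCs
    ("OT-SUP", "OT-CTRL", "tcp", 44818),  # EtherNet/IP
}

# Asset inventory for the OT zones; an OT address that is not listed is itself a finding.
INVENTORY = {
    "10.20.0.10": "PLC-Pump-1", "10.20.0.11": "PLC-Valve-3",
    "10.21.0.5": "HMI-01", "10.21.0.6": "EWS-01",
}

# Constructed flow records: "src dst proto dport" per line.
SAMPLE_FLOWS = """\
# src dst proto dport
10.1.5.20 10.9.0.2 tcp 443
10.9.0.2 10.21.0.6 tcp 22
10.21.0.5 10.20.0.10 tcp 502
10.1.5.20 10.20.0.10 tcp 502
10.21.0.6 10.20.0.11 tcp 502
10.21.0.99 10.20.0.10 tcp 502
203.0.113.7 10.21.0.5 tcp 3389
10.20.0.10 10.20.0.11 udp 2222
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text):
    """Parse the constructed flow format; blank lines and '#' comments are ignored."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def check_flow(flow):
    """Return None for a permitted flow, otherwise the reason it violates the policy."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return None  # intra-zone traffic is policed inside the zone, not by conduits
    for addr, zone in ((flow.src, sz), (flow.dst, dz)):
        if zone.startswith("OT") and addr not in INVENTORY:
            return f"unknown OT asset {addr} in zone {zone}"
    if (sz, dz, flow.proto, flow.dport) in CONDUITS:
        return None
    return f"no conduit {sz}->{dz} {flow.proto}/{flow.dport}"


def audit(text):
    """All (flow, reason) pairs that violate the zone/conduit policy, in input order."""
    return [(f, r) for f in parse_flows(text) if (r := check_flow(f))]


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

On the constructed records three flows are reported: an IT workstation speaking Modbus/TCP directly to a PLC (the classic bypass of the DMZ), an uninventoried address in the supervision zone polling a controller, and an Internet source reaching an HMI on RDP. The same check can be fed with NetFlow or span-port data from the tools named above; the point is that the policy lives in the conduit table and the inventory, so every exception is explicit and reviewable.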

Incident Response for KRITIS

KRITIS operators must plan their incident response with particular care:

KRITIS incident specifics:

  • Reporting obligations to the BSI (without undue delay under the BSIG; 24h early warning, 72h notification and one-month final report under NIS2), with CERT-Bund as the BSI's operational contact
  • Coordination with other KRITIS operators (ISAC, UP KRITIS)
  • Parallel legal reporting obligations (GDPR: personal data breaches to the supervisory authority within 72 hours; industry-specific duties)
  • Communication with sector regulators (BNetzA, BaFin, etc.)
  • Public communication in cases of societal impact
  • Documentation requirements for the two-year verification and for auditors

Threat Landscape for KRITIS

BSI Situation Report 2024 shows: KRITIS operators are preferred targets:

  • Ransomware: Hospitals, municipalities, and energy providers are particularly affected
  • APT groups (state actors): Long-term espionage in energy providers and water utilities
  • Hacktivism: DDoS attacks on federal agencies by pro-Russian groups
  • Supply Chain: Attacks via IT service providers as a point of entry into KRITIS networks

Particularly Critical Incidents:

  • Anhalt-Bitterfeld District (2021): Ransomware paralyses district services for weeks; the first cyber disaster (Katastrophenfall) declared in Germany
  • Dortmund University Hospital (2023): Ransomware leads to operational restrictions
  • European wind farms (2022): Remote monitoring of around 5,800 Enercon turbines lost after the attack on Viasat's KA-SAT satellite network; the turbines kept running but could no longer be managed remotely

Practical steps for KRITIS operators

1. KRITIS self-assessment:

  • Do your installations exceed the thresholds of the BSI-KritisV?
  • Are you affected by NIS2 as an "essential" or "important" entity?
  • Registered with the BSI with a contact point? (Mandatory!)

2. Gap Analysis:

  • ISMS in place and certified (ISO 27001)?
  • Attack detection systems implemented?
  • Reporting processes defined and tested?
  • Business continuity plan in place?

3. Action Plan:

  • Risk assessment according to ISO 27001 or BSI IT-Grundschutz
  • Immediate measures for the most critical gaps
  • Mid-term implementation of SIEM/SOC
  • Regular penetration tests and audits

4. Documentation:

  • Document all security measures with verifiable evidence
  • Plan for a two-year verification cycle with the BSI

Conclusion

KRITIS protection is not merely a compliance exercise—it protects systems on which millions of people depend every day. NIS2 has significantly expanded the scope of regulated entities and tightened the requirements. Companies operating in critical sectors should now assess whether they are affected—and align their security architecture accordingly.

Sources & References

  1. BSI: Schutz kritischer Infrastrukturen – BSI
  2. KRITIS-Dachgesetz (KRITIS-DachG) – BMI
  3. NIS2-Richtlinie (EU 2022/2555) – Europäische Union
  4. BSI-KRITIS-Verordnung – Bundesregierung


About the Author

Oskar Braun

Head of Information Security Consulting

Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal), with a research focus on phishing awareness, behavioural security and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022 and advises KRITIS sectors as an external information security officer (ISB). Lecturer in Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.

ISO 27001 Lead Auditor (IRCA), ISB (TÜV)
This article was last edited on 03.03.2026. Responsible: Oskar Braun, Head of Information Security Consulting at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
