Securing Critical Infrastructures in Germany: Navigating KRITIS Regulation

23.08.2023

Germany is widely acknowledged as one of the most technologically advanced nations. However, this prominence also implies a significant reliance on its critical infrastructures (KRITIS), which are essential to the smooth operation of the state and society.

To safeguard these infrastructures, Germany has enacted new laws, IT Security Act 2.0 and KRITIS Regulation 2.0, that aim to improve the security of IT systems.

Let’s explore the main features and implications of these regulations for KRITIS operators as well as best practices on KRITIS compliance.



KRITIS stands for Kritische Infrastrukturen, which translates to critical infrastructures in English.

KRITIS refers to organizations or facilities of crucial significance for the community and the state. Their failure or impairment could lead to enduring supply shortages and substantial disruptions to public safety.

The Federal Office for Information Security (BSI) identifies nine sectors that belong to KRITIS:

  • Energy
  • Information technology and telecommunications
  • Transport and traffic
  • Health
  • Water
  • Food
  • Finance and insurance
  • Waste management
  • State and administration

The BSI also defines certain thresholds that determine whether an organization or facility is considered a KRITIS operator or not.

These thresholds are based on quantitative criteria, such as the number of customers served, amount of production or consumption, or share of market supply.

Why Is the Security of KRITIS Important?

The importance of KRITIS lies in the fact that they are indispensable for the functioning of society and the economy. Without them, many aspects of daily life would be impossible or severely impaired.

For example:

  • Without electricity, there would be no light, heating, cooling, communication, or internet.
  • Without water, there would be no drinking water, sanitation, irrigation, or firefighting.
  • Without transport and traffic, there would be no mobility, logistics, trade, or tourism.

Therefore, ensuring the availability and reliability of companies in the special public interest is a matter of national security and public safety. Any disruption or damage to KRITIS could have serious consequences for the population’s health, well-being, and livelihood.

Moreover, it could also affect other sectors that depend on KRITIS services or products.

What Is IT Security Act 2.0 (IT-SiG 2.0)?


The IT Security Act 2.0, or IT-SiG 2.0 (IT-Sicherheitsgesetz 2.0), is a law that aims to increase the security of IT systems in Germany. This framework was established by the Federal Office for Information Security under the auspices of the Ministry of the Interior.

The IT-SiG 2.0 is a revision and expansion of the previous IT Security Act 1.0, which was the first law in Germany to regulate the security of KRITIS. The IT-SiG 2.0 updates and adapts the existing provisions to reflect the current developments and challenges in cybersecurity.

What Is KRITIS Regulation 2.0?

The KRITIS Regulation 2.0 (KRITIS Verordnung 2.0) is a set of amendments to the existing KRITIS regulation, which defines the criteria and thresholds for identifying operators of critical infrastructures (KRITIS) in Germany.

The KRITIS Regulation 2.0 aims to reflect current developments and challenges in cybersecurity, as well as to implement the provisions of the IT Security Act 2.0.

Main Features of the IT-SiG 2.0 & KRITIS Regulation 2.0

The building blocks of IT-SiG 2.0, which have been strengthened with the KRITIS Regulation 2.0, are as follows:

Registration and Contact Point

KRITIS operators must register with the BSI and maintain a contact point that can be reached at any time. This is to facilitate communication and cooperation between the BSI and KRITIS operators in case of incidents or emergencies.

Security Measures and Attack Detection Systems

KRITIS operators must implement appropriate organizational and technical security measures to protect their IT systems from cyberattacks. These measures must comply with the minimum standards set by the BSI.

Moreover, KRITIS operators must use state-of-the-art attack detection and data protection systems to monitor their IT systems for anomalies and intrusions.

Reporting Obligations and Information Sharing

KRITIS operators must report any significant incidents that affect their IT systems to the BSI within 72 hours. They must also provide the BSI with all information necessary to deal with the incident or malfunction.

In addition, KRITIS operators must share relevant information with other KRITIS operators within their sector or branch, as well as with the appropriate authorities.

Certification and Verification

KRITIS operators must submit documentation to the BSI for an assessment of whether they have met their obligations to implement security measures and attack detection systems.

The BSI may also conduct on-site inspections or audits to verify the compliance of KRITIS operators. Furthermore, KRITIS operators must use certified components or products for their IT systems, if such certification schemes exist.

Fines and Sanctions

KRITIS operators who fail to comply with obligations under IT-SiG 2.0 may face fines of up to two million euros.

The BSI may also impose other sanctions, such as ordering the cessation of operations, prohibiting the use of certain components or products, or revoking the certification of components or products.

How Can You Comply With the KRITIS Regulation?


Complying with the KRITIS regulation is not only a legal obligation, but also a strategic advantage for your organization.
By implementing effective security measures, you can protect your IT systems from cyber-attacks, prevent disruptions or damages, and ensure the continuity and quality of your services or products.
To comply with the KRITIS regulation, you should follow these best practices:

Conduct KRITIS Audits

You should identify and assess the potential threats and vulnerabilities that could affect your IT systems, as well as their likelihood and impact.
Based on this analysis, you should prioritize your security needs and allocate your resources accordingly.

Implement Security Measures

Implementing appropriate organizational and technical security measures can protect your IT systems.
These measures should comply with the minimum standards set by the BSI. They should also cover all aspects of security, such as prevention, detection, response, recovery, governance, and awareness.

Provide Information and Cooperate With the BSI

You should provide the BSI with all the information necessary to deal with an incident, as well as assess your compliance with the security measures and attack detection systems.
It is essential that you cooperate with the BSI and follow its instructions.

Train and Educate Your Staff

Training and educating your staff on cybersecurity awareness and best practices should never be an afterthought.
You should ensure that your staff follows the security policies and procedures of your organization and reports any suspicious or unusual incidents.

Use Modern Attack Detection Systems

You should use state-of-the-art attack detection systems to monitor your IT systems for anomalies and intrusions.
These systems must be able to detect attacks, alert you in real-time, provide relevant information for analysis and investigation, and support you in taking countermeasures.

The Ultimate Platform to Comply With the KRITIS Regulation

As Germany's cybersecurity landscape undergoes a transformation with the introduction of IT-SiG 2.0 and KRITIS regulations, achieving compliance takes on greater significance.
In this pursuit, having a trusted attack detection system becomes crucial, and that's where the Logsign Unified Cyber Security Operations Platform stands out.
Logsign has revolutionized cybersecurity operations by seamlessly integrating key components – including SIEM, Threat Intelligence, UEBA, and Automated Detection & Response – into a single, comprehensive solution.
Logsign’s Unified Security Operations Platform simplifies compliance through a unified dashboard that centralizes monitoring, incident management, and reporting.
Moreover, it enhances your adaptability to the evolving cyber threat landscape through its advanced automated detection & response feature, seamlessly aligning with incident reporting obligations and security requirements outlined in the KRITIS regulations.
If you're navigating through digital security, operational success, and increased adaptability, we invite you to explore a live demo of Logsign's USO Platform.
