Critical Infrastructure
KRITIS Requirements under IT-SiG 2.0
BSI-KritisV thresholds, BSIG §8a compliance obligations and attack detection systems. KRITIS compliance for utilities and providers.
What Is KRITIS? Definition and Scope
In Germany, the term KRITIS (short for Kritische Infrastrukturen, or Critical Infrastructures) refers to organizations and facilities of vital importance to society whose failure or degradation would result in sustained supply shortages, significant disruptions to public safety, or other severe consequences for the general population. The concept is legally anchored in the BSI Act (BSIG) and further specified through the BSI-KritisV (KRITIS Ordinance), which defines concrete thresholds for identifying affected operators.
KRITIS operators are not self-identified. Instead, the federal government defines eight sectors that constitute critical infrastructure in Germany. Each sector is further divided into sub-sectors and service categories. The affected sectors are:
- Energy: electricity generation and distribution, gas supply, mineral oil, district heating
- Water: public drinking water supply and wastewater treatment
- Food: food production, processing, and distribution at scale
- Information Technology and Telecommunications: internet exchange points, DNS services, data centers, and telecommunications networks
- Health: hospitals, pharmaceutical supply, laboratory diagnostics
- Transport and Traffic: aviation, maritime transport, rail, road logistics
- Finance and Insurance: payment systems, securities trading, insurance services
- Municipal Waste Management: waste collection, treatment, and disposal for municipalities
With the entry into force of IT-SiG 2.0 in May 2021, the municipal waste management sector was added as the eighth sector. Additionally, certain companies in the defense industry and manufacturers of IT products for processing classified information ("Unternehmen im besonderen öffentlichen Interesse", or UBI) were brought into scope, even though they are not technically KRITIS operators. This expansion significantly broadened the reach of German critical infrastructure regulation. Understanding whether your organization falls under KRITIS is the essential first step toward compliance, because the obligations that follow are substantial.
BSI-KritisV Thresholds: When Does Your Organization Qualify?
Not every utility, hospital, or food producer automatically qualifies as a KRITIS operator. The BSI-KritisV defines quantitative thresholds for each sector and service category. These thresholds are based on the principle that an installation qualifies as critical if its failure would affect a significant portion of the population, typically benchmarked at 500,000 persons served.
The following are key thresholds from the current BSI-KritisV:
- Energy (electricity): installations with an installed net nominal capacity of 420 MW or higher, or annual power generation exceeding 3,700 GWh
- Energy (gas): gas transmission or distribution systems serving more than 500,000 connected consumers
- Water (drinking water supply): waterworks supplying 500,000 or more persons annually, measured by the volume of water delivered
- Water (wastewater treatment): treatment plants with a capacity of 500,000 population equivalents or more
- Food: production or processing facilities with an output exceeding 434,500 tonnes per year
- IT and Telecommunications: internet exchange points handling more than 300 connected autonomous systems, or DNS servers processing more than 250,000 domains
- Health: hospitals with more than 30,000 inpatient cases per year
- Transport: airports handling more than 20 million passengers per year, or ports handling more than 13 million tonnes of cargo
- Municipal Waste Management: facilities serving 500,000 or more connected persons
If your organization exceeds any of these thresholds, you are obligated to register with the Federal Office for Information Security (BSI) and comply with the KRITIS requirements set out in the BSIG. Note that the thresholds are reviewed and updated periodically, and the trend is clearly toward lowering them. Organizations currently just below the thresholds should proactively prepare, especially since the NIS2 implementation in Germany (NIS2UmsuCG), in effect since December 6, 2025, has significantly expanded the number of regulated entities.
BSIG Section 8a: Biennial Proof of Compliance
The core compliance obligation for KRITIS operators is defined in Section 8a BSIG. This provision requires operators to implement appropriate organizational and technical measures to secure the IT systems, components, and processes that are essential for the functioning of the critical infrastructure they operate. The standard is "state of the art" (Stand der Technik), which means measures must reflect current technological best practices and be updated continuously.
KRITIS operators must provide proof of their compliance every two years. This proof can take the form of security audits, inspections, or certifications. In practice, many operators rely on recognized industry-specific security standards (branchenspezifische Sicherheitsstandards, or B3S) developed by sector associations and approved by the BSI. For example, the energy sector follows the IT security catalog according to Section 11(1a) EnWG, while the water sector has its own B3S for water supply and wastewater treatment.
The biennial audit results must be submitted to the BSI. If the BSI identifies deficiencies, it can order specific remediation measures and set deadlines for implementation. In severe cases, the BSI can conduct its own audits or commission third-party audits at the operator's expense. This is not a theoretical scenario: the BSI has increasingly exercised its audit authority, particularly for operators that submitted incomplete or unsatisfactory compliance documentation. For organizations approaching their first or next biennial proof, a structured policy management system is essential for maintaining audit-ready documentation at all times.
Recognized Security Standards (B3S)
Sector-specific security standards provide operators with a concrete framework for implementing Section 8a requirements. Using a BSI-recognized B3S offers a significant advantage: if your compliance proof is based on an approved B3S, the BSI presumes that you meet the requirements of Section 8a. Currently, approved B3S exist for multiple sectors, including water/wastewater, IT/telecoms, food, health, and municipal waste. Operators whose sector lacks an approved B3S must demonstrate compliance through alternative means, typically by aligning their ISMS with ISO 27001 and supplementing it with sector-specific measures. Regardless of the approach, the key requirement remains the same: all measures must be documented, implemented, and regularly reviewed. Proof without substance will not satisfy the BSI.
Reporting Obligations Under Section 8b BSIG
Beyond security measures, Section 8b BSIG establishes mandatory incident reporting obligations for all KRITIS operators. These obligations are designed to ensure that the BSI maintains a comprehensive picture of the threat landscape across critical infrastructure sectors. The requirements are strict and non-negotiable.
KRITIS operators must report significant IT security incidents to the BSI immediately. An incident is considered significant if it has the potential to impair the functioning of the critical infrastructure being operated. This includes successful cyberattacks, ransomware infections affecting operational systems, significant hardware failures, and even near-misses that could have caused disruption. The reporting threshold is deliberately low: operators should report early rather than late, even if the full scope of an incident is not yet clear.
To fulfill reporting obligations, every KRITIS operator must designate a permanent contact point (Kontaktstelle) that is reachable by the BSI at all times. This contact point must be registered with the BSI and kept up to date. In practice, this means having a 24/7 contact capability for IT security incidents. The contact point receives alerts and threat information from the BSI in return, creating a two-way information flow that benefits both parties.
Failure to report significant incidents, or reporting them late, can result in administrative fines. More importantly, delayed reporting can prevent the BSI from issuing timely warnings to other KRITIS operators in the same sector, potentially allowing a sector-wide threat to spread unchecked. Maintaining a robust incident management process with clear escalation paths and pre-defined reporting templates is not just a regulatory requirement but a practical necessity for any KRITIS operator.
IT-SiG 2.0: Tightened Requirements Since 2021
The Second IT Security Act (IT-SiG 2.0), which entered into force on 28 May 2021, represents the most significant tightening of KRITIS regulation to date. IT-SiG 2.0 amended the BSIG extensively and introduced several new obligations that go well beyond the original IT-SiG from 2015. For KRITIS operators, three changes are particularly consequential.
1. Mandatory Attack Detection Systems (SzA)
Since 1 May 2023, all KRITIS operators are required to deploy Systems for Attack Detection (Systeme zur Angriffserkennung, SzA). These systems must continuously monitor network traffic and system logs to identify indicators of compromise and anomalous behavior. The BSI has published a detailed Orientation Guide for SzA Implementation that specifies requirements in three areas: logging, detection, and response. The implementation maturity is assessed on a scale from 0 (not implemented) to 5 (fully optimized). The BSI expects operators to achieve at least maturity level 3 (established process). Operators that cannot demonstrate adequate SzA implementation face scrutiny in their biennial Section 8a proof and potential enforcement action.
2. Expanded Registration and Reporting
IT-SiG 2.0 expanded the registration obligations: KRITIS operators must now also register the critical components (kritische Komponenten) they use, and the use of critical components from certain manufacturers can be prohibited by the Federal Ministry of the Interior if there are security concerns. This provision was introduced in the context of the 5G/Huawei debate but applies to all KRITIS sectors. Additionally, the scope of mandatory incident reporting was broadened: operators must now also report significant disruptions of their IT systems even if the critical infrastructure service itself has not yet been impaired.
3. Increased Sanctions
IT-SiG 2.0 significantly increased the maximum penalties for non-compliance. Fines can now reach up to EUR 2 million for certain violations, including failure to implement adequate security measures, failure to register with the BSI, or failure to report incidents. For repeat offenders, the penalties escalate further. The BSI's enforcement powers were also strengthened: it can now conduct unannounced audits, request detailed technical documentation, and order specific remediation measures with binding deadlines. These expanded powers signal a clear shift from a cooperative toward a more enforcement-oriented regulatory approach.
KRITIS-Specific Measures for Utilities and Infrastructure Operators
Critical infrastructure operators face unique challenges that set them apart from conventional enterprises. While a typical office environment primarily deals with IT systems (servers, workstations, cloud applications), KRITIS operators in the energy, water, and waste management sectors operate Operational Technology (OT) environments that directly control physical processes. SCADA systems, Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and industrial control systems (ICS) form the backbone of these operations. Securing these environments requires a fundamentally different approach than securing an office network.
IT/OT Segmentation
The most critical architectural measure for KRITIS operators is strict network segmentation between IT and OT environments. In too many utilities, the corporate IT network (email, ERP, office applications) and the OT network (SCADA, control systems, process control) are insufficiently separated. A ransomware infection on an office workstation should never be able to propagate into the control system that manages water treatment or power distribution. Best practice calls for a demilitarized zone (DMZ) between IT and OT, with strictly controlled unidirectional data flows where possible. Every connection between the two zones must be explicitly documented, justified, and monitored. Maintaining a complete inventory of all assets across both environments through dedicated asset management is a prerequisite for effective segmentation.
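As an added illustration of what an SzA detection rule (see the attack detection section above) can check against the IT/OT segmentation policy described here, the following Python script is an example written for this page, not code from Kopexa, the BSI guide or any operator. It evaluates constructed firewall log lines against a constructed asset register with IT/OT/DMZ zone tags and a hypothetical allowlist of documented connections; all hostnames, ports, the log format and the deny threshold are assumptions.

```python
import re
from collections import Counter

# Constructed asset register: hostname -> network zone, the kind of zone tag the
# page recommends keeping in the asset inventory. All names are hypothetical.
ASSETS = {
    "ws-office-12": "IT", "erp-app-01": "IT",
    "hist-dmz-01": "DMZ", "jump-dmz-01": "DMZ",
    "scada-srv-01": "OT", "plc-ww-07": "OT", "hmi-pump-03": "OT",
}

# Documented and justified zone crossings as (source, destination, port).
# Every other allowed cross-zone flow is a finding. Hypothetical allowlist.
DOCUMENTED = {
    ("scada-srv-01", "hist-dmz-01", 1433),  # historian push, OT -> DMZ
    ("erp-app-01", "hist-dmz-01", 443),     # IT reads replicated data from the DMZ
    ("jump-dmz-01", "scada-srv-01", 3389),  # remote access only via the DMZ jump host
}

DENY_THRESHOLD = 3  # repeated blocked attempts against one OT host worth escalating

# Constructed log format: "<timestamp> fw <ALLOW|DENY> <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")

def detect(log_text):
    """Return a list of findings (dicts with 'type', 'src', 'dst') for one log batch."""
    findings, denied = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append({"type": "UNPARSEABLE_LINE", "src": None, "dst": line})
            continue
        src, dst, port = m["src"], m["dst"], int(m["port"])
        zs, zd = ASSETS.get(src), ASSETS.get(dst)
        if zs is None or zd is None:
            # A host missing from the register has no zone: that is an inventory gap.
            findings.append({"type": "UNINVENTORIED_ASSET", "src": src, "dst": dst})
        elif m["action"] == "DENY":
            if zd == "OT":
                denied[(src, dst)] += 1  # blocked, but repeated attempts are anomalous
        elif zs != zd:
            # Only ALLOWed flows actually crossed a boundary; check them against policy.
            if {zs, zd} == {"IT", "OT"}:
                findings.append({"type": "DIRECT_IT_OT_PATH", "src": src, "dst": dst})
            elif (src, dst, port) not in DOCUMENTED:
                findings.append({"type": "UNDOCUMENTED_ZONE_CROSSING", "src": src, "dst": dst})
    for (src, dst), n in denied.items():
        if n >= DENY_THRESHOLD:
            findings.append({"type": "REPEATED_DENIED_OT_ACCESS", "src": src, "dst": dst, "count": n})
    return findings

def summarize(findings):
    """Count findings per type, as an SzA report or SIEM dashboard would roll them up."""
    return Counter(f["type"] for f in findings)

# Constructed sample batch: two documented flows, one direct IT->OT flow, one
# undocumented DMZ->OT flow, three blocked IT->OT attempts, one unknown host.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z fw ALLOW scada-srv-01 -> hist-dmz-01:1433
2025-01-10T08:00:05Z fw ALLOW erp-app-01 -> hist-dmz-01:443
2025-01-10T08:01:10Z fw ALLOW ws-office-12 -> plc-ww-07:502
2025-01-10T08:02:00Z fw ALLOW jump-dmz-01 -> scada-srv-01:3389
2025-01-10T08:03:00Z fw ALLOW jump-dmz-01 -> hmi-pump-03:22
2025-01-10T08:04:00Z fw DENY ws-office-12 -> scada-srv-01:445
2025-01-10T08:04:01Z fw DENY ws-office-12 -> scada-srv-01:445
2025-01-10T08:04:02Z fw DENY ws-office-12 -> scada-srv-01:445
2025-01-10T08:05:00Z fw ALLOW laptop-guest-9 -> hist-dmz-01:443
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print(summarize(detect(SAMPLE_LOG)))
```

Each finding type maps to a documentation duty from the text: an undocumented crossing or unknown host is an asset or connection register gap to close, while a direct IT/OT path or repeated denied access is an event for the incident process.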
OT Security for SCADA and Control Systems
Securing OT environments presents specific challenges. Many control systems run on legacy operating systems that cannot be patched without risking process stability. Update cycles for OT components are measured in years, not weeks. The BSI's IT-Grundschutz catalog provides specific modules for industrial control system security (ICS-Security), and the international standard IEC 62443 offers a comprehensive framework for securing industrial automation and control systems. For KRITIS operators, key measures include: access control for all control system interfaces (no shared accounts on HMI panels), encrypted communication channels for remote access to OT systems, regular backup and recovery testing for control system configurations, and physical security for control rooms and substations.
Emergency and Business Continuity Planning
KRITIS operators must maintain comprehensive emergency response and business continuity plans that address both IT and OT failure scenarios. These plans must go beyond generic disaster recovery: they must address sector-specific scenarios such as a complete loss of the SCADA system, a targeted attack on water treatment processes, or a cascading failure across interconnected energy grids. Regular drills and tabletop exercises are essential to validate these plans. The plans must define clear escalation paths, assign responsibilities, and specify communication protocols with the BSI, sector CERTs, and potentially affected peer operators. For utilities operating across multiple sites, plans must address coordination between sites and fallback procedures for each critical function. Documenting all of this in a structured risk management system ensures that plans remain current and actionable rather than collecting dust in a binder.
The NIS2 Dimension: What Changes for KRITIS Operators
While the BSIG and BSI-KritisV define the current German KRITIS framework, the EU NIS2 Directive (2022/2555) has fundamentally reshaped the regulatory landscape. NIS2 was transposed into German national law through the NIS2UmsuCG on December 6, 2025, amending the BSIG and replacing significant portions of the previous KRITIS regulation. For KRITIS operators, NIS2 has brought several critical changes.
First, the number of regulated entities has increased dramatically. NIS2 uses a size-based criterion (enterprises with 50+ employees or EUR 10M+ turnover) rather than the threshold-based approach of the BSI-KritisV. Many organizations that previously fell below the KRITIS thresholds are now subject to regulation. Second, NIS2 introduces personal liability for management in regulated entities. Board members and managing directors can be held personally liable for failures in cybersecurity governance. Third, the maximum penalties increase significantly, with fines of up to EUR 10 million or 2% of global annual turnover for essential entities.
For existing KRITIS operators, the transition to NIS2 means that current compliance measures will need to be reviewed and potentially expanded. The detailed requirements from the NIS2 requirements catalog provide a comprehensive overview of what is now required. Operators who have already built a mature ISMS aligned with BSI-KritisV will have a strong foundation, but gaps in areas like supply chain security, management accountability, and cross-border reporting will need to be addressed.
How Kopexa Supports KRITIS Compliance
Managing KRITIS compliance across all the requirements described above, from Section 8a proof to SzA documentation to incident reporting, demands a structured approach and the right tooling. Spreadsheets and shared folders cannot keep pace with the volume, complexity, and auditability requirements that KRITIS regulation demands. Kopexa provides a purpose-built GRC platform that addresses the specific needs of critical infrastructure operators.
Policy Management for Section 8a Readiness
The biennial proof under Section 8a requires that all security measures are documented in policies that are current, approved, and accessible. Kopexa's policy management provides version-controlled policy lifecycle management with approval workflows, review reminders, and distribution tracking. You can map each policy directly to the relevant B3S requirement or ISO 27001 control, creating a clear traceability matrix for auditors. When policies need updating, the system tracks who changed what, when, and why, giving you a complete audit trail that satisfies BSI expectations.
Risk Management for OT and IT Environments
KRITIS operators must manage risks across both IT and OT environments, often with fundamentally different risk profiles and treatment options. Kopexa's risk management module enables you to maintain a unified risk register that distinguishes between IT and OT risks, assigns risk owners, tracks mitigation measures, and generates the risk reports required for Section 8a audits. Risk assessments can be linked to specific assets, creating a direct connection between your asset inventory and your risk treatment plan. This is particularly valuable for KRITIS operators who need to demonstrate that they have assessed and mitigated risks for every component in their critical infrastructure chain.
Asset Management Across IT and OT
A complete and current asset inventory is the foundation of every KRITIS security concept. Without knowing what you have, you cannot protect it. Kopexa's asset management allows you to catalog all IT and OT assets, from servers and workstations to SCADA controllers and PLCs. Each asset can be classified by criticality, linked to the processes it supports, and tagged with its network zone (IT, OT, DMZ). This structured asset register directly supports your IT/OT segmentation documentation and provides the foundation for risk assessments and business continuity planning.
Evidence Collection for Audits
When the Section 8a audit cycle comes around, the biggest time sink is often evidence collection: gathering screenshots, configuration exports, training records, and approval documents scattered across multiple systems. Kopexa centralizes evidence collection by allowing you to attach evidence directly to the controls and requirements they satisfy. When audit time arrives, you can generate a comprehensive compliance report with all supporting evidence in a single export. This reduces audit preparation from weeks to days and ensures that nothing is missed.
Incident Tracking and Reporting Templates
Section 8b reporting obligations require structured, timely incident reports to the BSI. Kopexa's incident management provides pre-configured templates aligned with BSI reporting requirements, automatic escalation workflows, and a complete timeline for every incident from detection through resolution. This ensures that your organization can meet the "immediate" reporting requirement without scrambling to collect information or determine responsibilities during a crisis.
Next Steps
KRITIS compliance is not a one-time project but a continuous process that evolves with each regulatory update, each new threat, and each organizational change. The following resources help you deepen your understanding of specific topics and prepare your organization for both current KRITIS requirements and the NIS2 obligations now in effect:
- NIS2 for Critical Infrastructure covering the NIS2UmsuCG transposition, expanded scope, management liability, and how to prepare for the transition
- BSI Compliance for KRITIS Operators with detailed guidance on IT-Grundschutz alignment, B3S implementation, and BSI audit preparation
- NIS2 Requirements Catalog with the complete requirements catalog, control mappings, and implementation guides
- Risk Management for building a unified IT/OT risk register aligned with KRITIS requirements
- Asset Management for cataloging critical infrastructure components across IT and OT environments
- Policy Management for maintaining audit-ready documentation with approval workflows and version control