In Germany, special regulations apply to operators of critical infrastructures under the Act on the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI Act). But who counts as an operator, and when is an infrastructure classified as critical?
What is a critical infrastructure?
Critical infrastructures (KRITIS) are organizations or facilities of major importance for the state and society, whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences. Which of these are to be regarded as critical infrastructures is regulated by the KRITIS Ordinance under the BSI Act. According to this definition, organizations and facilities from the energy, transport and traffic, water, finance and insurance, food, media and culture, state and administration, health, and information technology and telecommunications sectors are considered critical infrastructures.
Who is affected?
In reality, however, the circle of affected companies is much wider than one might assume. As a result, many operators of critical infrastructures run the risk of not realizing that they have to comply with the legal requirements of the BSI Act. This is because the set of regulations specifies a number of thresholds for the different sectors, and these apply to both state-owned and private-sector companies. To illustrate these abstract terms, have a look at the following three examples:
However, only a case-by-case assessment can answer with certainty whether a company ultimately is critical infrastructure or not. It is important to understand that KRITIS status also depends on whether, and to what extent, a company's IT is involved in the handling of these goods. For example, a large retail company need not be critical infrastructure if it operates IT-autonomous sites; but if it runs a centralized IT operation, the infrastructure must be classified as critical. To help answer this question, various industry associations have already developed industry standards and coordinated them with the BSI.
What requirements must critical infrastructure companies meet?
If a review has determined that a company is clearly to be assigned to the critical infrastructure, it must fulfill the following requirements in accordance with the BSI Act:
Further information
All relevant regulations and answers to frequently asked questions can be found on the official website of the German Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik at www.bsi.bund.de.
The post What is KRITIS and who does it affect? appeared first on e2 Security.