Loopus


KRITIS-Verordnung (KRITIS Regulation) Overview


Learning Objectives

  • Understand German KRITIS regulations and their purpose
  • Identify whether your organization qualifies as a KRITIS operator
  • Learn about sector-specific thresholds and requirements

KRITIS Regulation Overview

Critical Infrastructure (KRITIS) regulations in Germany protect essential services and systems whose disruption would have severe consequences for society. Understanding KRITIS requirements is essential for organizations operating in sectors that society depends upon for basic functioning.

Understanding KRITIS

KRITIS encompasses organizations and facilities whose failure or significant impairment would cause supply shortages, substantial public safety disruptions, or dramatic consequences for society overall. The framework recognizes that certain infrastructure supports functions so fundamental that their protection requires regulatory intervention beyond normal market incentives.

KRITIS Sectors

German KRITIS regulation covers nine defined sectors. Energy includes electricity generation, transmission, and distribution along with gas and oil infrastructure. Water covers drinking water supply and wastewater treatment. Food encompasses production, processing, and distribution systems that feed the population.

Information Technology and Telecommunications includes network operators, data centers, and communication infrastructure. Health covers hospitals, pharmaceutical production, and laboratory services. Finance and Insurance encompasses banks, insurance companies, and stock exchanges.

Transport and Traffic includes air, rail, road, and maritime transportation along with logistics. Municipal Waste Management addresses waste collection and processing systems. State and Administration covers government functions essential for public services.

Threshold Values

The BSI-KritisV ordinance defines specific thresholds that determine KRITIS operator status within each sector. Energy utilities become KRITIS operators when serving 500,000 or more persons. Water suppliers face the same 500,000-person threshold.

Information Technology and Telecommunications facilities face various criteria depending on their specific function. Healthcare facilities become KRITIS operators at 30,000 or more inpatient cases annually. Thresholds exist for each sector and require careful analysis against organizational operations.

KRITIS Operator Obligations

Organizations meeting KRITIS thresholds must register with the BSI as KRITIS operators. They must implement appropriate security measures reflecting the current state of the art. Every two years, they must provide evidence demonstrating security implementation. Significant security incidents require mandatory reporting to the BSI.

State-of-the-art security typically means ISO 27001 certification or implementation of sector-specific security standards known as B3S. These branchenspezifische Sicherheitsstandards provide sector-appropriate security baselines recognized by regulators.

Answer the Questions

Knowledge Question 1

What is the German acronym for Critical Infrastructure?


Knowledge Question 2

How many sectors are defined?


Knowledge Question 3

Must operators register with the BSI?
