Understanding and implementing the BSI KRITIS ordinance: how to meet the requirements of the Security Act
IoT Blog
11.07.2025 by Annalena Rauen
Critical infrastructures form the backbone of our modern society. They ensure power supply, healthcare, communication and many other essential areas. To ensure these systems remain stable and operational even in times of crisis, strict legal requirements apply to their operators – for example, the BSI KRITIS Ordinance. This article explains exactly what it entails and what obligations arise from it.
New standards for critical infrastructures: the BSI KRITIS ordinance
A new threat landscape requires a new understanding of security. The BSI KRITIS Ordinance – officially the Ordinance for Determining Critical Infrastructures under the BSI Act (BSI-Kritisverordnung, or simply BSI KritisV; BSI = Federal Office for Information Security) – is the central regulatory instrument that defines which facilities, systems and companies in Germany count as critical infrastructures. The ordinance itself sets out the sectors and thresholds; the obligations that follow from being classified as a KRITIS operator (security measures, reporting, audits) stem from the BSI Act (BSIG). Together they determine how these infrastructures must be strengthened in terms of information security and operational capability.
The KRITIS Ordinance came into force on 3 May 2016 and has been amended and expanded several times since: the first amendment in 2017 extended its scope to the sectors health, finance and insurance, and transport and traffic. The 2022 amendment revised its content, in particular the threshold values, and further amendments in 2023 and 2024 brought additional types of facilities into scope.
How the KRITIS ordinance differs from the NIS2 directive
The BSI KritisV should not be confused with the NIS2 Directive, even though both pursue similar goals and complement each other. The BSI KRITIS Ordinance is directly applicable German law and specifically targets operators of critical infrastructures. NIS2, on the other hand, is an EU directive that each member state must transpose into national law; it has a considerably broader scope and also places obligations on many companies outside the traditional KRITIS sectors. A company that is not a KRITIS operator under the BSI KritisV may therefore still fall under the NIS2 rules.
Which companies are considered critical infrastructure according to the ordinance?
As mentioned, the BSI KRITIS Ordinance targets operators of critical infrastructures – “KRITIS” for short – that play a central role in public provision. Whether a company falls under the ordinance depends not on its size but on its specific function within certain sectors and on whether the defined thresholds are met. A company is considered a KRITIS operator if it …
... operates in one of the sectors listed in the ordinance, such as energy, information technology and telecommunications, transport and traffic, health, finance and insurance, water, food supply or municipal waste disposal.
... operates a facility that reaches or exceeds the threshold values set out in the ordinance for the respective sector (e.g. network capacities, daily processing volumes, number of people supplied; the general benchmark is a supply of 500,000 people).
... operates a facility that is classified as critical to public provision and/or contributes to the supply of the general public and is therefore considered system-relevant.
Always up to date
The KRITIS Ordinance is regularly updated to reflect technological developments and changing threat situations, and each new version may bring additional companies into scope. Operators should therefore check after every amendment whether their facilities now reach a threshold. The current version of the ordinance is published in the Federal Law Gazette (Bundesgesetzblatt).
Duties and requirements under the BSI KRITIS ordinance
So what exactly does the BSI KRITIS Ordinance require? In general terms, affected companies are obliged to comprehensively secure the IT systems that are essential for the operation of their critical infrastructure and to ensure continued operation even in the event of technical faults, cyberattacks or other security incidents. Many of the measures are based on the BSI IT-Grundschutz, which serves as a guideline for implementation. The requirements affect not only technical systems but also organisational processes, reporting procedures and cooperation with the BSI.
Operators must implement appropriate organisational and technical security measures in line with the current state of the art.
Operators must report significant IT disruptions or security incidents to the Federal Office for Information Security without undue delay.
Operators must regularly provide proof that the security measures have been implemented, in the form of audit reports; under the BSI Act this proof is due every two years.
Operators are required to designate a contact point that is available around the clock and acts as the BSI’s direct point of contact.
For certain facilities and systems, a risk assessment must be carried out to identify potential threats and vulnerabilities.
Operators must ensure that service providers and third parties involved in operational processes also meet the relevant security requirements.
IoT solutions for secure and compliant critical infrastructures
Digital security requires technical stability. Take advantage of Deutsche Telekom’s powerful IoT network technologies and tailored tariffs to make your critical infrastructures future-proof and compliant with the KRITIS Ordinance.
Why the BSI KRITIS ordinance is important and necessary
The sometimes strict and demanding requirements have a serious background: In an increasingly digital and interconnected world, dependency on reliably functioning systems is growing, while the risk of cyberattacks, technical faults and human error is also increasing. Failures in critical infrastructure would have far-reaching consequences for the economy, government and society. The KRITIS Ordinance therefore creates uniform and binding security standards to help companies strengthen their information security in a structured and proactive way.
Moreover, the ordinance provides a clear legal framework – backed by the BSI Act, as amended by the IT Security Act – and supports operators of critical infrastructure in identifying risks early on, implementing appropriate security measures and making their supply systems more resilient. In doing so, it helps protect Germany as a business location and strengthens trust in digital processes. The KRITIS Ordinance is thus a cornerstone of the national cybersecurity strategy and indispensable for protecting modern critical infrastructures.
6 key points for implementing the KRITIS ordinance
To not only formally comply with the requirements of the BSI KRITIS Ordinance but also integrate them effectively into everyday operations, a structured approach is essential. In addition to the legal obligations and technical measures already mentioned, strategic, procedural and personnel-related aspects play an equally important role. Pay attention to the following points to make your organisation resilient in the long term:
1. Actively involve top management! Responsibility for implementing the KRITIS requirements lies at the highest level. Without clear prioritisation by management, security concepts remain ineffective.
2. Integrate information security into all business processes! Security measures are only effective when they are an integral part of operational workflows – from procurement and operation through to maintenance.
3. Train your employees regularly! The security level largely depends on your teams’ behaviour. Awareness and training programmes must therefore be targeted and continuous.
4. Use established management systems! Follow standards such as ISO 27001 or industry-specific guidelines to structure your security architecture and review it regularly.
5. Document all measures comprehensibly! Complete documentation facilitates internal audits, external reviews and proof to the BSI. It provides the basis for transparency and compliance.
6. Keep track of changes and adjustments! The KRITIS Ordinance is subject to dynamic developments, and each amendment can change thresholds or add facility types. Monitor new versions and adapt your processes early on to meet new requirements.
Telekom IoT: future-proof solutions for critical infrastructures
Deutsche Telekom’s IoT solutions provide the ideal foundation for implementing the BSI KRITIS Ordinance digitally, efficiently and with future resilience. Intelligent sensor technology, secure connectivity and real-time data analysis allow you to detect critical conditions early, optimise operations and sustainably increase the resilience of your infrastructures.
IoT in Action - our Use Cases & References
From smart buildings to connected supply chains – discover real-world IoT applications. See how companies are creating true value with IoT solutions that are efficient, secure, and scalable. Get inspired and find the right approach for your project today.
Back in 2016, Anna worked on IoT topics at Deutsche Telekom for the first time. Since then, she has been supporting customer best practices in a wide range of industries – always focusing on the benefits that the Internet of Things can provide. Her IoT blogposts describe real use cases and the value these innovations add to market players, their business models, and even entire industries.