
Understanding and implementing the BSI KRITIS Regulation: How to fulfil the requirements of the security law

Critical infrastructures are the backbone of our modern society. They secure the power supply, healthcare, communication and many other essential areas. To ensure that these systems remain stable and functional even in crisis situations, strict legal requirements apply to their operators - for example, the BSI KRITIS Regulation. You can find out exactly what this is and what obligations it entails in this article.


In brief

  • The BSI KRITIS Regulation defines which companies and facilities in Germany are considered critical infrastructures and obliges them to take special security measures.
  • Affected operators must implement state-of-the-art IT security standards, report incidents to the BSI immediately and provide regular evidence.
  • The aim is to ensure security of supply in areas such as energy, healthcare, transport and IT despite growing cyber threats.

New standards for critical infrastructures: BSI KRITIS Regulation

A new threat situation also requires a new understanding of security. The BSI KRITIS Ordinance - also known as the Ordinance on the Determination of Critical Infrastructures according to the BSI Act (BSI = Federal Office for Information Security) or BSI KritisV for short - is a centralised set of rules that is intended to promote precisely this understanding of security and the associated protective measures. The regulation defines which facilities, systems and companies in Germany are considered particularly relevant for the provision of services to the general public and how these infrastructures must be strengthened in terms of their information security and functionality.

The KRITIS Regulation came into force on 3 May 2016, but has been amended and expanded several times since then: The first amending regulation from 2017 included additional sectors such as healthcare, finance and insurance as well as transport and traffic, while the amendment to the BSI KRITIS Regulation from 2022 provided for adjustments to the content (e.g. the threshold values). Further amendments were made in 2023 and 2024, each of which added additional annexes to the KRITIS Regulation.


How the KRITIS Regulation and the NIS2 Directive differ

The BSI KRITIS Regulation should not be confused with the so-called NIS2 Directive, even though both pursue similar objectives and complement each other. The BSI KRITIS Regulation is based on German law and is aimed specifically at operators of critical infrastructures. NIS2, on the other hand, is an EU-wide directive that has a much broader scope and also applies to many companies outside the classic KRITIS sectors.

According to the regulation, these companies count as critical infrastructure

As already mentioned, the BSI KRITIS Regulation is aimed at operators of critical infrastructures, or "KRITIS" for short, which play a central role for the community. However, whether a company falls under this regulation does not depend solely on its size, but also on its specific function within certain sectors and whether it reaches defined thresholds. A company belongs to KRITIS if it ...

  • ... is active in one of the sectors specified in the regulation, for example energy, information technology, transport and traffic, health, finance and insurance, water, food or municipal waste disposal.
  • ... exceeds the threshold values specified for the sector in the KRITIS Regulation (e.g. network capacities, daily processing volumes, number of persons supplied).
  • ... operates a system that is categorised as supply-relevant and/or contributes to the supply of the general public and is therefore considered system-critical.

Always up to date

The KRITIS Regulation is regularly amended to take account of technological developments and changing risk situations. New versions may bring additional companies within its scope. The current status of the ordinance can be found in the Federal Law Gazette (BGBl.).

Duties and requirements under the BSI KRITIS ordinance

So what exactly does the BSI KRITIS Ordinance require? In general terms, it obliges affected companies to comprehensively secure their IT systems and ensure continued operations even in the event of technical faults, cyberattacks or other security-related incidents. Many of the measures are based on the so-called BSI IT-Grundschutz, which serves as a guideline for implementation. The requirements affect not only technical systems but also organisational processes, reporting procedures and cooperation with the BSI. 

  • Operators must implement appropriate organisational and technical security measures in line with current best practices.
  • There is an obligation to immediately report significant IT disruptions or security incidents to the Federal Office for Information Security.
  • Companies must regularly submit proof of implemented security measures in the form of audit reports.
  • Operators are required to designate a contact point that is available around the clock and acts as the BSI’s direct contact.
  • For certain facilities and systems, a risk assessment must be carried out to identify potential threats and vulnerabilities.
  • Operators must ensure that service providers and third parties involved in operational processes also meet the relevant security requirements.

IoT solutions for secure and compliant critical infrastructures

Digital security requires technical stability. Use the powerful IoT network technologies and customised tariffs from Deutsche Telekom to make your critical infrastructures future-proof and compliant with the KRITIS Regulation.

Why the BSI KRITIS ordinance is important and necessary

The sometimes strict and demanding requirements have a serious background: In an increasingly digital and interconnected world, dependency on reliably functioning systems is growing, while the risk of cyberattacks, technical faults and human error is also increasing. Failures in critical infrastructure would have far-reaching consequences for the economy, government and society. The KRITIS Ordinance therefore creates uniform and binding security standards to help companies strengthen their information security in a structured and proactive way. 

Moreover, the ordinance provides a clear legal framework – backed by the Security Act – and supports operators of critical infrastructure in identifying risks early on, implementing appropriate security measures and making their supply systems more resilient. In doing so, it helps protect Germany as a business location and strengthens trust in digital processes. The KRITIS Ordinance is thus a cornerstone of the national cybersecurity strategy and indispensable for protecting modern critical infrastructures.

6 points you should consider when implementing the KRITIS Regulation

A structured approach is crucial in order to not only formally fulfil the requirements of the BSI KRITIS Regulation, but also to effectively anchor them in day-to-day operations. In addition to the legal obligations and technical measures already mentioned, strategic, procedural and personnel aspects play an equally important role. Pay attention to the following points to make your organisation resilient in the long term:

  1. Actively involve management!
    The responsibility for implementing KRITIS requirements lies at the highest level. Without clear prioritisation by management, security concepts remain ineffective.
  2. Integrate information security into all business processes!
    Security measures are only effective if they are an integral part of operational processes - from procurement to operation and maintenance of your systems.
  3. Train your employees regularly!
    The level of security depends largely on the behaviour of your teams. Sensitisation and awareness training must therefore be targeted and continuous.
  4. Use established management systems!
    Align with standards such as ISO 27001 or industry-specific guidelines in order to set up your security architecture in a structured manner and review it regularly.
  5. Document all measures in a traceable manner!
    Complete documentation facilitates internal audits, external audits and proof to the BSI. It is the basis for transparency and compliance.
  6. Keep an eye on changes and adjustments!
    The KRITIS Regulation is subject to dynamic developments. Adapt your processes to new requirements at an early stage.

Telekom IoT: Future-proof solutions for critical infrastructures

Deutsche Telekom's IoT solutions create the ideal basis for implementing the requirements of the BSI KRITIS Regulation digitally, efficiently and in a future-proof manner. Intelligent sensor technology, secure connectivity and real-time data analysis enable you to detect critical conditions at an early stage, optimise your operating processes and sustainably increase the resilience of your infrastructures.


Annalena Rauen

Marketing Manager IoT

Back in 2016, Anna worked on IoT topics at Deutsche Telekom for the first time. Since then, she has been supporting customer best practices in a wide range of industries – always focusing on the benefits that the Internet of Things can provide. Her IoT blogposts describe real use cases and the value these innovations add to market players, their business models, and even entire industries.
