“Critical infrastructures (KRITIS for short) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disturbances of public safety or other dramatic consequences.”
KRITIS Definition of the Federal Departments
The KRITIS regulation defines a total of ten sectors that provide critical services to the general public. According to Section 39 (formerly Section 8a) (1) BSIG, KRITIS operators within these sectors are obliged to take appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. These measures must be adapted to the current state of technology.
Every two years, KRITIS operators are obliged to provide the Federal Office for Information Security (BSI) with proof of the implementation of appropriate cyber security measures. These verification audits must be initiated by the operators themselves.
The KRITIS audit is due in 2026 for the following sectors:
- Energy
- Water
- Food
- Information Technology and Telecommunication
NIS-2 - will there be an adjusted proof of compliance interval?
In June 2025, the KRITIS working group published a new draft bill for the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). A key change in this concerns the proof of compliance interval for KRITIS operators: this shall be extended from two to three years in future.
“The draft bill provides for a change in the interval, but as long as the law does not officially come into effect, the BSIG and thus the two-year interval applies to all KRITIS operators.”
Vinzent Ratermann, Managing Security Consultant and Expert for Critical Infrastructure
We will keep you up to date on further developments in the legislative process in our newsblog.
Do you need to carry out a KRITIS audit in 2025 or 2026? Contact us. We are happy to help.
