KRITIS
Critical infrastructures — heightened BSIG obligations
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
KRITIS (Critical Infrastructures) under the BSIG are installations, systems or parts thereof which serve to supply the population with vital goods and services — and whose failure would cause significant supply shortages or threats to public safety. Reinforced by the NIS2UmsuCG: KRITIS qualify as 'particularly important entities'.
What is KRITIS?
9 KRITIS sectors under the BSI-KritisV:
- Energy
- Water
- Food
- Information technology and telecommunications
- Health
- Finance and insurance
- Transport and traffic
- Media and culture
- Government and administration
Thresholds are defined in the KritisV (e.g. energy: 500,000 persons supplied).
Practical example
Typical KRITIS examples:
- Power grid operators serving 500,000+ persons
- Municipal utilities (energy and water)
- Hospitals with 30,000+ inpatient cases per year
- Major airports (Frankfurt, Munich, Düsseldorf)
- Major banks
Frequently asked questions
KRITIS = essential entity?
KRITIS is a subset of essential entities. KRITIS are 'particularly important entities' with additional obligations (BSI audit every 2 years, higher standards).
What does the BSI audit?
For KRITIS: mandatory audit every 2 years. Section 8a BSIG (old version, now extended under Section 30 BSIG). External auditors required.
Who decides whether I am KRITIS?
Sector authorities plus the BSI. Self-classification during BSI registration. In case of dispute: the BSI decides.