Critical infrastructures (CRITIS) are defined in EU Directive 2008/114/EC. Critical infrastructures are those whose operation has a significant impact on the maintenance of essential social, health, safety and economic structures. If their function were disrupted or even interrupted, this would have a considerable impact on public safety and lead to supply bottlenecks.
In Germany, the Federal Office for Civil Protection and Disaster Assistance (BBK) has identified nine areas of critical structures. These are structured as follows:
Information technology and communication
Logistics and transport
Insurance and finance
State and administration
Media and culture
Many companies, especially SMEs, are often not aware that they are part of the critical infrastructure. In principle, SMEs do not have to implement the requirements (§8d Abs.1 BSIG). However, if they act as suppliers for CRITIS organisations, SMEs must also comply with the CRITIS requirements and must in turn oblige their own suppliers to do so as well.
According to §8a of the BSI Act (BSIG), operators of critical infrastructures are obliged to "take appropriate organizational and technical precautions [...] to ensure that a functional IT infrastructure is available." In order to ensure that operators of critical infrastructures have actually implemented the legal requirements through functioning and secure processes, a regular audit in a two-year cycle is required.
Possible proofs of implementation are
Industry-specific security standard B3S
In addition, there are other requirements for operators of critical infrastructures that they must meet.
Auditing by the BFMT Group
Our experts support you, the operator of a critical infrastructure, on the way to successful certification according to ISO/IEC 27001. This not only ensures that you meet all legal requirements, but also demonstrates to your customers the high level of security and reliability in your organization.