Critical infrastructures (CRITIS) are defined in the EU Directive 2008/114/EC. Critical infrastructures are those that have a significant impact on the maintenance of essential social, health, safety and economic structures. If their function were to be disrupted or even interrupted, this would have a considerable impact on public safety and lead to supply bottlenecks.

In Germany, the Federal Office for Civil Protection and Disaster Assistance (BBK) has identified nine areas of critical structures. These are structured as follows:

  • Energy

  • Information technology and communication

  • Health

  • Water

  • Nutrition

  • Logistics and transport

  • Insurance and finance

  • State and administration

  • Media and culture

Often many companies - especially SMEs - are not aware that they are part of the critical infrastructure. In principle, SMEs do not have to implement the requirements (§8d Abs.1 BSIG). However, if they act as suppliers for CRITIS organisations, SMEs must also comply with the CRITIS requirements and in turn oblige their suppliers to do so as well.


30 minutes free consultation

Are you interested in our certification?
Get in touch with us without obligation.
We will be happy to advise you.


Minimizing ris

According to §8a BSI Act (BSIG), operators of critical infrastructures are obliged to "take appropriate organizational and technical precautions [...] to ensure that a functional IT infrastructure is available. In order to ensure that operators of critical infrastructures have actually implemented the legal requirements through functioning and secure processes, a regular audit in a two-year cycle is required.

Possible proofs of implementation are

  • ISO/IEC 27001

  • Industry-specific security standard B3S

In addition, there are other requirements for operators of critical infrastructures that they must meet.


Auditing by the BFMT Group

Our experts support you - the operator - of a critical infrastructure on the way to successful certification according to ISO/IEC 27001, thereby not only ensuring that you meet all legal requirements, but also demonstrating to your customers the high level of security and reliability in your organization.