The IT Security Act (ITSiG) and the BSI Act require operators of critical infrastructures to comply with minimum technical and organizational security standards. The underlying idea of these laws is that the security measures for preventing IT disruptions and failures are based on the state of the art in the operator’s industry.
For operators of critical infrastructure, this fuzzy wording raises many a question:
- What measures does the minimum technical or organizational standard include?
- As a critical infrastructure operator, where do we exceed this minimum standard and where do we deviate from it?
- Is there a specific state of the art in my industry, and if not, what can I use as a guideline, or how can I define such an industry-specific standard?
- Which audits and certifications already completed simplify the verification process vis-à-vis the BSI?
The legislator has deliberately allowed this scope for interpretation. The audit reports to be submitted in the first round are initially intended to take stock of the precautions taken by the operators and the security levels customary in the industry. In addition, the industries are to be given the opportunity to agree on industry-specific security standards (B3S).
If no specific security standards emerge for an industry, the BSI has the option to prescribe such security standards itself. The KritisVO provides for this.
This is an opportunity that critical infrastructure operators should seize. It is to be expected that the Federal Office for Information Security (BSI) will propose a more detailed formulation of the KritisVO on the basis of the findings obtained in the first round of reviews.
We are happy to offer you the opportunity to draw on the expertise of our specialists when reviewing your technical and organizational security standards. We are also happy to support you in formulating your industry-specific standards.