The dependence on information technology systems is growing in our social system with increasing specialisation and division of labour. Where the flow of water, transport, food, medicines, energy and money is to be managed by the administration and the economy, that is where information technology works. Therefore, the legislator took into account the important role of information technology as a controlling infrastructure and passed the first IT Security Act (ITSiG) in 2015 and the Critical Infrastructure Protection Ordinance (KritisVO) based on it. The legislator has acknowledged the advancing digitalisation accordingly by passing the second IT Security Act (ITSiG 2.0) and updating the CritisVO in 2021.
Critical infrastructures (CRITIS) are defined by the legislator as organisations or facilities of major importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences. The Federal Office for Information Security (BSI) names the areas of energy supply, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance, state and administration as well as media and culture. If more than 500,000 citizens are affected by the failure of an infrastructure in one of these areas, then this infrastructure is considered critical. As the operator of such an infrastructure, the ITSiG and KritisVO oblige them to provide special evidence to the BSI.