KRITIS regulation

Secure & legally compliant according to KritisV


What does the German KRITIS regulation mean for data centers and server rooms?

Since January 1, 2022, the renewed Critical Infrastructure Protection Ordinance has been in force. It obliges KRITIS operators to secure their IT appropriately and in line with the state of the art. More than 1,850 companies in Germany are affected and are therefore obliged to make their data centers and server rooms secure and legally compliant in accordance with the KRITIS Regulation. The lead and transition periods have expired. Violations could result in severe penalties. But what does secure mean in this context? What are the obligations of KRITIS operators? In addition, because the legislator keeps adjusting the KRITIS regulation, implementation is a challenging task for companies.

In this interview, our Senior Project Manager Services, Matthias Reidans, explains what operators of critical infrastructures need to consider to ensure a future-proof IT infrastructure.


Which companies belong to the Critical Infrastructure?

The official definition is: "Critical infrastructures (KRITIS) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in sustained supply bottlenecks, significant disruptions to public safety or other dramatic consequences." The BSI Act identifies the following critical sectors for a functioning state community: Information Technology & Telecommunications, Health, Energy, Water, Food, Finance & Insurance, Government & Administration, Transportation & Traffic, Media & Culture, and - newly included after the last amendment - Municipal Waste Disposal. The IT Security Act 2.0, on which the KRITIS Regulation is based, is aimed at companies that rely on digital infrastructures in the sense of "facilities". This includes machines and devices in the broadest sense, as well as software and IT services that are necessary for the provision of a critical service.

Energy
  • e.g. municipal utilities, distribution system operators
  • Gas
  • Petroleum
  • Electricity
  • District heating
Information technology & telecommunications
  • Telecommunications providers
  • Mobile telephony providers
Health
  • Medical care
  • Pharmaceuticals and vaccines
  • Laboratories
Water
  • Hydro-electric plant operators
  • Sewage treatment plant operators
Food
  • Food industry
  • Food trade
Finance / insurance
  • Banks
  • Stock exchanges
  • Insurance companies
  • Financial service providers
Transport and traffic
  • Logistics
  • Air travel
  • Marine transport
  • Road traffic
  • Rail transport
State / public authorities
  • Parliament
  • Judicial institutions
  • Government and administration
  • Emergency/rescue services
Media and culture
  • Printed and electronic press
  • Television and radio
  • Cultural heritage
  • Buildings of symbolic importance
Municipal Waste Disposal

What sector-specific requirements do KRITIS operators need to be aware of?

There are specific thresholds for all sectors to ensure that really only those companies that are relevant to social life are classified as critical. As a rule, the thresholds are tailored to serve a lower limit of half a million inhabitants. In the energy sector, for example, this is the amount of electricity, heating oil, aviation fuel and the like provided; in the water sector, it is the amount of drinking water, but also the number of households connected to the sewer system. In the IT and TC sector, different factors are relevant depending on the service: network subscribers, instances, domains, qualified certificates and server certificates, and in the case of data centers also power consumption - here a new lower limit of 3.5 instead of the previous 5 MW applies. Companies themselves are responsible for finding out whether they fall under the KRITIS rules and must take the appropriate steps. The lead and transition periods have now expired.

That means it would be important to keep KRITIS relevance in view on an ongoing basis?

Exactly. The law was passed in August 2021 and came into force on January 1, 2022. Affected facilities had to be registered by April 1 – and by the same date, KRITIS companies must also comply with the associated cybersecurity measures. This is likely to catch one or two new entrants among the KRITIS operators by surprise, not least because there is a threat of severe penalties. They will have to provide proof of implementation through KRITIS audits by April 1, 2024 at the latest, so there is at least a little time left. But even those who are not affected by the current classifications cannot sit back and relax. Further changes to the IT Security Act or the KRITIS Regulation are also planned for the current year. This means that a new delimitation of KRITIS relevance can occur at any time. So you should always keep an eye on the industry-specific thresholds. To be safe, it is advisable to consult experts here. Rosenberger OSI offers a non-binding quick check as an orientation aid as to whether KRITIS relevance exists. The focus of the check is the examination of the affiliation to KRITIS sectors, the classification with regard to threshold values and the evaluation of industry-specific peculiarities.

The KRITIS regulation requires IT to be adequately secured in line with the “state of the art”. What does this mean?

With the term "state of the art", the legislator avoids static specifications that soon become obsolete - because technical development is faster than legislation. What constitutes the current "state of the art" can be derived from various national and international standards, such as DIN, ISO, DKE or ISO/IEC. In addition, models for the respective area that have been successfully tested in practice can also be consulted. The goal is to take appropriate precautions to prevent disruptions; this refers, for example, to the availability, integrity, authenticity and confidentiality of the information technology systems, components or processes. The measures taken must be certified and proven to the BSI (German Federal Office for Information Security) within two years of the KRITIS regulation coming into force and renewed every two years. However, classic certifications such as ISO 27001 or BSI IT-Grundschutz alone are not sufficient for this.

Which KRITIS requirements must be observed for data centers and server rooms?

This depends on the need for protection and the availability requirements for the data center or server room. This can be the need for high availability, but also that certain requirements must be met for the location of the data center. With the certification according to the self-developed TSI.STANDARD, TÜViT has created a system that differentiates between four different levels, which reflect the quality of the supply systems as well as all other elements. It builds on the TSI (Trusted Site Infrastructure) methodology for testing and certifying the physical security and availability of data centers, which has been established since 2001. The TSI.STANDARD is continuously developed to reflect the current state of the art and standards - just as the BSI requires of KRITIS operators.

How does the infrastructure in data centers with high availability and protection class have to be optimized?

To build data centers with high protection class and availability, it is not enough just to optimize the IT infrastructure accordingly. The main vulnerabilities and risks in and around the data center, as well as the associated services - for example, DNS or certification services - should be considered in detail. And this should be done in a repeated process.

What exactly does this mean for the testing and evaluation of new data center buildings as well as existing data centers? In and around the data center?

In concrete terms, this means not only looking at the structure of the cabling or the power supply and the redundancies designed for it, but also the data center environment or aspects such as building construction, fire protection or security systems. In order to fulfill the KRITIS obligations, Rosenberger OSI checks how the valid requirement catalogs fit with the existing structural and physical security of the IT infrastructure. This analysis and evaluation results in technical and/or organizational lists of measures which, when implemented, can then guarantee the required level of security in accordance with the protection requirements to be met for the IT.

What does this mean for companies that are in the process of modernizing their infrastructure and fall under the BSI requirements?

The question of KRITIS relevance may come up in the middle of the IT modernization movement. If a company is an operator of critical infrastructures, then it is advisable to conduct an inventory and an analysis of the IT infrastructure. To fulfill the KRITIS obligations, the catalog of requirements should first be examined in an assessment. More information on further steps in the video.


What are important steps on the way to acceptance of the statutory KRITIS requirements?

The first step is to examine the BSI requirements catalog in order to record and evaluate in detail any deviations between the actual and target state of the IT infrastructure. This initially involves identifying the level for protection requirements and for availability as well as examining the criteria areas for IT operations, depending on the required protection requirement level. As part of the inventory, the complete IT infrastructure is recorded and its status evaluated. This is followed by a classification of the risks and a prioritization of the challenges to be overcome. Based on this, a catalog of measures is created, which includes a detailed recommendation for the protection requirement. In addition, targeted technical and/or organizational measures are derived to achieve the industry standard required by the BSI.



Interview with:
Matthias Reidans, Service Project Management

Matthias Reidans works as a senior project manager in Rosenberger OSI's service process. His current focus topic is Critical Infrastructure. With project assignments throughout Europe, he specialized in the topic of data center consolidation at an early stage. In many transformation projects, he successfully applied his knowledge of methodologies and project management standards in the outsourcing and cloud environment for customers from various industries such as banking, retail, transportation and industry.