

§ 39 of the BSI-Act

Because the security of critical infrastructure is of paramount importance, operators of critical infrastructure (KRITIS) must demonstrate at least every three years, in accordance with § 39 of the Act on the Federal Office for Information Security (BSI Act, BSIG), that their IT security is state of the art. This demonstration is based on corresponding security audits, tests, or certifications.


KRITIS – What does that mean?

Under NIS-2, the existing KRITIS operators are referred to as operators of critical installations (Betreiber kritischer Anlagen). The existing KRITIS logic, which is based on KRITIS sectors, critical services and KRITIS installations with defined thresholds (at least 500,000 people supplied), remains unchanged. In addition to their KRITIS status, these operators automatically count as particularly important entities (besonders wichtige Einrichtungen).

In Germany, critical infrastructures (KRITIS) are facilities, installations or organisations that are of central importance to the functioning of the community. The legal basis for this is the BSI Act (BSIG). Infrastructure is considered critical if its failure or impairment would lead to significant supply bottlenecks, massive disruptions to public safety or other serious consequences for the state, economy and society. The classic KRITIS sectors include:

  • Energy
  • Health
  • Information technology & telecommunications
  • Transport and traffic
  • Water
  • Finance & insurance
  • Waste management
  • Food & nutrition
  • Government & administration
  • Space
  • Social security

Without a reliable electricity and gas supply, central services cannot be provided; without functioning IT and telecommunications systems, administration, business and critical services come to a standstill; and without a continuous supply of food and drinking water, public life can hardly be maintained.

German IT security law has been comprehensively modernised with the NIS-2 Implementation Act. It transposes the European NIS-2 Directive into national law and significantly expands the scope of application. The existing KRITIS concept remains in place, but is embedded in a much broader cyber security regime. In addition to the traditional KRITIS operators, numerous other companies are now also covered. The aim is to increase the overall resilience of key economic and social sectors.

KRITIS thus continues to refer to Germany's infrastructures that are particularly worthy of protection. However, the NIS-2 Implementation Act has systematically expanded and tightened their protection in order to effectively counter the growing cyber threats and ensure the long-term functioning of the community.


UnCRITICAL IT security

Successful certification in accordance with § 39 BSIG with TÜVIT

With us, you can provide the required evidence: we check your IT security in accordance with the requirements of the IT Security Act and assess whether you have taken appropriate state-of-the-art precautions with regard to your IT systems, processes, and components.
As a certified IT security service provider, we meet the BSI's requirements for an auditing body for § 39 BSIG audits of critical infrastructures and have the relevant auditing expertise.
In addition, we perform gap analyses to determine the required levels of maturity and implementation, and we also audit against industry-specific security standards (B3S).

Your benefits at a glance

  • BSI-compliant proof of IT security

    You receive objective proof of fulfilment of the requirements of the IT Security Act.

  • Legal certainty through fulfilment of legal requirements

    By complying with the requirements of the IT Security Act (IT-SiG), you fulfil your legal obligations.

  • Improved IT security according to the state of the art

    State-of-the-art security increases the security of your IT systems, processes and components.

  • Prevention of fines

    By implementing the requirements, you minimise the risk of high fines as a result of violations.

  • Greater security of supply

    By implementing the minimum level of IT security, you also improve the security of supply of your critical infrastructure.

  • Raise awareness among your employees

    A KRITIS audit raises your employees' awareness of IT security issues and new threats.


Frequently Asked Questions (FAQ)

What you need to know about § 8a BSIG (the predecessor of § 39 BSIG)

Operators of critical infrastructures within the meaning of the IT Security Act, as determined by the BSI Criticality Ordinance (BSI-KritisV), are obliged under the BSIG to

  • designate a contact point,
  • report IT incidents,
  • implement the "state of the art",
  • and provide evidence of this to the BSI at regular intervals (every two years under § 8a BSIG; every three years under the current § 39 BSIG).

ISO 27001 certification does not automatically cover the entire scope relevant for proof in accordance with Section 8a BSIG. This means that an ISO 27001 certificate can be used as part of the proof, but not as the proof itself, provided that the following general conditions are met.

  • Delimitation of scope: The scope must include the systems operated in accordance with the BSI Criticality Ordinance (BSI-KritisV).
  • Extended scope: The scope must be extended to include outsourced areas, and a comprehensive security assessment must be carried out from a KRITIS perspective.
  • Consideration of the KRITIS protection objectives: The KRITIS protection objectives of the operationally relevant parts must be suitably defined and included in the risk assessment throughout all processes and in the implementation of measures.
  • KRITIS IT protection requirements: As part of risk management, assess the protection objectives of availability, confidentiality, integrity and authenticity in relation to the maintenance of the critical service.
  • Dealing with risks: In particular, the extent of a risk to the general public, i.e. the impact on the functionality of the critical infrastructure and the critical service, must be taken into account. Appropriateness must be considered when selecting measures.
  • Implementation of measures: In principle, all measures required to maintain the critical service must be implemented. All measures that are only being planned, for example in the continuous improvement process (CIP), in the implementation plan or in the risk treatment plan, must be included in the list of security deficiencies in accordance with § 8a (3) BSIG.

Under Section 8a BSIG, proof had to be provided regularly every two years; under the current § 39 BSIG, the interval is three years. The deadline for providing follow-up proof is calculated on the basis of the letter that each company receives from the BSI in response to the submission of its proof documents.

The IT Security Act, which has been in force since 2015, aims to make Germany's IT systems and digital infrastructures the most secure in the world. It sets out regulations intended to improve the security of companies, of information and of the associated information technology. This matters particularly in the area of critical infrastructures, where potential failures or impairments can lead to significant supply bottlenecks or jeopardise public safety. Regulations to improve the availability and security of IT systems, especially in the area of critical infrastructures, are therefore a central part of the IT Security Act.