§8a BSIG explained

§8a of the BSI-Act

As an operator of critical infrastructures (KRITIS), you must prove every two years, in accordance with Section 8a of the BSI Act (BSIG), that your IT security measures meet the state of the art. Whether your facility counts as a critical infrastructure is determined by the BSI Criticality Ordinance (BSI-KritisV); the proof itself is provided by means of an audit in accordance with Section 8a BSIG.

KRITIS – What does it mean?

Critical infrastructures (KRITIS) are organisations and facilities of major importance to the functioning of the state and society. The page groups them into the following sectors:

  • Government and administration
  • Energy
  • Healthcare
  • IT and telecommunications
  • Transport and traffic
  • Media and culture
  • Water
  • Finance and insurance
  • Waste management
  • Food

If these critical infrastructures fail or are impaired, lasting supply bottlenecks, significant disruptions to public safety or other serious consequences are to be expected. If electricity or gas is unavailable, for example, essential services can no longer be provided, and life without a continuous supply of food and drinking water is hard to imagine.

For this reason, the IT Security Act requires KRITIS operators to demonstrate a minimum level of IT security and to take appropriate state-of-the-art organisational and technical precautions to protect the IT systems, components and processes on which the critical service depends. The aim is to keep critical infrastructures functioning. The law also stipulates that significant IT incidents, such as cyber attacks, must be reported to the Federal Office for Information Security (BSI).
UnCRITICAL IT security

Successful certification in accordance with §8a of the BSI-Act with TÜVIT

With us, you provide the required proof: we test your IT security against the requirements of the IT Security Act and assess whether you have taken appropriate, state-of-the-art precautions with regard to your IT systems, processes and components.

As a certified IT security service provider, we fulfil the BSI's requirements for an auditing body for §8a BSIG audits of critical infrastructures and have the corresponding audit procedure expertise. We also audit against industry-specific security standards (B3S).

  • BSI-compliant proof of IT security
    With a successful audit in accordance with §8a BSIG or B3S, you fulfil the legal requirements of the IT Security Act.
     
  • Improved IT and supply security for your critical infrastructure
    By securing your critical infrastructure in accordance with the state of the art, you improve both IT and supply security.
     
  • Cost reduction & minimisation of liability risks
    By optimising processes, improving system availability and avoiding security incidents, you reduce costs and liability risks.

Your benefits at a glance

  • BSI-compliant proof of IT security

    You receive objective proof of fulfilment of the requirements of the IT Security Act.

  • Legal certainty through fulfilment of legal requirements

    By complying with the requirements of the IT-SIG, you fulfil your legal obligations.

  • Improved IT security according to the state of the art

    State-of-the-art security increases the security of your IT systems, processes and components.

  • Prevention of fines

    By implementing the requirements, you minimise the risk of high fines as a result of violations.

  • Greater security of supply

    By implementing the minimum level of IT security, you also improve the security of supply of your critical infrastructure.

  • Raise awareness among your employees

    A KRITIS audit raises your employees' awareness of IT security issues & new threats.

We will support you, whatever your starting point.

Consulting: TÜV NORD IT Secure Communication, Berlin

Auditing: TÜV Informationstechnik, Essen

Frequently Asked Questions (FAQ)

What you need to know about §8a BSIG

Operators of critical infrastructures within the meaning of the IT Security Act (which facilities qualify is defined by the BSI Criticality Ordinance, BSI-KritisV) are obliged by Sections 8a and 8b BSIG to

  • designate a contact point,
  • report significant IT incidents to the BSI,
  • implement the "state of the art",
  • and provide evidence of this to the BSI every two years.

ISO 27001 certification does not automatically cover the entire scope relevant for proof in accordance with Section 8a BSIG. An ISO 27001 certificate can therefore be used as part of the proof, but not as the proof itself, and only if the following conditions are met:

  • Delimitation of scope: the scope must include the systems operated in accordance with the BSI-KritisV, i.e. the systems on which the critical service depends.
  • Extended scope: the scope must be extended to include outsourced areas, and a comprehensive security assessment must be carried out from a KRITIS perspective.
  • Consideration of the KRITIS protection objectives: the KRITIS protection objectives of the operationally relevant parts must be suitably defined and carried through the risk assessment, all processes and the implementation of measures.
  • KRITIS IT protection requirements: as part of risk management, assess the protection objectives of availability, confidentiality, integrity and authenticity in relation to maintaining the critical service.
  • Dealing with risks: in particular, the extent of the risk to the general public, i.e. the impact on the functionality of the critical infrastructure and the critical service, must be taken into account. Measures must be selected according to their appropriateness.
  • Implementation of measures: in principle, all measures required to maintain the critical service must be implemented. Measures that are only planned, for example in the continuous improvement process (CIP), in the implementation plan or in the risk treatment plan, must be included in the list of security deficiencies submitted in accordance with § 8a (3) BSIG.

According to Section 8a BSIG, proof must be provided regularly every two years. The deadline for the follow-up proof is calculated from the date of the letter that the BSI sends to each company in response to the submission of its proof documents.

The IT Security Act, in force since 2015, aims to make Germany's IT systems and digital infrastructures among the most secure in the world. It seeks to improve the security of companies, information and the associated information technology through binding requirements. This matters most in the area of critical infrastructures, where failures or impairments can lead to significant supply bottlenecks or jeopardise public safety. Requirements for improving the availability and security of IT systems, especially in critical infrastructures, are therefore a central part of the IT Security Act.