Jun 20, 2017 - Special topic

2nd part of the Act on Critical Infrastructure Protection (BSI KRITIS Act) – more providers with obligations

The countdown has begun - data-protection-compliant IT security solutions are urgently required

Recent events in English hospitals have shown how quickly a security loophole in IT-critical infrastructures can lead to shortages for the public. The Federal Government’s decision from a few days ago on stricter security terms for more provider sectors can therefore hardly be questioned.



Kiel – The BSI (German Federal Office for Information Security) will, in future, be placing even more responsibility on supply companies for infrastructures that are especially relevant to society (critical infrastructures). On May 31, the Federal Government resolved the second part of the Ordinance Implementing the IT Security Act.

More sectors are covered by the BSI KRITIS Act
This means that larger providers of critical infrastructures (KRITIS) from the healthcare, finance and insurance, transport and traffic sectors are now also subject to increased IT security regulations. In terms of Section 8a of the Act on the Federal Office for Information Security (BSI Act - BSIG), within the next two years they must meet minimum standards for IT security, and ensure data security in all of their service processes.

How exactly the standards, which will in future have to be reported on regularly, are to be guaranteed - and what proof of fulfillment is required - has only been broadly defined. What is certain is that “state-of-the-art” IT security measures must be implemented, and reported on to the BSI as the central contact partner. The BSI has published a related list of requirements. A reliable information security management system (ISMS) is advisable in order to fulfill the requirements sustainably - and to avoid the prospect of fines. However, this should not be seen as a necessary evil, but rather as a chance to generate new additional value.

Using information security management for added value
By means of log files, a modern ISMS can make data from all the desired “hidden corners” of a company usable. Solutions which are not only deployable as individual security information and event management (SIEM) systems, but operate as platforms, are able to display all IT processes. Thus, deviations are comprehensively recorded. In this way, data streams are not only secured. The additional benefit is that the collected data can be evaluated according to whatever criteria are desired. Equipment or computer malfunctions can thus be avoided, for example, and their performance improved. A further area of application is predicting customer behavior, in order to adjust business processes. This gives companies a tool to demonstrably fulfill their duties, and at the same time generate added value in their work processes.

For the operators of critical infrastructure, data security is already an important topic due to the federal state data protection acts. Through the second part of the BSI KRITIS regulation based on the IT Security Act, and the coming EU General Data Protection Regulation, this becomes even more important. The changes will impose much stricter data security requirements, and tougher sanctions if they are not met. The size from which companies in the respective sectors are affected by these new regulations is specified in the so-called “threshold values” of the BSI.

One of the KRITIS sectors is health care. Source: Fotolia ©upixa

Contact

Petra Sauer-Wolfgramm

Corporate Communications

phone: +49 431 3993-525

e-mail: sauer-wolfgramm@consist.de