CRITIS

Operators of critical infrastructures are companies and organizations active in the sectors of energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, as well as municipal waste disposal, that exceed defined threshold values. Under the BSI Act and the KRITIS Regulation, these operators are required to implement adequate organizational and technical measures to prevent disruptions to their information technology systems. In addition, they must report significant disruptions to the BSI without delay and provide evidence of the implementation of these measures every two years. ADVISORI supports you in assessing whether your organization falls under KRITIS regulation and accompanies you from the initial inventory through to full compliance assurance.

While the existing KRITIS regulation primarily targets the IT security of critical infrastructures and is anchored in the BSI Act, the KRITIS-Dachgesetz significantly extends the protective framework to include the physical resilience of critical facilities. The KRITIS-DachG transposes the EU CER Directive (Critical Entities Resilience) into German law and obliges operators to conduct comprehensive risk analyses, develop resilience plans, and implement measures against physical threats such as sabotage, natural disasters, or insider threats. Newly added sectors and an expanded authority structure — with the Federal Office of Civil Protection and Disaster Assistance (BBK) as the central body — complement the existing BSI regime. ADVISORI possesses in-depth expertise in both regulatory frameworks and helps you implement the requirements of KRITIS and KRITIS-DachG efficiently through an integrated compliance approach.

A KRITIS gap analysis at ADVISORI begins with a structured inventory of your existing security measures, processes, and organizational structures, benchmarked against the legal requirements of the BSI Act, the KRITIS Regulation, and relevant sector-specific standards such as B3S. In a second step, our experts identify specific gaps and prioritize them according to criticality and implementation effort. The outcome is a detailed gap report containing a clear roadmap that covers all identified areas for action, recommended measures, and a realistic timeline and resource plan. On the basis of this report, you can immediately begin addressing the identified gaps in a targeted manner, with ADVISORI providing full support throughout the subsequent implementation phase.

Sector-specific security standards (B3S) are frameworks recognized by the BSI, developed by industry associations, and serve as evidence of compliance with the state of the art pursuant to Section 8a of the BSI Act. They translate the general legal requirements into practical, sector-specific terms and enable operators to demonstrate their compliance on the basis of industry-relevant measures. Implementing a recognized B3S can significantly simplify the demonstration of compliance to the BSI while simultaneously strengthening operational security. ADVISORI is familiar with the relevant B3S standards for the finance and insurance sector as well as other industries, and supports you in selecting, implementing, and auditing the standard most appropriate for your organization.

KRITIS operators are legally required to report significant disruptions to their critical infrastructure to the BSI without delay, which necessitates clear internal processes, defined responsibilities, and technical detection capabilities. ADVISORI supports you in establishing a solid incident management process that addresses all regulatory reporting obligations while ensuring a rapid response to security incidents. We assist you with the implementation of suitable SIEM and monitoring solutions, the development of reporting processes and escalation paths, and the training of your staff in handling security incidents. In addition, our experts are available as experienced advisors in the event of an incident, supporting you in your communication with the BSI and in managing the situation.

KRITIS operators in the financial sector frequently face a wide range of parallel regulatory requirements, including DORA (Digital Operational Resilience Act), NIS2, and international standards such as ISO 27001. These frameworks share significant substantive overlaps — particularly in the areas of risk management, business continuity, incident management, and third-party governance — meaning that an integrated approach offers considerable synergies. ADVISORI pursues a comprehensive compliance approach that consolidates all relevant requirements within a unified framework, minimizing duplication of effort. As an ISO 27001 certified company with deep expertise in DORA, NIS2, and KRITIS, we are your ideal partner for the efficient, integrated implementation of all regulatory obligations from a single source.