KRITIS Regular Tests & Audits

The Section 8a compliance audit is conducted in two stages. In Stage 1, the audit scope is defined, documentation is reviewed and the audit plan is prepared. In Stage 2, the actual audit procedures take place: document review, interviews with responsible personnel, on-site inspection of systems and technical assessment. At the end, the compliance documents are prepared: BSI Form P (audit evidence), Form KI (description of the critical infrastructure), the audit report and, where applicable, a deficiency list. The BSI provides guidance documents (GAiN, RUN) that describe the exact procedure.

The audit basis is either a sector-specific security standard (B3S) recognised by the BSI, or established standards such as ISO 27001 or BSI IT-Grundschutz. Auditors must hold the special audit procedure competence for Section 8a BSIG. Since the NIS 2 transposition into the BSIG, the ten measure areas under Section

30 BSIG additionally serve as audit subjects, including risk analysis, incident management, business continuity, supply chain security and cryptography.

KRITIS operators must demonstrate to the BSI every two years that their IT security measures meet the state of the art. The deadline runs from the date of the last submission. Since the NIS 2 transposition in 2026, transitional provisions apply: operators may submit the next proof under the previous BSI requirements or already apply the NIS2-compliant requirements. The subsequent proof must then follow the updated procedure.

Penetration tests are a central component of the technical on-site assessment in the Section 8a procedure. The BSI recommends annual penetration tests for KRITIS operators, even though formal proof is only required every two years. Tests should follow recognised methodologies such as OWASP, the BSI penetration testing guide or PTES, and should cover IT/OT segmentation, firewall configurations, privileged accounts and, where applicable, physical access security. The pentest report serves as key evidence in the Section 8a audit.

With the transposition of the NIS 2 Directive into the BSIG, extended requirements apply. KRITIS operators are classified as particularly important entities and must demonstrate compliance with the ten measure areas under Section

30 BSIG. New requirements include supply chain security, use of cryptography and attack detection systems (SzA). The compliance procedure is being gradually adapted to NIS 2 requirements, with transitional periods in effect.

After completing the audit, the following documents must be submitted to the BSI: the audit evidence document (Form P), the critical infrastructure description (Form KI), the audit plan, the audit report with findings from the document review and on-site assessment, and where applicable a deficiency list with remediation deadlines. The BSI provides the forms and guidance documents (GAiN, RUN) that specify the exact scope and requirements for the compliance documents.

ADVISORI supports KRITIS operators throughout the entire audit cycle: in the preparation phase, we conduct a gap analysis to identify deviations from BSI requirements early. We assist with preparing the required documentation, conduct internal pre-audits and prepare responsible personnel for the interviews. Additionally, we provide regular penetration tests and vulnerability assessments between audit cycles to ensure security measures are continuously validated.