A well-founded KRITIS readiness assessment is the first step toward successful compliance. We systematically analyze your readiness, identify gaps, and develop tailored strategies for a resilient and compliant critical infrastructure.
Our clients trust our expertise in digital transformation, compliance, and risk management
A professional KRITIS readiness assessment reduces implementation risk by up to 70% and significantly accelerates compliance achievement. Invest in thorough preparation for sustainable success.
We use a structured and proven approach for KRITIS Readiness Assessments that systematically covers all relevant areas and delivers concrete recommendations for action.
Comprehensive as-is analysis of your critical infrastructures
Systematic assessment of vulnerabilities and risks
Detailed gap analysis for all compliance areas
Development of prioritized action and implementation plans
Strategic roadmap creation for sustainable compliance
"With our KRITIS Readiness Assessment, we create clarity for our clients about their current compliance status – structured, traceable, and practical. The concrete recommendations for action enable focused further development of the KRITIS strategy and help deploy resources specifically where the greatest need for action exists."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
Systematic identification and assessment of vulnerabilities in your critical infrastructures with comprehensive risk analysis.
Comprehensive assessment of gaps between your current status and KRITIS requirements in organizational and technical areas.
Development of comprehensive emergency concepts and strategic resource planning for critical scenarios.
Our expertise in managing regulatory compliance and transformation, including DORA.
Strengthen your digital operational resilience in accordance with DORA.
We manage your regulatory transformation projects successfully, from conception through to sustainable implementation.
KRITIS Readiness refers to the degree to which an organization is prepared to meet the legal requirements for protecting critical infrastructures, in particular pursuant to the BSI Act, the IT Security Act 2.0, and the KRITIS Umbrella Act. Operators of critical infrastructures in sectors such as energy, water, finance, healthcare, or transport are required to implement appropriate technical and organizational protective measures and to demonstrate these to the relevant authorities. An early readiness assessment helps you identify compliance gaps before audits or incidents occur. ADVISORI supports you in systematically determining your current maturity level and developing a clear roadmap toward full compliance.
Our assessment follows a structured, multi-stage approach that begins with an initial inventory of your existing security measures, processes, and documentation. We then conduct a detailed gap analysis, comparing your current situation against legal requirements and recognized industry standards such as BSI IT-Grundschutz or IEC 62443. Based on the identified gaps, we develop prioritized recommendations and a realistic implementation plan that takes into account your individual resources and risk priorities. You will receive a comprehensive report that can serve as a basis for internal decision-making as well as for communication with authorities and auditors.
KRITIS operators in Germany are subject to a wide range of regulatory requirements, derived primarily from the BSI Act (BSIG), the IT Security Act 2.0, and the KRITIS Umbrella Act currently being transposed into national law, which implements the European CER Directive. Key obligations include implementing the state of the art in IT security measures, registering with the BSI, reporting significant security incidents, and demonstrating protective measures through regular audits or certifications. In addition, sector-specific requirements must be observed, such as those arising from the EnWG for energy suppliers or from the DORA regulation for financial institutions. ADVISORI has in-depth expertise across all relevant sectors and keeps you continuously informed of current regulatory developments.
The duration of a KRITIS Readiness Assessment depends on the size and complexity of your organization and the scope of the infrastructure areas to be assessed, and typically ranges from four to twelve weeks. For an effective assessment, we require access to relevant contacts from the areas of IT, OT, information security, emergency management, and compliance, as well as to existing documentation such as security concepts, network diagrams, and process descriptions. We place great importance on keeping the burden on your team as low as possible, and coordinate interview appointments and document requests closely with you. ADVISORI brings all necessary methodologies, checklists, and assessment frameworks, allowing you to focus on your day-to-day operations.
Yes, ADVISORI supports you not only in assessing your KRITIS Readiness, but also in the concrete implementation of the recommended measures — from concept development and implementation through to preparation for regulatory inspections and audits. Our interdisciplinary team of information security experts, regulatory specialists, and technical consultants ensures that all measures are embedded sustainably, both technically and organizationally. We assist you, for example, with the introduction of an ISMS in accordance with ISO 27001, the development of emergency and business continuity concepts, and the training of your staff. This gives you end-to-end support from a single source, from initial assessment through to demonstrated compliance.
The KRITIS Umbrella Act, which transposes the EU Directive on the resilience of critical entities (CER Directive 2022/2557) into German law, significantly broadens the focus beyond pure IT security and addresses, for the first time in a comprehensive manner, physical security aspects such as access controls, sabotage prevention, and resilience planning. Compared to previous regulations, the range of affected sectors and operators is expanded, and the requirements for risk analyses, resilience plans, and reporting obligations are made more specific. For operators, this means that existing security concepts must be supplemented with physical and organizational resilience measures, and new documentation obligations must be fulfilled. ADVISORI works with you to analyze which new requirements are relevant for your organization and integrates them smoothly into your existing compliance strategy.
Discover how we support companies in their digital transformation
Bosch
AI process optimization for better production efficiency

Festo
Intelligent networking for future-proof production systems

Siemens
Smart manufacturing solutions for maximum value creation

Klöckner & Co
Digitalization in steel trading

Is your organization ready for the next step into the digital future? Contact us for a personal consultation.