The German term KRITIS (Kritische Infrastrukturen) refers to organizations and facilities from sectors indispensable for the functioning of society. The BSI Act (BSIG) identifies nine sectors: energy, water, food, information technology and telecommunications, transport, healthcare, financial and insurance services, municipal waste disposal, and government and public institutions.

Within these sectors, thresholds determine when an operator qualifies as a KRITIS operator. In healthcare, for example, hospitals with more than 30,000 inpatient treatment cases per year qualify. KRITIS operators must implement adequate technical and organizational measures under §8a BSI Act, demonstrate compliance every two years (e.g., through audits) and report significant IT security incidents to the BSI.

The KRITIS Framework Act extends the concept of resilience to physical security: IT resilience and physical resilience (protection against power outages, flooding, physical access) must be considered together. For KRITIS operators, this means: backup infrastructure must be secured against both cyber attacks and physical threats.

In the context of data protection, physically isolated backup systems (air gap) and dedicated archiving hardware are particularly relevant for KRITIS operators: a storage medium that cannot be addressed over the network meets the BSI requirement for network-independent storage in the most direct way possible.

Frequently asked questions

Hospitals with more than 30,000 inpatient treatment cases per year fall under §8a of the German BSI Act as operators of critical infrastructure. For the exact threshold and the current version of the KRITIS Ordinance, direct verification with the BSI is recommended. KRITIS operators must implement adequate technical and organizational measures, demonstrate their implementation every two years and report significant incidents to the BSI.

KRITIS operators who fail to meet their reporting obligations risk fines under §14 BSIG. More serious, however, is the operational risk: in a cyber attack without adequate protective measures, rapid restoration of operations is jeopardized, and in critical sectors such as healthcare or energy, operational disruptions can directly endanger people.