--- title: KRITIS (Critical Infrastructure) date: 2026-06-01T17:19:00+02:00 author: Hannes Heckel canonical_url: "https://www.fast-lta.de//en/glossary/kritis-critical-infrastructure" section: Glossar --- The German term KRITIS (Kritische Infrastrukturen) refers to organizations and facilities from sectors indispensable for the functioning of society. The BSI Act (BSIG) identifies nine sectors: energy, water, food, information technology and telecommunications, transport, healthcare, financial and insurance services, municipal waste disposal, and government and public institutions. Within these sectors, thresholds determine when an operator qualifies as a KRITIS operator. In healthcare, for example, hospitals with more than 30,000 inpatient treatment cases per year qualify. KRITIS operators must implement adequate technical and organizational measures under §8a BSI Act, demonstrate these every two years (e.g., through audits) and report significant IT security incidents to the BSI. The KRITIS Framework Act extends the concept of resilience to physical security: IT resilience and physical resilience (protection against power outages, flooding, physical access) must be considered together. For KRITIS operators, this means: backup infrastructure must be secured against both cyber attacks and physical threats. In the context of data protection, physically isolated backup systems (air gap) and hardware WORM for archiving are particularly relevant for KRITIS operators: a non-addressable storage medium meets the BSI requirement for a network-independent, immutable backup storage in the most direct way possible. ### Immutable Storage Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights). [Mehr erfahren →](https://www.fast-lta.de//en/glossary/immutable-storage) ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) ## Frequently asked questions #### Is my hospital a KRITIS operator? Hospitals with more than 30,000 inpatient treatment cases per year fall under §8a of the German BSI Act as operators of critical infrastructure. For the exact threshold and the current version of the KRITIS Ordinance, direct verification with the BSI is recommended. KRITIS operators must implement adequate technical and organizational measures, demonstrate their implementation every two years and report significant incidents to the BSI. #### What are the consequences of not meeting KRITIS requirements? KRITIS operators who fail to meet their disclosure obligations risk fines under §14 BSIG. More seriously, however, is the operational risk: in a cyber attack without adequate protective measures, rapid restoration of operations is at risk — and in critical sectors such as healthcare or energy, operational disruptions can directly endanger people.