responsibility finder
Schleswig-Holstein

For operators of energy supply networks and energy systems: Demonstrate the use of attack detection systems

Source: Zuständigkeitsfinder Schleswig-Holstein (Linie6Plus)

Service Description

As an operator of energy supply networks and energy systems that are considered critical infrastructure, you must use systems for attack detection. You must provide evidence of this to the Federal Office for Information Security (BSI).

As an operator of energy supply networks and energy systems that are considered critical infrastructure, you are obliged to use systems for attack detection. These must continuously identify and prevent threats. You must also provide suitable measures to rectify any faults that occur. Since 01.05.2023, you must provide evidence of the use of these systems to the Federal Office for Information Security (BSI) at least every 2 years.

To protect your information technology from external attacks, you must take organizational and technical measures and precautions. You can have these documented through security audits, further tests or certifications. In the next step, you send the BSI the results of the tests carried out, including any security deficiencies discovered, using a verification document.

The BSI then checks whether your precautions and measures meet the legal requirements. The BSI can request the submission of further test documents and, in the event of security deficiencies, the rectification of the deficiencies.

Energy supply networks and energy systems are elementary for the state community. If they fail or are impaired, there is a risk of supply bottlenecks, significant disruption to public safety or other dramatic consequences. Regular verification of the use of attack detection systems is therefore required by law.


Process flow

You can submit your evidence online, by encrypted e-mail or by post. To submit the evidence, you must be registered with the BSI as an operator of energy supply networks and/or energy installations and have an operator ID/institution ID, which you received when you registered.

Submit evidence online:

  • To use the online service, you need an ELSTER organization certificate and ELSTER business account.
  • Go to the federal portal verwaltung.bund.de and complete the online application.
  • Upload the required documents.
  • The BSI's KRITIS (Critical Infrastructure) Office will check your details. If the KRITIS office has any queries during the review or requests additional documents, it will contact you by email.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit evidence by e-mail:

  • Download the KI* verification document from the BSI website
  • Fill out the form.
  • You can either complete the form digitally or print it out first and then complete it.
  • Sign the form.
  • Send the form and your verification documents by encrypted e-mail to the BSI's KRITIS office. For encryption, please use the S/MIME certificate of the KRITIS office on the BSI website.
  • The BSI's KRITIS Office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit proof by post:

  • Download the proof document KI* from the BSI website.
  • You can either complete the form digitally and print it out or print it out first and then complete it.
  • Sign the form and add the necessary supporting documents.
  • Send your proof by post to the BSI's KRITIS office.
  • The BSI KRITIS office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by email.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.
Requirements

You are registered with the BSI as an operator of energy supply networks and/or energy systems that are considered critical infrastructure.

Which documents are required?
  • Critical infrastructure verification document (for operators of energy supply networks and energy installations that are considered critical infrastructure) KI*: Details of the operator, the audited energy system or audited energy supply network and the contact person
  • Verification document (inspection) P*: Details of the inspection. It must be signed by a person authorized to sign on behalf of the verifying body. It contains the following information:
    • Section (test execution) PD: Information on the execution of the test
      • Appendix PD A: Description and graphical representation of the scope of the test
    • Section (test result) PE: Information on the test result and the safety deficiencies detected
      • Appendix PE.A: List of safety deficiencies including implementation plan for remedying the deficiencies
  • Section (information on the inspecting body and the inspection team) PS: contains information on the inspecting body and the inspection team
What are the fees?

There are no costs for submitting the evidence to the BSI.

What deadlines do I have to pay attention to?

Period of validity: 2 Years
You must provide evidence of the use of attack detection systems to the Federal Office for Information Security every two years. You can also submit your verification documents at any time before the verification deadline. The statutory 2-year rule is the minimum requirement. The calculation of the deadlines depends on the time of the previous submission. If a proof proves to be incomplete in the course of the review, so that subsequent deliveries have to be made, this does not affect the deadline for the subsequent proof once it has been calculated. If you register new installations in addition to those already registered as a result of the annual inspection, you can combine all installations in one verification, provided you do not exceed the respective verification deadlines.

Processing duration

Processing time: 1 - 2 Weeks
As a rule, processing takes about 10 days from receipt of the evidence until confirmation is issued - provided that all the necessary documents have been submitted and the information is complete.

Legal basis
Appeal

Not applicable

What else should I know?

There are no indications or special features.

Author
Forwarding service: Deep link to the original portal

Federal Office for Information Security (BSI)

The text was automatically translated based on the German content.

Teaser

As an operator of energy supply networks and energy systems that are considered critical infrastructure, you must use systems for attack detection. You must provide evidence of this to the Federal Office for Information Security (BSI).

Process flow

You can submit your evidence online, by encrypted e-mail or by post. To submit the evidence, you must be registered with the BSI as an operator of energy supply networks and/or energy installations and have an operator ID/institution ID, which you received when you registered.

Submit evidence online:

  • To use the online service, you need an ELSTER organization certificate and ELSTER business account.
  • Go to the federal portal verwaltung.bund.de and complete the online application.
  • Upload the required documents.
  • The BSI's KRITIS (Critical Infrastructure) Office will check your details. If the KRITIS office has any queries during the review or requests additional documents, it will contact you by email.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit evidence by e-mail:

  • Download the KI* verification document from the BSI website
  • Fill out the form.
  • You can either complete the form digitally or print it out first and then complete it.
  • Sign the form.
  • Send the form and your verification documents by encrypted e-mail to the BSI's KRITIS office. For encryption, please use the S/MIME certificate of the KRITIS office on the BSI website.
  • The BSI's KRITIS Office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit proof by post:

  • Download the proof document KI* from the BSI website.
  • You can either complete the form digitally and print it out or print it out first and then complete it.
  • Sign the form and add the necessary supporting documents.
  • Send your proof by post to the BSI's KRITIS office.
  • The BSI KRITIS office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by email.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Requirements

You are registered with the BSI as an operator of energy supply networks and/or energy systems that are considered critical infrastructure.

Which documents are required?

  • Critical infrastructure verification document (for operators of energy supply networks and energy installations that are considered critical infrastructure) KI*: Details of the operator, the audited energy system or audited energy supply network and the contact person
  • Verification document (inspection) P*: Details of the inspection. It must be signed by a person authorized to sign on behalf of the verifying body. It contains the following information:
    • Section (test execution) PD: Information on the execution of the test
      • Appendix PD A: Description and graphical representation of the scope of the test
    • Section (test result) PE: Information on the test result and the safety deficiencies detected
      • Appendix PE.A: List of safety deficiencies including implementation plan for remedying the deficiencies
  • Section (information on the inspecting body and the inspection team) PS: contains information on the inspecting body and the inspection team

What are the fees?

There are no costs for submitting the evidence to the BSI.

What deadlines do I have to pay attention to?

Period of validity: 2 Years
You must provide evidence of the use of attack detection systems to the Federal Office for Information Security every two years. You can also submit your verification documents at any time before the verification deadline. The statutory 2-year rule is the minimum requirement. The calculation of the deadlines depends on the time of the previous submission. If a proof proves to be incomplete in the course of the review, so that subsequent deliveries have to be made, this does not affect the deadline for the subsequent proof once it has been calculated. If you register new installations in addition to those already registered as a result of the annual inspection, you can combine all installations in one verification, provided you do not exceed the respective verification deadlines.

Processing duration

Processing time: 1 - 2 Weeks
As a rule, processing takes about 10 days from receipt of the evidence until confirmation is issued - provided that all the necessary documents have been submitted and the information is complete.

Legal basis

Appeal

Not applicable

What else should I know?

There are no indications or special features.

Author

Forwarding service: Deep link to the original portal

Federal Office for Information Security (BSI)

The text was automatically translated based on the German content.

Further information and offers