Critical infrastructures: demonstrating compliance with the state of the art

Source: Zuständigkeitsfinder Schleswig-Holstein (Linie6Plus)

Service Description

If you operate critical infrastructures, you must prove that the security of your information technology corresponds to the state of the art. You must submit proof to the Federal Office for Information Security (BSI) every two years.

Critical infrastructures (KRITIS) are organizations and facilities that are of major importance to the community. If these facilities fail or are impaired, this can lead to supply bottlenecks, significant disruptions to public safety or other dramatic consequences. Regular proof of compliance with the state of the art is therefore required by law. KRITIS includes the following sectors, for example:

  • energy,
  • health,
  • information technology and telecommunications,
  • transportation and traffic,
  • water,
  • finance and insurance,
  • nutrition,
  • municipal waste disposal.

As an operator of critical infrastructures, you must ensure that the security of your information technology systems, components and processes, which are fundamental to their operation, corresponds to the state of the art. You must prove this to the Federal Office for Information Security (BSI) at least every two years.

To protect your information technology against failure and external attacks, you must take organizational and technical measures and precautions. This also includes the use of attack detection systems.
You can have this documented by security audits, tests or certifications from auditing bodies. The next step is to submit the results of these audits to the BSI using a verification document, including any security deficiencies that have been discovered.

The BSI then checks whether your precautions and measures meet the legal requirements. The BSI can request the submission of further test documents and, in the event of security deficiencies, the rectification of the security deficiencies.


Process flow

You can submit your evidence via the online service, by encrypted e-mail or by post.

If you submit evidence via the online service:

  • To use the online service, you need an ELSTER organization certificate and ELSTER company account.
  • Go to the federal portal verwaltung.bund.de and complete the online application.
  • You can upload your documents directly.
  • The KRITIS office of the Federal Office for Information Security (BSI) will check your details.
  • If the KRITIS office has any questions for you during the review or requests additional documents, it will contact you by email.
  • After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the new deadline for your next proof.

If you submit evidence by encrypted e-mail:

  • Download the verification document KI from the BSI website.
  • Fill out the form.
    • You can either complete the form digitally
    • or print it out first and then fill it in.
  • Sign the form.
  • Send the form and your verification documents by e-mail to the BSI's KRITIS office.
    • The KRITIS Office will accept your verification documents by encrypted e-mail.
    • For encryption, use the S/MIME certificate of the KRITIS office on the BSI website.
  • The next steps are the same as for the online service.

If you submit evidence by post:

  • Download the verification document KI from the website of the Federal Office for Information Security.
    • You can either fill out the form digitally and print it out,
    • or print it out first and then fill it in.
  • Sign the form and add the necessary verification documents.
  • Send your proof to the BSI's KRITIS office.
  • All further steps correspond to the procedure of the online service.

Requirements

  • You operate critical infrastructure
  • You are registered with the BSI
  • You have a corresponding operator ID/institution ID

Which documents are required?

  • Verification document KI: Information on the operator, the tested critical infrastructure and the contact person
  • Verification document P: Information on the inspection.
    • must be signed by an employee of the inspecting body who is authorized to sign.
    • must contain the following information:
      • Section PD: Information on the performance of the inspection
        • Appendix PD.A: Description and graphical representation of the scope of the audit
        • Appendix PD.B: Information on the test procedure
        • Appendix PD.C: Description of the test basis
      • Section PE: Information on the test result and the security deficiencies detected
        • Appendix PE.A: List of security deficiencies including implementation plan
      • Section PS: Information on the suitability of the inspecting body and the inspection team
        • Appendix PS.A: Proof or evidence of the qualification "additional test procedure competence for § 8a BSIG" or equivalent proof of competence

What are the fees?

There are no costs for you for submitting the certificates to the BSI.

What deadlines do I have to pay attention to?

Period of validity: 2 Years
You must provide proof of compliance with the state of the art to the Federal Office for Information Security (BSI) at least every 2 years. You can also submit your verification documents at any time before the verification deadline. The calculation of the deadlines depends on the time of the previous submission of the documents. If a proof turns out to be incomplete in the course of the inspection, so that documents have to be submitted subsequently, this does not affect the deadline for the subsequent proof once it has been calculated. For critical infrastructures that fall under the regulations of the BSI Act for the first time, proof must be provided within 2 years. If you register new systems in addition to already registered systems through the annual inspection, you can combine all systems in one verification, provided that the respective verification deadlines are not exceeded.

Processing duration

Processing time: 1 - 2 Weeks
The processing time is usually around 10 days from receipt of the supporting documents until confirmation is issued - provided that all the necessary documents have been submitted and the information is complete.

Legal basis

Appeal

There are no legal remedies.

Applications / forms

Forms available: Yes
Written form required: Yes
Informal application possible: No
Personal appearance necessary: No

Online services available: Yes

What else should I know?

There are no indications or special features.

Author

Federal Office for Information Security (BSI)

The text was automatically translated based on the German content.
