Critical infrastructure

The government, entrepreneurs, their business partners, investors and the general the public all demand that companies assure and comply with laws and ethical requirements.



Companies that operate critical infrastructure in particular are very important for the state. Failures or impairments can lead to supply bottlenecks that cause serious disruptions to public safety or other serious consequences.
This is why their sensitive data and information require a particularly high level of IT and information security and why they must take suitable precautions.

Click here for more information: Federal Office for Information Security (BSI)

Companies involved in critical infrastructure are required to obtain ISO certification

  • Companies operating facilities that are classified as critical infrastructure and exceed certain thresholds are required to obtain ISO 27001 certification.

    Since 2015, the IT Security Act (IT-SiG) and the IT Security Catalogue enshrined in this law have clearly defined which security precautions must be observed, especially by operators of critical infrastructure.
  • Contractors, suppliers and other stakeholders in value chains who work with certified companies stabilise and improve their market situation by obtaining certification.

    After all, critical infrastructure companies demand that their contractors are also certified. Different branches of industry and sectors define their own certification standards for information security, e.g. in TISAX®/VDA ISA  for auto-makers. Certification can strengthen – or even enable the continuation of – current business relationships. New ones may also emerge.
  • IT security incidents are subject to compulsory notification. Operators of critical infrastructure are therefore obliged to report to the federal office without delay any relevant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to, or have already led to, a failure or impairment of the functionality of the critical infrastructures they operate.
  • The IT Security Act requires critical infrastructure companies to implement risk and crisis management systems and to introduce and maintain an ISMS (information security management system). They must be continuously reviewed, adapted and improved.

    In order to tackle these complex measures, it is advisable to enlist the help of specialised consultants such as ARCA-Consult right from the beginning of the planning process More detailed information can be found here. 

Standards and regulations

  • Federal Office for Information Security Act (BSI Act)

    The BSI Act regulates the tasks and powers of the BSI (Federal Office for Information Security) as the supervisory and notification authority for IT security compliance among operators of critical infrastructures.
  • IT Security Act (IT-SiG)

    The IT-SiG aims to improve IT security in companies and government administration, as well as among citizens using the internet. It describes measures and methods for this purpose.
  • BSI Critical Infrastructure Ordinance (BSI-KritisV)

    The BSI Critical Infrastructure Ordinance regulates which companies in the critical infrastructure sectors are subject to the IT Security Act and defines the asset categories and thresholds for this purpose.
  • ISO/IEC 27000 series

    • The ISO/IEC 27000 series (also known as the ISO/IEC 27000 family or ISO27k for short) describes standards for security procedures in information technology, how they can be introduced in a management system, which requirements must be met prior to certification and which measures are necessary and useful to achieve the goals.
    • ISO 27001 and 27002: General rules and measures 
    • ISO 27011: Special rules for the telecommunications industry 
    • ISO 27019: Special rules for the energy sector
    • ISO 27033: Special rules for network security
    • ISO 27701: Special rules for data protection 
  • Section 25a Banking Act (KWG)

    This contains the basic principle of information security. Provision for the financial services industry, provided it is regulated by the Federal Financial Supervisory Authority (BaFin).

    Trusted Information Security Assessment Exchange: the standard for information security within the automotive industry to unify standards in value chains. More detailed information can be found here.

Institutions, supervisory and notification authorities

  • BSI

    The Federal Office for Information Security is a supervisory and notification authority for incidents in information technology security.
  • BAFin

    The Federal Financial Supervisory Authority monitors the business activities of financial service providers (banking institutions and insurance companies) as well as their legally compliant handling of risk positions and capital adequacy.
  • BNetzA

    The Federal Network Agency is responsible for the safe operation of supply and communication networks in compliance with competition law.
  • Data protection authorities

    The federal and state data protection authorities monitor compliant handling of personal data under data protection law and sanction violations of the law.

    The European Union Agency for Cybersecurity coordinates and monitors the deployment of measures to defend against cyber attacks.
  • ISO and IEC

    The International Organization for Standardization and International Electrotechnical Commission define standards for the requirements placed on information security management systems (ISMS).