Question 1

Which organizations are classified as KRITIS operators?

Accepted Answer

Operators of critical facilities above the thresholds defined in KritisV across 10 sectors: Energy (electricity, gas, petroleum, district heating), Water (drinking water, wastewater), Food, IT & Telecommunications, Health, Finance & Insurance, Transport, Media & Culture, Municipal waste management, and Government administration.

Question 2

What are 'attack detection systems' under Section 8a (1a) BSIG?

Accepted Answer

Technical and organizational systems mandated by the BSI for continuous, automated capture and evaluation of security-relevant events. In practice: SIEM, EDR/XDR, NDR, threat intelligence integration, and 24/7 SOC operations. Mandatory for all KRITIS operators since May 1, 2023.

Question 3

How is compliance with Section 8a BSIG demonstrated?

Accepted Answer

A compliance audit by a BSI-recognized testing body every 2 years. Assessed items include: documented security concepts, industry-specific security standard (B3S), implemented measures, effectiveness of attack detection systems. Identified deficiencies must be remediated within a reasonable timeframe.

Question 4

What reporting deadlines apply to KRITIS incidents?

Accepted Answer

Significant disruptions must be reported to the BSI without undue delay. 'Without undue delay' typically means within 24 hours. Follow-up reports with detailed and root cause information after 72 hours. Violations are subject to fines up to EUR 20 million.

Question 5

How does the DeltaSecure SOC support KRITIS compliance?

Accepted Answer

Complete Section 8a-compliant attack detection as a managed service: 24/7 monitoring, integration of OT systems (remote terminal units, SCADA), B3S-compliant detection rules, automated BSI reporting with documented incident handling. Audit support for the biennial compliance audit included.

Question 6

Does NIS2 apply in addition to or replace KRITIS?

Accepted Answer

NIS2 supplements existing KRITIS legislation and significantly expands the scope of addressees (including essential and important entities below KRITIS thresholds). Existing KRITIS operators must additionally comply with NIS2 requirements but benefit from synergies in ISMS and reporting.

KRITIS Assessment: Attack Detection Systems

Based on official BSI requirements

10 Core Questions

3-5 Minutes

Instant Results

Bereit für Ihre Selbsteinschätzung?

Why attack detection systems?

The three pillars of attack detection

Logging

Detection

Response

Need support?

Frequently Asked Questions

Clients