IT-Security Law

How to secure your critical infrastructure

What does the IT Security Law mean for you, and what do you need to consider? Above all: how can the new requirements be combined with your established, proven operational environment? We point out solutions with which you not only fulfil the requirements of the IT Security Law, but also raise your actual security level and ensure technically effective security.

In addition to the IT security catalogue for gas network and power grid operators, the IT Security Law also requires a catalogue for operators of energy systems, provided that they are considered operators of critical infrastructures under the BSI KRITIS Regulation (BSI-KritisV). All other operators that are regarded as critical infrastructure under the BSI-KritisV must also take organizational and technical measures to avoid disruptions and ensure operability; these measures are developed by the industry associations in cooperation with the BSI. In this regard, the law includes a reporting obligation to the BSI as a core requirement: IT security incidents and near incidents, as well as audit results, must be reported. Operators of critical infrastructure must also appoint a contact person within six months.
The KRITIS Regulation for the energy, water, food, information technology and telecommunications sectors was published in April 2016. Companies in these sectors that exceed the defined thresholds are obliged to comply immediately with the requirements of the BSI Act. The thresholds for all other sectors concerned were published in June 2017.

For you, this results in two specific challenges: defining possible failure and impairment scenarios for your company, and implementing incident management.

How we can help you

  • We minimize the number of your reportable incidents and near incidents through our technical protection
  • As a first step towards incident management, you receive a quick win through a Security Monitoring Baseline. All previously existing fragments are integrated during implementation.
  • During our incident management assessments, you receive an action plan for building your incident management
  • Use the synergies by integrating the reporting system into security management while establishing your ISMS
  • Use the necessary audits to review the effectiveness of your implemented security measures. To guarantee effectiveness, the interaction between the technical and organizational elements of the measures must be ensured, which can only be verified from an integrated perspective.

Your contact person


Andreas Eichmann

Senior account manager
Tel. +49 2173 20363-0

Reference projects

  • Implementation of B3S Food Trade
    • KRITIS Company Food Retailing
  • Conversion of B3S water/waste water
    • various KRITIS water supply and disposal companies
  • Consulting on the design of a B3S
    • KRITIS organisation traffic


Committee work

  • Mirror committee NA 043-01-27
    • DIN
  • ISO IEC JTC1 SC27 (WG3 and WG4)
    • ISO
  • Working group "WI-5.4 Cyber-Sicherheit"
    • DWA


Lectures

  • Operationalization of a network operator ISMS
    • AK IT-security officer EVU
    • Nov 2016
  • Practical report - Development of an ISMS at an area network operator
    • VDE Symposium
    • Sep 2016
  • IT Security Law: What is in store for you
    • it-sa 2015
    • Oct 2015

Publications

  • IT Security Law - What does it mean to you?
    • Information Systems & Management
    • Aug 2015
  • ISMS: Pure paperwork or technically effective?
    • EW
    • Apr 2015
  • Continuous security management with the help of central services
    • SPS IPC Drives Kongress
    • Nov 2012