Obligation to report for KRITIS

Datenschutz Grundverordnung Icon

Obligation to report for KRITIS

Obligation to report

The reporting obligation to the BSI includes considerable IT disturbances of the plant operator defined as KRITIS. If a failure or impairment is impossible after an IT malfunction, or if it is merely an ordinary IT malfunction, no notification to the BSI is required. However, if a failure or impairment occurs or is an exceptional IT fault, the BSI must be notified.

A failure of the plant operators is characterized by the fact that electricity is no longer generated in sufficient quantities. An impairment of power plants exists, for example, if the capacity is reduced by at least 210 MW or could be reduced.

A malfunction in the water sector means that a wastewater treatment plant no longer treats the wastewater to the prescribed quality. An impairment exists if the system is impaired by the incident to a degree corresponding to 250,000 population equivalents. If the impairment persists for several days, the daily values must be added.

Reportable or not?

IT disruptions can be described as exceptional if, for example, they have not already been averted automatically using the measures described as "state of the art", but only with considerable or significantly increased resource expenditure (e. g. increased coordination effort, involvement of additional experts, use of a special organizational structure, calling up a crisis management team). Examples of exceptional IT disruptions are:

  • New, previously unpublished vulnerabilities or unknown malware
  • New attack paths or targeted exploitation of security holes for which there is no patch yet
  • Successful overcoming of a safety measure (e. g. explicit separation technology, encapsulation / sandboxing technology, etc.)
  • Exceptional (D)DoS attacks that cannot initially be fended off with existing mitigation measures
  • Targeted IT attacks (Advanced Persistent Threats (APT)) that have been successful, attempted or successfully fended off
  • Exceptional and unexpected technical defects related to IT (e. g. after software updates or server cooling failure)
  • Spear-Phishing (features are e.g. specific topics tailored to the recipient, personal salutation)

Examples of extraordinary IT disturbances in the field of process control systems are:

  • security gaps on programmable logic controllers (PLC), incl. in web servers and other services
  • Utilization of errors in SCADA/PLC protocols or generally insecure protocols
  • Malfunction after firmware update

Ordinary IT disruptions, such as a hardware failure or spam or phishing e-mails, on the contrary, are those that have been fended off with (technical and/or organizational) measures implemented according to the "state of the art" and have been dealt with without significant problems or increased resource expenditure.

Reporting procedures

For the initial reporting to the BSI after the occurrence of a malfunction to be reported, speed before completeness applies in principle. The report must be made immediately after detection of the IT fault, i.e. without culpable hesitation. All information available at the time of notification must be reported to the BSI. If it is not yet possible to provide all the necessary information on the IT malfunction within the framework of this immediate notification, the notification must be marked as an initial notification.

As soon as missing information is known, a follow-up message and finally a final message must be submitted. In case of doubt, the report is subordinate to the containment of the immediate consequences of the IT malfunction.

A final report can be issued after all incident processing measures have been fully implemented. With the final report, the operator has fully fulfilled his obligation to report this IT malfunction to the BSI, unless the BSI makes other statements to the operator within five working days (e. g. by further inquiries on the incident).

How we can support you

    • Implementation of a Security Monitoring
    • Technical security to avoid reportable incidents
    • CSIRT – Incident Response
      • Support in eliminating malfunctions
      • Determination of the causes of faults, recommendations for action

Your contact person


Andreas Eichmann

Senior account manager
Tel. +49 2173 20363-0
Mail info-at-admeritia.de

Reference projects

  • Mandate Contact person for IT security
    • Various network operators Electricity/gas
  • Structure Security Monitoring
    • Large energy supplier
  • Incident Response Operations
    • Corss-industry customers

more reference projects...

Committee work

  • Working group "WI-5.4 Cyber-Security"
    • DWA
  • ISO IEC JTC1 SC27 (WG3 und WG4)
    • ISO
  • Mirror committee NA 043-01-27
    • DIN

more committee work...


  • The benefits of a safety test for process control technology
    • Westermo Solution Days - Roadshow
    • Feb 2016
  • Consistent security management with the help of central services
    • IT security requirements for the energy industry
    • Mai 2014
  • Technical tests for ICS-systems
    • 14. Deutscher IT-Security-Congress
    • May 2015

more lectures...


  • Consistent security management with the help of central services
    • SPS IPC Drives Kongress
    • Nov 2012
  • Hazard situation and safety of pump stations in open pit mining operations
    • a+s
    • Feb 2012
  • Information Security for Energy Automation Systems
    • EW
    • Sep 2009

more publications...