Verification for Critical Infrastructure (KRITIS) in accordance with §8a BSIG

Operators of so-called Critical Infrastructures (KRITIS) are legally obliged to protect their IT systems adequately and according to the "state of the art" against threats such as hacker attacks, but also against misconfiguration of systems. The legal requirements affect organizations and institutions of major importance to the community whose failure or impairment would result in lasting supply shortages, significant disruptions to public security or other dramatic consequences. This includes companies from the following sectors:

  • Energy (electricity and gas supply)
  • Water supply
  • Transport and traffic
  • Information technology and telecommunications
  • Health
  • Food supply
  • Finance and insurance industry

The classification of an institution as Critical Infrastructure is based on clear criteria and threshold values defined in the BSI-Kritisverordnung (BSI-KritisV).

According to §8a of the BSI Act (BSIG), operators of critical infrastructures (KRITIS) from these sectors must prove every two years that their IT security meets the industry-specific requirements. This proof is provided by means of an appropriate audit in accordance with §8a BSIG.

InterCert GmbH - Group of MTIC - supports operators of critical infrastructures (KRITIS) in providing this legally required proof. For this purpose, InterCert GmbH - Group of MTIC - is a recognized Certification Body and has been accredited by the German Accreditation Body DAkkS against ISO/IEC 27001:2013/2017 since 2013. In this role, we assemble a suitable team of auditors and technical experts that covers all required areas of competence, such as auditing, IT security and industry expertise.

We audit and evaluate whether the affected IT systems, processes and components are properly protected according to the "state of the art". For this purpose, we audit on the basis of international standards such as ISO/IEC 27001:2013/2017, specific industry standards, and the industry-specific security standards (B3S), which define specific requirements for the respective sectors. Finally, we prepare an audit report and, if necessary, a list of deficiencies according to the specifications of the German Federal Office for Information Security (BSI).

The many years of experience of our teams at InterCert GmbH - Group of MTIC - in auditing, surveying, testing and certification guarantee high-quality performance of the services offered. For the audited company, the benefit lies in the application of reasonable, practice-based methods typical of its sector.

Service provided by InterCert GmbH.

Contact our offices in Bonn to request a quote.

t. +49 228 62 9750-0 - m. info@mtic-group.org