Implementing the “state of the art”

'State of the art' is a common legal term. Technical development moves faster than legislation. For this reason, it has proven successful for many years in many areas of law to refer to the 'state of the art' in statutes rather than trying to specify concrete technical requirements in the law itself. What constitutes the state of the art at a given point in time can be determined, for example, on the basis of existing national or international standards such as DIN, ISO, DKE or ISO/IEC, or on the basis of reference practices in the respective field that have proven themselves in practice. Since the technical measures required may differ from case to case, the 'state of the art' cannot be described in generally applicable and conclusive terms.

If you are affected by the KRITIS-specific provisions of the BSI Act, your organisation is obliged to take 'appropriate precautions to prevent disruptions [...] of its information technology systems, components and processes' in accordance with the 'state of the art' no later than two years after the legal ordinance (i.e. the BSI Kritis Regulation) comes into force, and to provide evidence of this to the BSI.

Operators and their associations can set down the state of the art in sector-specific security standards (B3S) and submit these to the BSI, which determines whether they are suitable.

Note

Section 8a of the BSI Act does not apply in certain areas of critical infrastructure because special statutory provisions apply there. This concerns in particular public telecommunications, energy networks and energy systems. The Federal Network Agency (BNetzA) has drawn up catalogues of security requirements for these areas. The catalogue for energy systems is currently under development. Further information on the Federal Network Agency's IT security catalogue is available at: www.bundesnetzagentur.de/it-sicherheitskatalog-energie