Even if a B3S exists for the relevant industry, it is not mandatory for an operator of critical infrastructure within the meaning of BSIG to implement it. It is also possible for them to satisfy the requirements in accordance with Section 8a (1) BSIG in another way. A B3S is helpful in the implementation of the current technical security standards and provides legal certainty with regard to what the BSI views as 'state-of-the-art technology' in the relevant industry.

A B3S can be published by the issuer and applied by the operator regardless of whether it has received a suitability assessment. However, in the absence of a suitability assessment, the BSI gives no opinion regarding the suitability of the security arrangements. In this case, there is therefore no guarantee as to what extent additional measures should be taken.

Operators which use a B3S as the audit basis for providing documentation of compliance according to Section 8a of the Federal Office for Information Security Act should always use the latest version that has been confirmed as suitable.

If a B3S is adapted during an on-going documentation process, the compliance documentation submitted must prove that the latest state of the art is still fulfilled against the backdrop of the adapted B3S. There is no need to perform a migration in the midst of an on-going process.

All documentation of compliance must always show how operators deal with changes to the threat landscape, changes to processes within a critical infrastructure or changes to the effectiveness of actions.

'State of the art' is a common legal term. Since technology develops faster than legislation, it has proven useful in many areas of law to refer to the 'state of the art' in laws instead of trying to lay down concrete technical requirements in the law. What is the state of the art at a certain point in time can be determined, for example, on the basis of existing national or international standards or on the basis of role models for the respective area that have been successfully tested in practice. Since the necessary technical measures may differ depending on the specific case, it is not possible to describe the 'state of the art' in general and conclusive terms.

In the explanatory memorandum to the IT Security Act the 'state of the art' is described as follows:

Due to the far-reaching effects on society, the state of the art must be taken into account in the technical and organisational precautions. The state of the art in this sense is the level of development of advanced processes, facilities or modes of operation that makes the practical suitability of a measure to protect the functionality of information technology systems, components or processes against impairments of availability, integrity, authenticity and confidentiality appear assured. In determining the state of the art, reference shall be made in particular to relevant international, European and national norms and standards, but also to comparable procedures, equipment and modes of operation that have been successfully tested in practice. The obligation to take into account the state of the art does not exclude the possibility of using such precautions that provide protection as effective as the recognised state of the art precautions.

The preparation of a B3S is an opportunity for an industry to formulate its own 'state of the art' specifications based on its own expertise.

The relevant operator of critical infrastructure within the meaning of the Federal Office for Information Security Act (BSIG) is responsible for implementing Section 8a(1) of the Federal Office for Information Security Act in the critical infrastructure it operates. If the operator outsources part of that infrastructure to a third party, it still retains the responsibility for implementing Section 8a(1) of the Federal Office for Information Security Act. It is advisable to set out implementation obligations in the contractual agreements concluded with the third party.

The same applies if the operator outsources IT that is required to operate the critical infrastructure. The purchasing of other services (electricity, water, public telecommunications, etc.) is not considered outsourcing in this sense, provided that the purchased service is not itself part of the critical service.

The scope covers all 'information technology systems, components or processes … that are vital to the functionality of the critical infrastructure they operate'
(Section 8a(1) of the Federal Office for Information Security Act). The Act does not make any distinction about whether these systems, components or processes are located abroad or outsourced to external service providers or not. The only thing that matters in terms of scope is whether they are vital to the functionality of the critical infrastructure (asset).

The issue of outsourcing is addressed in a general sense in How to deal with services that have been outsourced to a third party?