Documentation of compliance pursuant to Section 8a (3) of the BSI-Act

Operators of Critical Infrastructures (KRITIS operators) must, in accordance with Section 8a (1) of the BSI-Act and in an appropriate manner, provide the BSI with documentation of their precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which are crucial for the operability of the Critical Infrastructures they operate.

All operators of Critical Infrastructures are required to provide documentation, with the exception of those mentioned in Section 8d (2) of the BSI-Act.

In line with the BSI Kritis Regulation, operators of Critical Infrastructures must check annually if their systems are subject to documentation requirements. Operators should check by 31 March if their systems have exceeded the respective thresholds in the previous calendar year. If the threshold value is exceeded, the system is considered a critical service as of 1 April. The system is thus subject to verification and should be registered immediately with the BSI.

KRITIS operators must submit compliance documents to the BSI for each infrastructure or system subject to documentation requirements. These shall include both general information on the nature and extent of the audits carried out and a list of the security deficiencies detected. Operators of Critical Infrastructures within the meaning of Section 2 (10) BSIG must provide compliance documentation for their critical systems every two years.

This page provides an overview of what needs to be considered with regard to compliance documentation in accordance with Section 8a (3) of the BSI-Act.

Compliance documentation
You can use the forms for submitting documentation to submit your compliance documentation, including all the information required for processing, to the Federal Office for Information Security (BSI).

Orientation guide to documentation of compliance according to Section 8a (3) of the BSI-Act
This page describes the basic framework for providing appropriate documentation. The guidance on documentation describes, among other things, the roles involved and their tasks in the provision of documentation. The forms for submitting documentation are also available for download on this page.

Requirements pursuant to Section 8a (5) of the BSI-Act
Operators of Critical Infrastructures in the system category 2.1.1 Data Centre will find requirements for implementing documentation compliance pursuant to Section 8a (3) of the BSI-Act with regard to validation and scope here.

The BSI provides information about Section 8a of the BSI-Act in the related FAQ.