Industry-specific security standards

It is not mandatory to use an industry-specific security standard (B3S) in the context of providing proof of compliance.

Even if a B3S with the appropriate scope exists, a critical infrastructure operator is not obliged to implement it. The requirements in Section 8a (1) BSIG can also be met in other ways.

A B3S is developed within the respective industry and is intended to provide certainty when implementing and verifying the requirements in Section 8a (1) BSIG. It also provides legal certainty on what the BSI considers to be the 'state of the art' in the respective industry.

Note: Section 8a of the BSI Act (BSIG) does not apply in some dedicated areas of critical infrastructure because special statutory regulations apply there. This is the case for energy networks and energy systems in particular. The Federal Network Agency (BNetzA) has drawn up a catalogue of security requirements for these areas.

  • IT security catalogue pursuant to Section 11 (1a) EnWG, which serves to protect against threats to the telecommunications and electronic data processing systems necessary for secure grid operation.

The Federal Network Agency's IT security requirements catalogue is available at: www.bundesnetzagentur.de/it-sicherheitskatalog-energie.