Following self-identification and registration with the BSI, approximately 90 companies and organisations in the finance and insurance sectors are subject to the supervision of the BSI as operators of critical infrastructures for around 390 facilities. This group of supervised organisations is very heterogeneous.

For operators in finance and insurance, documentation of compliance in accordance with Section 8a (3) of the BSIG became due and had to be submitted to the BSI in June 2019. In the compliance documentation, the operators must provide the BSI with the results of the audits or certifications performed, including the security deficiencies identified. All operators required to submit compliance documentation have done so. On this basis, this article gives an overview of alternative methods for operators and of the deficiencies identified during the audits, classifying these deficiencies in categories. It also looks at elements of the supervisory practices at the BSI.