Navigation and service

Industry-specific security standards

It is not mandatory to use an industry-specific security standard (B3S) in the context of providing proof of compliance.

Even if a B3S with the appropriate scope exists, a critical infrastructure operator is not obliged to implement it. The requirements in Section 8a (1) BSIG can also be met in other ways.

A B3S is developed within the respective industry and is intended to provide security for implementing and verifying the requirements in Section 8a (1) BSIG. It also provides legal certainty on what the BSI considers to be the 'state of the art' in the respective industry.