Laws/regulations:
- Act on increasing the security of IT systems (German IT Security Act)
- BSI-Act
- BSI Kritis Regulation
Registering and reporting:
Operators can find the forms required to register their contact point on the report and information portal (MIP).
Operators that are already registered can also find the form for the additional registration of Critical Infrastructures on the MIP after logging in.
- S/MIME certificate for reports
Please note that the following keys are only to be used for the e-mail address contained therein.
- All communication with the KRITIS office uses the S/MIME certificate for the KRITIS office's e-mail inbox
- Public PGP key of the KRITIS office
Documents on requirements pursuant to Section 8a (1) BSI-Act:
Documents on industry-specific security standards (B3S) pursuant to Section 8a (2) BSI-Act:
- Guidance on industry-specific security standards: orientation guide on the content of and requirements for industry-specific security standards (B3S)
- Form for the submission of an industry-specific security standard
- Annex for the submission of industry-specific security standards: Mapping table for B3S orientation guide
Documents for the proof of compliance pursuant to Section 8a (3) BSI-Act:
We will be happy to accept your documentation in electronic form via encrypted e-mail. For encryption, please use the S/MIME certificate or the public PGP key of the KRITIS office. Both are provided in the 'Registering and reporting' section. Transfer by De-Mail is also possible (De-Mail address of the BSI: de-mail@bsi-bund.de-mail.de).
- Data protection notice
- Critical Infrastructure compliance documentation: Form KI
  The form contains information on the operator and the installation of the audited Critical Infrastructure and designates contact persons. It is completed by the operator and submitted to the BSI.
- Compliance document for review – Form P
  The document contains information on the following:
  - the scope, the audit topics and the type, scope and duration of the audit
  - the audit result and the security deficiencies identified
  - the suitability of the auditing body and the audit team
- Self-declaration as proof of a person's additional audit procedure competence pursuant to Section 8a BSI-Act
- Self-declaration by the auditing body on meeting the eligibility requirements for the audit and on compliance with the ethical principles
Orientation guide to documentation of compliance pursuant to Section 8a (3) BSI-Act (Version 1.1)
Documents on requirements pursuant to Section 8a (5) BSI-Act:
Requirements for the documentation of compliance for the installation category "data centre"
With this document, the BSI makes use of the legal regulation pursuant to Section 8a (5) BSI-Act and specifies requirements for the implementation of the verification pursuant to Section 8a (3) BSI-Act with regard to the validation and presentation of the scope for operators of Critical Infrastructures of the system category 2.1.1 data centre pursuant to Annex 4 (3) of the BSI Kritis Regulation. Affected operators and the associations of data centre operators (housing) had the opportunity to comment within the scope of a hearing.