How to deal with services that have been outsourced to a third party?

The relevant operator of critical infrastructure within the meaning of the Federal Office for Information Security Act (BSIG) is responsible for implementing Section 8a(1) of the Federal Office for Information Security Act in the critical infrastructure it operates. If the operator outsources part of that infrastructure to a third party, it still retains the responsibility for implementing Section 8a(1) of the Federal Office for Information Security Act. It is advisable to set out implementation obligations in the contractual agreements concluded with the third party.

The same applies if the operator outsources IT that is required to operate the critical infrastructure. The purchasing of other services (electricity, water, public telecommunications, etc.) is not considered outsourcing in this sense, provided that the purchased service is not itself part of the critical service.