BSI requirements catalogue for CRITIS operators and auditors

This article looks at the BSI document “Konkretisierung der Anforderungen an die gemäß § 8a Absatz 1 und Absatz 1a BSIG umzusetzenden Maßnahmen” with its requirements and checklist for CRITIS operators and auditors.

The BSI document “Konkretisierung der Anforderungen an die gemäß § 8a Absatz 1 und Absatz 1a BSIG umzusetzenden Maßnahmen”, last updated on 10 September 2024, provides detailed requirements and a checklist for critical infrastructure operators (CRITIS) and audit bodies in Germany. It specifies the legal requirements according to § 8a Abs. 1 and 1a BSIG and defines a quasi-standard for cybersecurity in CRITIS with 135 controls. The catalogue also contains test criteria for evaluating security precautions and requirements for physical protection, as described in Section 2.7 on physical security.

Important note:
The current BSIG, and therefore the Requirements Catalogue, is valid until the NIS2UmsuCG (German) comes into force and a new BSIG is in place. Depending on political developments, this is expected in the course of 2025. An update of the catalogue of requirements is planned, taking into account the requirements of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG).

The most important facts at a glance:

BSI Requirements Catalogue for CRITIS Operators and Auditors

  • The catalogue of requirements provides CRITIS operators and audit bodies with a specification of the requirements of § 8a Absatz 1 und Absatz 1a BSIG (German).
  • In addition, the catalogue of requirements provides auditing bodies with suitable criteria for an appropriate audit of the security measures applied, in order to be able to provide the required evidence in accordance with § 8a Absatz 3 BSIG.
  • The BSI document “Konkretisierung der Anforderungen (KdA)” with 135 controls defines basic cybersecurity requirements as a quasi-standard for CRITIS operators.
  • However, the catalogue of requirements also includes requirements for physical protection:
    • See 2.7 Physical Security (page 21), among others:
      • 72. Perimeter protection (PS-01)
      • 73. Physical access protection (PS-02)
      • 74. Protection against external threats (PS-03)

Specifically, for 72. Perimeter protection (PS-01):

  • An appropriate framework for the structural and physical security required for the secure operation of a critical service shall be established.
  • The perimeters of premises or buildings housing sensitive or critical information, information systems or other network infrastructure shall be physically sound and protected by appropriate state-of-the-art security measures.
  • The security policy shall include the establishment of different security zones, separated by security perimeters, with monitored and secured transitions between the zones where necessary to protect the critical service.
     

“The BSI requirements catalogue provides CRITIS operators and auditors with a clear framework for implementing both cyber and physical security measures.”

Jürgen Seiler, Head of Business Development at Dallmeier electronic GmbH & Co.KG

Dallmeier solution: Panomera® Perimeter

  • The Panomera® S4 Perimeter sets a new standard in perimeter protection.
  • What used to require multiple cameras, complex infrastructure and complex analysis now requires just one system.
  • Equipped with a neural network specially trained for perimeter scenarios, combined with the patented Panomera® multifocal sensor technology, the result is one of the most powerful perimeter protection systems in the industry.
  • Definition of pre-zones, alarm zones and object types.
  • Detection of unusual movements, even of camouflaged persons.
  • Automatically tracks and focuses on detected objects.

More information and other benefits of the Dallmeier Panomera® Perimeter can be found here.

More information about CRITIS:
Info and download: “CRITIS practical guide”

Further information about the BSI requirements catalogue:

As always, further information on the Catalogue of Requirements (KdA) can also be found at OpenKRITIS.