SEKurity GmbH

COMPLIANCE · KRITIS

KRITIS demands biennial proof of state of the art.

Operators of critical infrastructure must demonstrate every two years – under §8a BSI-Gesetz – that their security measures meet the state of the art. We deliver the technical evidence that auditors and the BSI accept.

01 · SCOPE

Who is in scope – and why §8a does not disappear with NIS-2.

KRITIS covers operators of critical infrastructure across energy, water, food, IT and telecommunications, finance and insurance, transport, health, municipal waste disposal, as well as state and administration. The BSI-Kritisverordnung defines the thresholds that trigger the §8a obligations. NIS-2 widens the regulatory landscape, but §8a evidence remains the established mechanism through which the BSI verifies the state of the art – and continues to drive the audit cadence in many sectors.

02 · OBLIGATIONS

What §8a actually requires from operators.

  1. State of the art every two years

    §8a Abs. 3 BSIG requires operators to provide evidence at least every two years that organisational and technical precautions reflect the state of the art. The §8a-Nachweis is the formal artefact submitted to the BSI through a prüfende Stelle.

  2. Attack detection (§8a Abs. 1a BSIG)

    Since the IT-Sicherheitsgesetz 2.0, operators must run systems for attack detection. We test detection coverage against realistic attack paths and document where signals are missing or unreliable.

  3. B3S sector standards

    Where Branchenspezifische Sicherheitsstandards exist, they specify the controls. We map our test scope to the relevant B3S so the §8a-Nachweis can reference it directly.

  4. Incident reporting under §8b BSIG

    Significant ICT disruptions must be reported to the BSI. We support the technical analysis required for accurate, timely notification – and prepare the forensic baseline to back it up.

03 · OUR CONTRIBUTION

How we feed the §8a-Nachweis.

The §8a-Nachweis stands or falls on the quality of the underlying evidence. We test the relevant attack paths against operational and IT systems, map findings to B3S or sector-specific control catalogues and deliver retest results that close the loop. The output integrates directly into the document body the prüfende Stelle submits to the BSI.

RELATED FRAMEWORKS

Adjacent regulation we also test against.

§8A PREPARATION

The next §8a deadline arrives faster than you think.

We review with you the open findings from your last §8a-Nachweis, the gap to the current state of the art and the test scope for the upcoming submission.