KRITIS - Security for Critical Infrastructures

Implement the requirements of the IT Security Act (IT-SiG)

The IT Security Act (IT-SiG) 2.0

Cyber resilience for KRITIS organizations

Increasing digitization and networking, together with ever more sophisticated attack methods, make IT systems more vulnerable than ever. Operators of critical infrastructures (CRITIS) are thus attractive targets with a high damage potential for society: if they fail, the consequences for the population can be far-reaching and sometimes dramatic. The aim of the IT Security Act, which came into force in 2015, is to improve protective measures against cyber attacks. IT security in accordance with the "state of the art" becomes just as mandatory as reporting significant security incidents to the Federal Office for Information Security (BSI).

Are you ready for May 1, 2023? From then on, the stricter requirements for IT security and cyber resilience of the IT Security Act 2.0 (IT-SiG) take effect, with far-reaching effects on more and more CRITIS organizations. Operational implementation of the IT-SiG requirements within such a short lead time is a real challenge in itself. In addition, the potential fines set out in the IT Security Act are severe: up to 4% of turnover or 20 million euros.

This makes it all the more important to act now and set the right course to avoid a rude awakening during the BSI audit.

Would you like to know more?

KRITIS Checklist

Use the dacoso KRITIS checklist to quickly and easily check whether all the mandatory requirements of the IT-SiG 2.0 have already been met.

IT-SiG 2.0

IT-SiG 2.0 defines the legal requirements that have been mandatory for CRITIS organizations since May 1, 2023. Tackle the IT-SiG before you and your critical infrastructure are targeted and attacked by hackers. Rely on our cybersecurity expertise and let us advise you on how to implement the legal requirements for attack detection (Section 8a (1a) BSIG) and mandatory reporting (Section 8b (4) BSIG) in accordance with the German Federal Office for Information Security (BSI). We will help you design your IT and OT landscape so that you achieve at least the required maturity level 3 and meet all basic requirements for logging, detection and response. This means full legal conformity (compliance) in minimal implementation time through targeted technical and organizational measures (TOM)!

The solution lies in the Security Operations Center (SOC)

Make the most of the pressure to act through IT-SiG 2.0: Gain transparency and control over your IT security with all critical areas, components and data - without having to operate a control center in your own organization. Our Security Operations Center (SOC) makes this possible! Here, all threads come together as in a "Mission Control Center". We offer the perfect mix of processes, systems and proven experts as a customized IT security solution tailored to your needs: logging, detection and response from a single source. And SOC as a Service (SOCaaS) offers the highest security standards "Made in Germany" - even certified.

The central success component of our IT security solution is Security Information & Event Management (SIEM). This works like a magnet - the software attracts security-relevant data from all sources and directions that are generated within an IT and OT environment. All information flows together to a central location - the SOC - where it is analyzed by our experts. In this way, security gaps can be detected at an early stage and attacks can be quickly averted. Exactly as the BSI prescribes for operators of critical infrastructures with its IT-SiG 2.0.

This solution can be expanded in a modular fashion with supplementary systems such as Network Detection & Response (NDR), Endpoint Detection & Response (EDR) as well as Vulnerability Assessment (VAS) and Threat Intelligence (TIS). This is future-proofing that grows seamlessly with your security needs!

Our solutions for your security and compliance

You have the choice! Either fast implementation of the legal minimum requirements of the IT-SiG 2.0 or the full expansion of your security for holistic protection "end-to-end".

The "Compliance" Solution

We ensure that you cover all the mandatory requirements of IT-SiG 2.0 (maturity level 3 of the BSI orientation guide) from day 1 and are ready for the BSI audit! We are your experienced navigator and advisor through the jungle of laws, orientation aids and guidelines.

What you can expect from us:

  • Managed service with German- and English-speaking support 24/7, from our certified Security Operations Center (SOC) in Germany.
  • Data protection compliant
  • Monitoring by SIEM system with preset use cases covering all relevant cases and integrating the most important log sources
  • Ticketing system for fast and targeted communication in case of incidents
  • BSI reporting and contact point for reportable IT incidents
  • Compliance reporting for documentation of legally compliant implementation plus service performance

The "Premium" solution

Does your KRITIS company already meet the requirements of maturity level 3 ("must") today? Then we have something for you! Meet the "can" and "should" requirements as well and close remaining attack points with our premium product.

All components of the "Compliance" variant plus the following services:

  • Extension of the SIEM system with SOAR capabilities for an automated and fast response to incidents based on playbooks.
  • NDR (Network Detection & Response) system for analysis of network activities

Cyber security requirements according to IT-SiG for KRITIS industries (B3S)

The public relies every day on the secure supply of services by CRITIS organizations in a wide variety of industries. Within the framework of "industry-specific security standards" (B3S), CRITIS operators or their associations can specify how the general requirements for the "state of the art" are to be met in their respective industries. This means greater legal certainty in the event of an audit by the Federal Office for Information Security (BSI).

Nine different industries are distinguished, and we know their requirements in detail:

  • Energy
  • Health
  • IT and Telecommunications
  • Transport and traffic
  • Media and culture
  • Water
  • Finance and insurance
  • Food
  • State and administration

The pressure on CRITIS organizations is immense: The entire IT and OT must be put to the test within a very short time in order to meet the high security requirements of the legislator. This is only possible with an experienced consultant who can also implement customized solutions.
David Haas, dacoso expert for KRITIS

Our experience - your advantages

Benefit from uncompromising security based on the highest standards.

  • Consulting, implementation and operation from a single source
  • Compliance - tailored to the requirements of IT-SiG 2.0
  • IT security "Made in Germany"
  • Flexible integration of your IT infrastructure components and applications
  • Experienced experts who are familiar with KRITIS requirements
  • Comprehensive reporting
  • Near real-time attack detection and comprehensive log file analysis
  • Certified Security Operations Center (SOC)
  • Reliable operation as a managed service (detection & response)
  • 24/7 availability
  • BSI contact point for reporting cyber attacks
  • Expandable, modular security portfolio: we take you to the next maturity level

Would you like to know more about our solutions for critical infrastructures (KRITIS and IT-SiG)?

We will be happy to inform you!