Critical infrastructure (KRITIS)

Critical infrastructure (KRITIS) industries

What are critical infrastructures and what are they important for?

Supply shortages, significant disruptions to public safety, or other dramatic consequences would set in if critical infrastructure (KRITIS) failed or were compromised. KRITIS are organizations or facilities of critical importance to the governmental community.

Critical infrastructure includes organizations and facilities in the following sectors:

  • Energy – electricity, petroleum, natural gas
  • Transportation and traffic– Air transport, rail transport, shipping, road transport
  • Drinking water supply and delivery
  • Finance and insurance – Banking and credit institutions, stock exchanges
  • Nutrition
  • Media and culture
  • Government and administration
  • Health – Health care facilities/health care providers
  • Information technology and telecommunications

Basis for the functioning of society

The operators of critical infrastructures are responsible for ensuring that the critical services that are absolutely necessary for supplying the population are guaranteed. They provide these in high quality and stability. A high sense of responsibility is what distinguishes KRITIS operators and forms an essential basis for a functioning society – this is why KRITIS are particularly worthy of protection and their operators are also responsible for their protection.

Protection against external attacks

If you are an operator of essential services or critical infrastructure, you are subject to the Network and Information System Security Act (NIS) in Austria. In Germany, the IT Security Act and the Regulation determining critical infrastructure apply. These regulations require operators to implement minimum IT security standards to protect your business from potential cyber or other external attacks.

Requirement to provide evidence

Those responsible for critical infrastructures are subject to a reporting obligation if significant IT security disruptions occur.The Federal Office for Information Security (BSI) in Germany also requires regular reporting of the implementation of all required security requirements. In Austria, this obligation to provide proof to the Federal Ministry of the Interior (BMI) applies at intervals of at least three years.

Avoid disturbances

KRITIS operators are required to take appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are critical to the functioning of the critical infrastructures they operate no later than two years after the entry into force of the statutory order pursuant to Section 10 (1).

KRITIS - Crisis management and business continuity disaster recovery concept

Implement KRITIS requirements

The regulations for ensuring security must be implemented by KRITIS operators in all EU member states. For many companies, this is a challenge that can be solved with our HITGuard software.

Optionally, KRITIS operators can choose to demonstrate compliance with the minimum IT security standards by

  • the “IT-Grundschutz” of the BSI,
  • an information security management system (ISMS) according to ISO/IEC 27001 or
  • an ISMS according to an industry standard (B3S standard; this must have been adopted by a regulation and entered into force)


If you are a critical infrastructure operator and need to demonstrate a functional ISMS and do not know how to proceed or how to identify relevant risks, contact TogetherSecure.

Our software maps the BSI procedure model in an efficient and sustainably maintainable way. Among other things, you can perform risk analyses according to the content of the BSI IT-Grundschutz Kompendium 2021 with HITGuard.

Likewise, we support the implementation of an ISMS according to ISO/IEC 27001 and also offer knowledge base subscriptions for this purpose with different focuses and contents such as extensive template collections.

If you want to implement a B3S standard, you can also do that with HITGuard. For example, we support the industry-specific security standard for healthcare in hospitals.

Risikomanagement Dashboard mit ISO 27001 Compliance Auswertung [HITGuard]

Risk management dashboard with ISO 27001 compliance evaluation [HITGuard]

Jetzt unverbindlich Demo anfordern

Erfahren Sie, was die GRC Software HITGuard für Sie leisten kann

Learn more about other modules of HITGuard!

Wo sich HITGuard unter anderem bereits bewährt


ca. 20.000 Mitarbeiter

ca. 700 Mitarbeiter


ca. 18.000 Mitarbeiter

IT-Security Solutions
ca. 100 Mitarbeiter

ca. 400 Mitarbeiter

ca. 500 Mitarbeiter

Burgenländische Krankenanstalten-Gesellschaft m.b.H. (KRAGES)

ca. 1.600 Mitarbeiter

computer betting company gmbh



Ist Ihre Branche nicht dabei? Sie benötigen mehr Informationen? Gerne stellen wir Ihnen individuelle Referenzbeispiele zusammen – kontaktieren Sie uns.