Your asset counts as critical infrastructure if it reaches or exceeds the threshold value specified by the BSI Kritis Regulation (BSI-KritisV) for the respective category of asset infrastructure. The standard threshold of 500,000 customers served has simply been utilised in order to specify the asset-specific threshold values. This is based on the rationale that outages affecting critical infrastructure can only be compensated for up to a certain order of magnitude in terms of emergency capacity. In cases where such outages exceed the compensatory abilities of emergency planning, this will result in general supply bottlenecks. As specific protection goals for emergency planning have been specified only in isolated cases to date, thresholds must therefore be based on empirical values. An exemplary analysis of emergency planning and emergency capacities at federal level reveals a capacity limit in the examples investigated within a corridor of around 500,000 affected individuals. Outages that exceed this value cannot be adequately compensated for with current emergency capacities.
The calendar year in which the service, production, etc. is actually performed should be used to assess the threshold. Older points in time defined by accounting principles or, for example, law of obligation principles should not be taken into consideration.
The legislative justification for the BSI Kritis Regulation is a clarification from the Federal Ministry of the Interior and Community (BMI) adopted for the Regulation. It does not have binding force, but serves as an indirect aid when interpreting the rules of the BSI Kritis Regulation. When it comes to the question of what is included in an asset category, for example, the justification for the BSI Kritis Regulation is a crucial indication of what interpretation the legislators intended when they adopted the Regulation.
The BSI KRITIS Regulation identifies systems as critical infrastructure within the meaning of the BSIG, not locations. However, the operating location may represent an actual criterion in the assessment of whether a joint system as defined by the BSI KRITIS Regulation exists. This does not mean that an operating location in its entirety is considered to be critical infrastructure as defined by the BSI KRITIS Regulation. As such, it is solely the requirements for the existence of a joint system specified in the Annexes that are decisive.
The thresholds in the BSI KRITIS Regulation apply on a system basis (strict reference to a system). Groups, companies, plants or locations are not critical infrastructure themselves. So if no individual system exceeds the threshold, no critical infrastructure exists. An exception is the 'joint system', which is defined for each sector in the relevant Annex of the BSI KRITIS Regulation.
All IT systems that are directly necessary for the functionality of the relevant facilities are affected. Which individual areas of a company are affected must be assessed individually by the operator.
Quantities produced in the Federal Republic of Germany that are sent abroad or are the property of a foreign company must also be included. IT is not permissible for them to be deducted from the calculation of the annual turnover quantities.
An exception applies for the production of prescription drugs. In this case, only the units produced for the German market are included.
The term "joint management" does not refer to physical control infrastructure. Instead, it ensures that two systems are only considered to be a joint system if they are under the control of oneoperator (principle of operator identity). This requirement is met without problems if the system is operated by one (natural or legal) person. Joint management of the two systems is therefore indicative of joint management as defined by the Regulation. However, the requirement is also met if multiple systems can be assigned to different legal persons, provided they are in a relationship of dependency under group law.
