Documentation of compliance according to Section 8a (3) BSIG
Any deficiencies identified in an assessment pursuant to Section 8a(3) of the BSI Act must be reported to the BSI in the form of a list of deficiencies when submitting evidence. This list includes a plan for resolving deficiencies that reveals which measures will be taken at which time in order to resolve the deficiencies listed. The minimum requirements for a list of deficiencies are described in chapter 5.7 of the orientation guide to documentation of compliance; a sample list of deficiencies, including an implementation plan, is provided in annex D of the orientation guide.
To report on the current status of their efforts to rectify faults, operators regularly submit an updated version of their list of deficiencies to the relevant sectoral division. The intervals between updates range between one and six months; operators will be notified of the reporting cycle by the responsible sectoral division once their initial list of deficiencies has been assessed.
In the updates, deficiencies must retain the same number (ID) from the original list of deficiencies submitted with the evidence so that the BSI can clearly identify them.
Please provide details on the implementation dates of the measures being taken by specifying the actual or planned month of completion. If the implementation of certain measures is delayed, comprehensible and plausible reasons must be provided.
In principle, any auditing body that is capable of providing suitable documentation of compliance may provide documentation of compliance according to Section 8a(3) of the Federal Office for Information Security Act. Ultimate responsibility for providing suitable documentation of compliance, and therefore also for selecting a suitable auditing body, lies with the operator of the critical infrastructure.
In the 'Orientation guide to documentation of compliance according to Section 8a(3) of the Federal Office for Information Security Act', the BSI describes criteria that can be used to evaluate the suitability of an auditing body (Section 3) and the audit team (Section 4). If these criteria are fulfilled, operators can be assured that Section 8a(3) of the Federal Office for Information Security Act will be implemented correctly.
As a matter of principle, the BSI considers all accreditations for auditing bodies granted by the National Accreditation Bodies of the EU Member States in line with European Regulation (EC) No 765/2008 (Article 4(1)) as being equal to accreditations from DAkkS. In addition, any auditing body accredited for the ISO/IEC 27001 field is considered to have implemented and complied with ISO/IEC 17021-1 and ISO/IEC 27006 by virtue of that accreditation.
If you are in any doubt, you can contact the BSI, stating the accreditation body and the field for which the auditing body has been accredited, to obtain confirmation.
Pursuant to Section 8a (3) BSIG, the documentation must be submitted every two years. Previously performed audits can be taken into consideration, provided they are no older than one year at the time of submission. Detailed information is available in the "Orientation guide to documentation of compliance according to Section 8a (3) BSIG".
The "Orientation guide to documentation of compliance according to Section 8a (3) BSIG" is not a regulation within the meaning of Section 8a (4) BSIG. Deviations from the recommendations are permissible, provided that alternatives of an equal quality are used.
Deviating procedures or detailed presentations can be defined as part of a B3S and submitted to the BSI for the purpose of the suitability assessment.
The compliance documentation submitted to the BSI must list all security deficiencies identified in the underlying audit. Subsequent remediation of such deficiencies is permitted, and indeed desirable, as it increases IT security in KRITIS. The remediation should be documented in an implementation plan so that the deficiency can be assessed.
Previously remedied security deficiencies can be voluntarily reported to the BSI so that they can be recorded in the current situation overview.
The compliance documentation including the annexes and the list of security deficiencies should be submitted in German. The operator's documents and audit reports can be provided in English.
It is not possible to provide any general statements about the duration of the audit, since the systems of operators of critical infrastructure differ greatly. The audit must ensure that the affected infrastructure is protected in accordance with Section 8a (1) BSIG. The BSI cannot provide exact details on the scope of audits.
Where earlier or other audit certificates are still valid and can be reused, the time required for the audit may be shortened. In that case, both changes within the audited system and changes in the threat landscape must be taken into account.
Sections 8a and 8b BSIG contain no general implementation deadline for cases in which the thresholds are exceeded for the first time. The only implementation deadlines provided are those relating to the BSI KRITIS Regulation (wave 1 and 2) coming into force for the first time. Operators that are not subject to the regulations when wave 1 or 2 comes into force, but become subject to the regulations in future, must implement the obligations pursuant to Sections 8a and 8b BSIG without delay. However, operators are given two years to provide documentation of compliance with regard to implementation.
No, auditors can also achieve audit process competence for Section 8a of the Federal Office for Information Security Act through equivalent qualifications.
For an audit according to Section 8a(3) of the Federal Office for Information Security Act, at least one member of the audit team must have sufficiently in-depth knowledge of auditing in general and of the specifics of auditing according to Section 8a(3) of the Federal Office for Information Security Act.
Since this is a complex subject, the BSI drew up a training concept for gaining this additional audit process competence. The training offers operators of critical infrastructure an additional safeguard when it comes to selecting auditors and helps in conducting a well-targeted and appropriate audit. The BSI therefore recommends attending a training course hosted by a qualified training provider (see the BSI website).
This training is not an accreditation, recognition or certification of the auditor; it is a recommended additional qualification.
A B3S by itself does not provide a suitable basis for audits pursuant to Section 8a (3) BSIG, but it may be used to construct such an audit basis, since a B3S reflects the state of the art in the particular sector / industry. The choice of a suitable audit basis for audits pursuant to Section 8a (3) BSIG is the responsibility of the auditor.
The BSI has no formal requirements for the audit report. The BSI only receives the audit report if it is requested subsequently; initially the BSI just needs the information requested in the forms for submitting audit records.
The random samples taken as part of an audit should cover the relevant subject areas to an appropriate degree. It is the auditor's responsibility to determine an appropriate sample size, establish the correct audit techniques and document them in a suitable format in the audit report.
This means that, in principle, a B3S can be used to construct an audit basis or part thereof. However, if the B3S contains only an abstract level of detail, it may be necessary to narrow down the audit basis for providing documentation of compliance based on specific measures or adapt the audit basis to an operator's specific circumstances by either expanding or, with justification, restricting it.
Please refer to the 'Orientation guide to documentation of compliance' and the relevant FAQs for more information.