General questions about Section 8a BSIG

-
Wording of Section 8a BSIG. Text formatted bold represents the amendments to the BSIG as a result of the German legislation to implement the EU Network and Information Security Directive (NIS Directive):
(1) Operators of critical infrastructures shall be obliged, within two years from commencement of the ordinance and in accordance with Section 10 (1) at the latest, to take appropriate organisational and technical provisions in order to avoid errors regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are decisive for the functionality of the critical infrastructures operated by them. In so doing, the state of the art shall be observed. Organisational and technical precautions are considered appropriate if the time and expense required are not disproportionate as regards the consequences of a failure or an impairment of the critical infrastructure concerned.
(2) Operators of critical infrastructures and their industry associations may suggest industry-specific security standards for compliance with the requirements according to subsection 1. Upon request, the federal office determines whether these are suitable for complying with the requirements according to section 1. The determination shall be performed
- after consultation with the Federal Office of Civil Protection and Disaster Assistance,
- in consultation with the competent federal regulatory authority or after consultation with the otherwise competent regulatory authority.
(3) The operators of critical infrastructures must appropriately demonstrate compliance with the requirements according to section 1 at least every two years. This may be completed by means of security audits, reviews or certifications. The operators shall provide the Federal Office with the results of the audits or certifications performed, including the security deficiencies identified. The Federal Office may request that the documentation reviewed be presented. In the event of security deficiencies, the Federal Office, in consultation with the competent federal regulatory authority or after consultation with the otherwise competent regulatory authority, may request that the security deficiencies be remedied.
(4) The Federal Office may check if the operator of critical infrastructures complies with the requirements under subsection 1; when performing this check, it may use a qualified independent third party. The operator of critical infrastructures shall grant the Federal Office and the persons acting on its behalf access to the business and operating premises during the usual business hours for the purpose of this verification and, upon request, present the possibly relevant records, papers and other documents in a suitable way, provide information and grant the required support. Regarding the verification, the Federal Office shall only charge fees and expenses for the respective operator of critical infrastructures if the Federal Office has become active by reason of indications which substantiated justified doubts as to the compliance with the requirements under subsection 1.
(5) Regarding the design of the security audit, audit and certification procedures according to section 3, the federal office may define requirements regarding the way these are implemented, regarding the records to be maintained in this regard, as well as the technical and organisational requirements regarding the auditing body, after consultation with the representatives of the operators concerned and the trade associations concerned.
-
Operators of critical infrastructures must meet the requirements of Section 8a (1) of the BSI Act (security precautions) and Section 8a (3) of the BSI Act (documentation of compliance).
Operators of critical infrastructures within the meaning of the BSI Act are specified in the legal ordinance pursuant to Section 10 of the BSI Act (BSI KRITIS Regulation). This sets out qualitative criteria (which system categories are critical infrastructures?) and quantitative criteria (above which thresholds are systems classed as a critical infrastructure within the meaning of the law?) for determining critical infrastructures.
The BSI KRITIS Regulation was adopted in two parts, each of which defined some of the KRITIS sectors in more detail. The first part came into force on 3 May 2016 and regulates the energy, water, food, IT and telecommunications sectors. The second part entered into force on 30 June 2017. It defines the critical infrastructures in the sectors of transport and traffic, health as well as finance and insurance.
Operators are exempt from the provisions of Section 8a of the BSI Act pursuant to Section 8d (1) and (2) of the BSI Act (in bold are the amendments to the BSI Act Implementing Regulation on the NIS Directive):
(1) Sections 8a and 8b shall not be applied to microenterprises as defined by the Recommendation 2003/361/EC of the Commission of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124 of 20/5/2003, p. 36). Article 3 (4) of the Annex to the Recommendation shall not be applied.
(2) Section 8a shall not be applied to
- operators of critical infrastructures, where they operate a public telecommunications network or provide publicly accessible telecommunications services,
- operators of energy supply networks or energy systems as defined by the German Energy Act of 7 July 2005 (Federal Law Gazette I p. 1970, 3621) last amended by Article 3 of the Act of 17 July 2015 (Federal Law Gazette I p. 1324), in the respectively valid version, where they are subject to the regulations of Section 11 of the Energy Act,
- the Gesellschaft für Telematik under Article 291a (7) second sentence of Volume V of the Social Insurance Code (Fünftes Buch Sozialgesetzbuch) and Article 291b of Volume V of the Social Insurance Code, operators of services of the telematics infrastructure with respect to the services permitted under Article 291b (1a) and (1e) of Volume V of the Social Insurance Code and operators of services, where they use the telematics infrastructure for applications confirmed under Article 291b (1b) of Volume V of the Social Insurance Code,
- permission holders under Section 7 (1) of the Atomic Energy Act in the version of announcement of 15 July 1985 (Federal Law Gazette I p. 1565) last amended by Article 2 of the Act of 17 July 2015 (Federal Law Gazette I p. 1324), in the respectively valid version for the scope of application of permission and
- other operators of critical infrastructures, where they, based on legal regulations, have to meet requirements which are comparable with the requirements under Section 8a or more stringent.
-
Verification that appropriate precautionary organisational and technical measures on the basis of state-of-the-art technology have been implemented in accordance with Section 8a (1) BSIG must be provided to the BSI no later than two years after the relevant wave of the BSI KRITIS Regulation has come into force. For the first wave, including the energy, water, food and IT and telecommunications sectors, the latest date for implementation and documentation of compliance is 3 May 2018. For the second wave, including the finance, insurance, health and transport sectors, it is 30 June 2019. Documentation of compliance pursuant to Section 8a (3) of the BSIG must be provided every two years thereafter.
-
In principle, appropriate measures should be taken to mitigate risks. However, the issue of proportionality should be taken into consideration here -- the cost of the measures required should be proportional to the consequences of a failure of the infrastructure. This means that although risks can be accepted or transferred, such a decision must not be based purely on operational economic considerations but must also factor in providing the population with the critical service.
-
The requirements pursuant to Section 8a BSIG are primarily intended to protect the normal operation of a critical infrastructure, i.e. in normal conditions. Reacting to extraordinary events must also be taken into consideration (e.g. continuation of operation in the event of a power failure). Pursuant to Section 8a BSIG, crisis conditions must be explicitly addressed if other legal provisions stipulate that the affected critical infrastructures must continue to function in crisis conditions.
-
In accordance with Section 8a (4) of the BSI Act, the BSI can check if KRITIS operators meet the requirements of Section 8a (1) of the BSI Act. In the following, these reviews shall be referred to as in-depth reviews.
An in-depth review is an independent review process that is separate from the obligation to provide evidence in accordance with Section 8a (3) of the BSIG: in the event of an in-depth review, the BSI contacts the KRITIS operator in question and checks whether it is adhering to the requirements pursuant to Section 8a (1) of the BSIG. An in-depth review does not relate to evidence that has already been provided and the KRITIS operator does not need to commission any other auditors. In-depth reviews can be performed on specific grounds and randomly. Triggers could be, for example, spot checks or inconsistencies in documents submitted in accordance with Section 8a (3) of the BSIG that the BSI would like to clarify with the operator.
An in-depth review can involve auditing activities that are performed on the operator’s premises. Pursuant to Section 8a (4) of the BSI Act, a critical infrastructure operator must allow the BSI to enter its business and operating premises during normal operating hours for the purpose of the review.
In the first step of the review, the BSI requests the KRITIS operator under inspection to provide a series of documents. The specific documents required are listed in the letter sent.
The BSI is able to charge a fee for the in-depth review. A fee is always charged if there are substantiated doubts concerning the implementation of Section 8a (1) of the BSIG (see Section 8a (4) of the BSIG). If there is a fee, the KRITIS operator will be informed of this.
Additional information:
Explanations and notes regarding random reviews in accordance with Section 8a (4) of the BSIG
-
Section 8d of the BSI Act (area of application) governs topics including exceptions from the application of Sections 8a and 8b of the BSI Act for KRITIS operators that operate a public telecommunications network or provide publicly accessible telecommunications services, and for operators of energy supply grids or energy systems within the meaning of the German Energy Industry Act.
The legal exceptions do not apply to all of an operator’s systems; they only apply to systems that are regulated by other pieces of legislation.
The exceptions therefore relate exclusively to systems or parts of the critical infrastructure that fall within the scope of the Telecommunications Act, the Energy Industry Act or other statutory provisions listed in Section 8d of the BSI Act.