
Libelle IT Glossary Part 11: CRITIS - What is considered critical infrastructure?

Since May 2021, CRITIS and the associated IT Security Act 2.0 (IT-SiG) have been on everyone's lips again. IT-SiG 2.0 extends the law to include an important part of the economy: the waste and disposal sector. The CRITIS regulation brings with it a number of legal obligations for the companies concerned.

But what exactly does CRITIS mean and which companies does it affect? In the following blog post, we clarify these questions and provide an insight into how software solutions, such as Libelle BusinessShadow®, can support affected companies in the CRITIS challenge.

What does CRITIS mean?

CRITIS is the abbreviation for "critical infrastructures". Here, the focus is on facilities and organizations whose failure has a lasting impact on the state community. Such impacts may include supply shortages, public safety disruptions, or other significant disruptions. (Source)

The BSI Act provides the following definition:

"Organizations are Critical Infrastructure Operators as defined in Section 10(1) of the BSIG if they belong to one of the seven sectors from Sections 2 to 8 of the BSI Criticality Ordinance (all of the above except Media and Culture and Government and Administration), provide critical services as defined in Section 1(3) of the BSI Criticality Ordinance, and exceed the thresholds defined in the BSI Criticality Ordinance." (Source)

Who falls under CRITIS?

In 2009, the "National Strategy for Critical Infrastructure Protection (CRITIS Strategy)" identified sectors for which such critical infrastructures exist according to the law. In Germany, approximately 1,700 companies are currently covered by the CRITIS Ordinance. These can all be found within the economic sectors shown in the diagram. (Source)

What are the obligations of CRITIS companies?

With regard to the BSI Act (BSIG), the IT Security Act requires affected companies to comply with the following:

  • Designation of an official point of contact for the critical infrastructure operated
  • Reporting of IT disruptions or other significant impairments
  • Implementation of "state of the art" IT security
  • Provision of evidence to the BSI every two years that the above measures are being complied with (Source)

Cybercrime as a serious case

Companies operating in the relevant sectors in particular appear to be a lucrative target for cyber attacks, because an attack on them has a high potential for damage to society.
An example of this would be the 2020 hacker attack on a German hospital. Especially in the medical sector, such a criminal act can be life-threatening. The clinic, which is important for emergency care, was down for 13 days as a result. Medical staff could not properly access X-ray images and computer tomograms. Data even had to be transferred by pen and paper and USB flash drive. It was not until a month after the attack that the university hospital was able to care for as many patients as before.
This makes securing IT all the more important. The challenge lies in the high complexity of the IT systems and the longest possible life cycle of the operators' information infrastructure. The BSI Criticality Ordinance and the associated obligations are intended to help companies prepare for emergencies.

With our Libelle BusinessShadow® solution, you can ensure automated disaster recovery and the best possible high availability. Mirror databases, SAP® landscapes and other application systems on a time-delayed basis and thus protect your company from the consequences of hardware and application failures, sabotage or other errors.

Would you like to learn more about IT terms? In connection with the term CRITIS, high availability and business continuity play an important role. But what exactly do these terms mean? Learn more on our Libelle IT blog and follow us on LinkedIn for regular updates.
