The KRITIS regulation requires regular tests and audits for continuous validation of IT security measures. We conduct systematic reviews that not only meet regulatory requirements but also provide valuable insights for continuous improvement of your security architecture.
Our clients trust our expertise in digital transformation, compliance, and risk management
The Section 8a compliance proof must be submitted to the BSI every two years. The audit covers document review, interviews, on-site inspection and technical assessment. Begin preparation at least six months before your submission deadline.
We develop customized test and audit programs with you that systematically validate all aspects of your IT security and enable continuous improvements.
Development of risk-based test and audit plans
Execution of systematic technical and organizational tests
Comprehensive documentation and regulation-compliant reporting
Development and prioritization of improvement measures
Continuous adaptation of test strategies to new threats
"Regular tests and audits are the backbone of a living KRITIS compliance. They not only create regulatory security but also enable continuous evolution of security architecture in a changing threat landscape."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
We conduct comprehensive technical tests ranging from automated vulnerability scans to manual penetration tests that validate all layers of your IT infrastructure.
We systematically review the organizational aspects of your KRITIS compliance, from governance structures to operational processes and emergency plans.
The threat landscape for critical infrastructure evolves constantly — AI-powered attacks, ransomware, and geopolitical cyber risks demand agile process adaptation. We integrate threat intelligence into your KRITIS security processes.
Security awareness is legally required for KRITIS operators. Our tailored training programs and awareness campaigns sensitize your employees to cyber threats and strengthen security culture in critical infrastructure.
The Section 8a compliance audit is conducted in two stages. In Stage 1, the audit scope is defined, documentation is reviewed and the audit plan is prepared. In Stage 2, the actual audit procedures take place: document review, interviews with responsible personnel, on-site inspection of systems and technical assessment. At the end, the compliance documents are prepared: BSI Form P (audit evidence), Form KI (description of the critical infrastructure), the audit report and, where applicable, a deficiency list. The BSI provides guidance documents (GAiN, RUN) that describe the exact procedure.
The audit basis is either a sector-specific security standard (B3S) recognised by the BSI, or established standards such as ISO 27001 or BSI IT-Grundschutz. Auditors must hold the special audit procedure competence for Section 8a BSIG. Since the NIS 2 transposition into the BSIG, the ten measure areas under Section 30 BSIG additionally serve as audit subjects, including risk analysis, incident management, business continuity, supply chain security and cryptography.
KRITIS operators must demonstrate to the BSI every two years that their IT security measures meet the state of the art. The deadline runs from the date of the last submission. Since the NIS 2 transposition in 2026, transitional provisions apply: operators may submit the next proof under the previous BSI requirements or already apply the NIS 2-compliant requirements. The subsequent proof must then follow the updated procedure.
Penetration tests are a central component of the technical on-site assessment in the Section 8a procedure. The BSI recommends annual penetration tests for KRITIS operators, even though formal proof is only required every two years. Tests should follow recognised methodologies such as OWASP, the BSI penetration testing guide or PTES, and should cover IT/OT segmentation, firewall configurations, privileged accounts and, where applicable, physical access security. The pentest report serves as key evidence in the Section 8a audit.
With the transposition of the NIS 2 Directive into the BSIG, extended requirements apply. KRITIS operators are classified as particularly important entities and must demonstrate compliance with the ten measure areas under Section 30 BSIG. New requirements include supply chain security, use of cryptography and attack detection systems (SzA). The compliance procedure is being gradually adapted to NIS 2 requirements, with transitional periods in effect.
After completing the audit, the following documents must be submitted to the BSI: the audit evidence document (Form P), the critical infrastructure description (Form KI), the audit plan, the audit report with findings from the document review and on-site assessment, and where applicable a deficiency list with remediation deadlines. The BSI provides the forms and guidance documents (GAiN, RUN) that specify the exact scope and requirements for the compliance documents.
ADVISORI supports KRITIS operators throughout the entire audit cycle: in the preparation phase, we conduct a gap analysis to identify deviations from BSI requirements early. We assist with preparing the required documentation, conduct internal pre-audits and prepare responsible personnel for the interviews. Additionally, we provide regular penetration tests and vulnerability assessments between audit cycles to ensure security measures are continuously validated.