KRITIS Readiness

A KRITIS Readiness Assessment systematically evaluates how well your organization is prepared for the legal requirements for protecting critical infrastructures. It is particularly relevant when you have been newly identified as a KRITIS operator, are approaching a section 8a audit, when the KRITIS Umbrella Act or NIS 2 introduces new requirements for your organization, or when you need to reassess your compliance status after a merger or restructuring. ADVISORI reviews technical measures, organizational processes, and documentation against BSI requirements and sector-specific standards.

The assessment reviews your compliance against all relevant regulatory requirements: the BSI Act (section 8a BSIG) and IT Security Act 2.0, the KRITIS Umbrella Act (CER Directive), sector-specific requirements such as the Energy Industry Act, DORA, or the Telecommunications Act, sector-specific security standards (B3S), BSI IT-Grundschutz and ISO 27001/27002, and the requirements for attack detection systems (SzA). We also evaluate physical security measures, which are regulated for the first time under the KRITIS Umbrella Act.

A readiness assessment is a preparatory evaluation that determines your current maturity level and identifies gaps before a formal audit is due. The section 8a audit, by contrast, is the legally required examination by qualified auditors whose results are submitted to the BSI. The readiness assessment gives you the opportunity to address weaknesses early and prepare specifically for the audit, rather than being confronted with deficiencies during the examination.

The duration depends on the size and complexity of your organization. For a single facility or manageable infrastructure, we estimate four to six weeks. For complex organizations with multiple sites, interconnected OT systems, or multiple KRITIS sectors, the assessment may take eight to twelve weeks. We coordinate interview schedules and document requests closely with your teams to minimize disruption to your day-to-day operations.

The KRITIS Umbrella Act transposes the European CER Directive (2022/2557) into German law and significantly broadens the focus beyond IT security: Physical security such as access controls and sabotage prevention is regulated for the first time, the scope of affected sectors and operators is expanded, risk analyses must be conducted and documented more comprehensively, and resilience plans including recovery measures become mandatory. Existing KRITIS operators must supplement their security concepts accordingly.

Yes, we provide end-to-end support from assessment through demonstrated compliance. After the assessment, we assist with implementing prioritized measures, introducing or extending an ISMS in accordance with ISO 27001, developing emergency and business continuity concepts, preparing for section 8a audits and regulatory inspections, and training your staff on KRITIS-relevant topics.