Identified as an operator of a critical installation? We will guide you safely through the audit.
From scope-of-application analysis to scope definition, gap analysis, roadmap and implementation through to the supported §39 verification audit — AI-powered, in German and audit-ready. As a fully managed service if you prefer.
Eight steps. One result.
Structured from scope-of-application all the way to passing the external audit.
KRITIS in practice
Insights from regulated industries — current legal situation, audit experience and a concrete approach.
KRITIS today rests on two pillars — and both apply to you at the same time.
The former KRITIS landscape was fundamentally reorganised in 2025/2026. Cybersecurity and physical resilience are now regulated by two separate laws. Anyone operating a critical installation generally falls under both.
Cybersecurity & verification
The NIS2 implementation act reformed the BSIG and has been in force since 6 December 2025 — with no transition period. It governs risk management, reporting obligations and the §39 verification procedure.
- Operators of critical installations automatically qualify as a "particularly important entity" (§28 BSIG).
- Evidence of measures must be submitted to the BSI every three years (§39 BSIG).
- Reporting corridor of 24 h / 72 h / final report in the event of security incidents.
- Registration with the BSI via the new portal (§33/§34 BSIG).
Physical resilience
The KRITIS Umbrella Act transposes the EU CER Directive and addresses physical security using an all-hazards approach — adopted by the Bundestag on 29 January 2026, entering into force in 2026.
- Registration of installations with the BBK via the joint BBK/BSI platform.
- Risk analyses, resilience measures and crisis management (§13).
- 24/7 contact point and reporting chains in the event of disruptions.
- Mapping to ISO 27001 and ISO 22301 creates synergies for implementation.
Are you really an operator of a critical installation?
The most important question first — and it has become more complex in 2026. What matters is no longer just the individual installation, but the interplay of BSI-KritisV, NIS2 implementation and the KRITIS Umbrella Act. We assess your scope of application robustly and on a sound legal basis.
Threshold assessment
Does your installation reach the standard threshold of 500,000 persons supplied? We assess quantitative and qualitative criteria such as market share, reach and interdependencies for each sector.
Dual classification
Anyone operating a critical installation is automatically a particularly important entity under §28 BSIG — that means duplicate obligations, no choice. We make visible what applies to you.
Interface with NIS2 analysis
KRITIS scope is determined in parallel with NIS2 scope and cleanly interlocked — one consistent data base instead of two parallel assessments.
→ Go to NIS2 consulting
Which sectors fall under KRITIS
Critical services supplying the general public — across all regulated sectors. Operators of critical installations in these areas are subject to obligations under BSIG and the KRITIS Umbrella Act.
Energy
Electricity, gas, fuels & mineral oil, district heating
Water
Drinking water supply & wastewater disposal
Food
Food supply & logistics
IT & telecommunications
Networks, data centres, digital services
Health
Hospitals, pharmaceuticals, laboratories
Finance & insurance
Payments, exchanges, insurers
Transport & traffic
Air, rail, road, maritime, logistics
Municipal waste
Disposal & waste management
Supplemented by space, public administration and further sectors under NIS2 — the specific mapping is clarified in the scope-of-application analysis.
From scope of application to a passed audit — in eight steps.
One continuous, audit-ready path. Each step can be booked individually or as a fully managed end-to-end process — AI-powered with VamiGRC and supported by experienced lead auditors.
KRITIS scope-of-application analysis
We determine on a sound legal basis whether and with which installations you qualify as an operator of critical installations — in parallel with the NIS2 scope assessment and cleanly interlocked. The result is a robust classification including the resulting obligations under BSIG and the KRITIS Umbrella Act.
Interface: NIS2 scope of application
Defining the scope
Precise delineation of the critical installation within the company — including associated processes, IT and OT. We define the scope and network structure diagram so that attack detection is fully visible and unmonitored areas are clearly marked — exactly as required by the §39 verification procedure (GAiN 2.2).
KRITIS gap analysis
Structured target/actual comparison against the applicable audit basis — sector-specific B3S, cross-sector requirements and KRITIS specifics. We take ISO 27001 and ISO 22301 into account in order to reuse existing structures and avoid duplicate work.
Roadmap & detailed action plan
The gaps are turned into a prioritised, timed implementation plan with clear responsibilities, effort estimates and milestones — aligned with the next verification audit and the deadlines under the BSIG and Umbrella Act.
Implementation support (optional: vCISO / vISB)
We operationally support the implementation — on request with an external vCISO or virtual information security officer (vISB) who fully covers the information security officer function from a regulatory perspective (BSIG, NIS2, ISO 27001). Steering, reporting to executive management and audit preparation from a single source.
ISMS platform (optional: VamiGRC)
On request we implement and operate your ISMS platform — either your existing solution or our own AI-powered platform VamiGRC. Risks, controls, policies, measures and evidence on a single, audit-ready data base.
Get to know VamiGRC
Formal internal audit
Prior to the external audit we conduct a formal internal audit according to recognised standards — including a deficiency list, classification (major / minor) and a concrete remediation plan. This way you enter the verification audit without surprises.
Support during the external verification audit
We coordinate the independent auditing body, prepare all evidence documents and annexes (scope, deficiency list, audit basis) and accompany you through the entire §39 procedure to a successful verification before the BSI.
The audit is not a project for the end — it is the benchmark from day one.
Operators of critical installations must provide evidence of their measures to the BSI every three years. The auditing body and audit team must be external as well as legally and economically independent; a B3S alone is not sufficient. From 1 January 2027 additional requirements apply to the recognition of certificates in the audit. We factor in the audit from the very first step — so that requirements do not turn into a bottleneck.
KRITIS never stands alone — we connect it with your compliance landscape.
KRITIS, NIS2 and your management system share risks, controls and evidence. Instead of siloed projects we create a consistent, reusable foundation.
NIS2 consulting
Operators of critical installations are automatically a particularly important entity. We bring KRITIS and NIS2 obligations together consistently — one scope, one integrated approach.
Go to NIS2 consulting →
VamiGRC
Our AI-powered ISMS and GRC platform: risks, controls, policies, measures and evidence on one audit-ready data base — continuous monitoring included.
Discover VamiGRC →
GRC as a Service
You do not want to build a team? We take over the entire KRITIS and GRC operations as an external stack — vCISO, platform and audit support, audit-ready from day one.
GRC as a Service →
"GRC as a Service" — your KRITIS audit, fully managed.
From scope of application through ongoing ISMS maintenance to the three-yearly verification audit: we take over the complete cycle as an external GRC stack — with a dedicated vCISO/vISB, the VamiGRC platform and coordination of the auditing body. No need to build your own department, no vendor lock-in.
Everything your KRITIS programme needs
Frequently asked questions on KRITIS consulting
How do I know whether I am an operator of a critical installation?
What is the difference between KRITIS, NIS2 and the KRITIS Umbrella Act?
How often must evidence under §39 BSIG be provided?
Do we still need an internal information security officer?
Do we have to use the VamiGRC platform?
Can we outsource the entire KRITIS compliance?
Trust from regulated industries
What customers say about working with VamiSec.
"VamiSec carried out an NIS2 gap analysis with us for a KRITIS client. What particularly stood out was the competence of the entire team and their in-depth knowledge. We recommend VamiSec without reservation, 100%."
"I have been working with Mr Milke for several years. He has developed strategic concepts, performed technical audits and held workshops as a trainer. His calm and confident manner makes him a true trusted advisor."
Clarify your KRITIS scope — in a free initial consultation.
No sales pitch — an honest assessment of your situation and the sensible next steps.
