The key points in brief:
- The KRITIS Regulation defines which companies are considered operators of critical infrastructures and which legal requirements arise as a result.
- Operators must clearly document their IT structures, assess risks and conduct regular security audits.
- Complete transparency about systems, processes and dependencies is pivotal to reliably meeting the requirements of the regulation.

What is the Kritis Regulation?
The KRITIS Regulation (also: BSI KRITIS Ordinance) puts the BSI Act (BSIG) into concrete terms and determines which companies are classified as operators of critical infrastructures. This includes sectors such as:
- Energy
- Health
- Information technology and telecommunications
- Water
- Food
- Transport and traffic
- Finance and insurance
The regulation defines thresholds as to when a facility is considered a KRITIS operator — and is therefore subject to special legal obligations.
Legal basis:
- Section 8a BSIG obliges critical infrastructure operators to take “appropriate organizational and technical measures” to protect their systems against IT disruptions.
- In addition, the regulation requires regular evidence and checks.
This creates clear expectations: IT infrastructures must be documented, tested, monitored and continuously improved.
Why the Kritis Regulation is necessary
The Kritis Regulation is becoming increasingly important as cyber threats increase. Companies that provide critical services are under particular pressure to make their IT infrastructures reliable, secure and transparent. Digitalization means that many essential services depend heavily on IT systems. A single failure can not only cause economic damage, but also jeopardize security of supply, public order and health.
The KRITIS regulation therefore has three central objectives:
- Protecting the public — Ensure availability of critical systems.
- Increase security levels — Identify IT risks and minimize them in a structured manner.
- Create transparency — Operators are required to clearly document their infrastructures.
Point 3 in particular is often a major challenge in IT practice. Many companies have long-established networks in which dependencies can barely be traced in full anymore. Yet this is where it is decided how efficiently and securely IT processes actually run.
Requirements for KRITIS operators
The BSI KRITIS Ordinance requires, among other things:
- Creating and maintaining complete IT documentation
- Implementing an ISMS (information security management system)
- Regular security audits and effective evidence in accordance with Section 8a BSIG
- Clear documentation of network architecture, systems, assets, interfaces and permissions
- Comprehensible processes in the event of faults, emergencies and changes
These requirements can only be met if companies have a holistic understanding of their technical infrastructure. This is exactly where the use of professional inventory and documentation software plays a decisive role.
Implementation challenges for IT
In many IT departments, the picture is similar: systems have been expanded over the years, new solutions have been integrated, old systems have never been completely replaced. The result is a heterogeneous environment that is difficult to understand.
Typical difficulties:
- Manual documentation is prone to errors and quickly becomes obsolete.
- The overview of devices, servers, applications or networks is lost.
- Access rights are only partially recorded.
- Auditors need comprehensible charts and up-to-date data.
- Responsibilities and dependencies are not clearly defined.
This creates a real risk for KRITIS operators: Without complete transparency, legal requirements can hardly be met.
How companies can effectively implement the KRITIS Regulation
1. Automate IT inventory
The basis of all KRITIS-compliant IT documentation is a complete recording of all systems.
2. Set up structured documentation
Clean documentation is mandatory for KRITIS operators.
3. Make authorizations transparent
Documentation of roles, groups and approvals is essential, especially for sensitive systems.
4. Prepare regular audits
Companies need meaningful reports, charts and export files in order to be able to carry out Section 8a documentation in a structured manner.
5. Identify dependencies
Complex infrastructures can only be controlled when dependencies become visible. Docusnap clearly presents these relationships — an essential advantage when analyzing faults.
The role of Docusnap in the KRITIS context
Docusnap fills a central gap that many organizations experience in their day-to-day operations: it combines inventory, documentation, authorization analysis and reporting in a continuous process. Especially in the context of the KRITIS Regulation, where transparency, traceability and timeliness are required by law, Docusnap enables a structured approach that can be implemented efficiently. By automatically recording IT systems, visualizing complex dependencies and providing auditable reports, the solution significantly reduces the workload for internal teams. It also provides a reliable basis for audits, risk assessments and continuous improvements.
Benefits at a glance:
- Automated data collection avoids errors due to manual maintenance.
- Up-to-date documentation meets audit and compliance requirements.
- Transparency across all systems supports the operation of safety-relevant systems.
- Rapidly available reports speed up tests and certifications.
- Agentless analysis reduces implementation costs.
All of this means that IT departments are relieved — and at the same time reliably meet legal requirements.
A practical example from everyday IT life
Imagine a regional energy provider operating several substations and intelligent metering systems. The technology was modernized over the years, but the documentation was only partially maintained. During a fault in the network, a sensor reports unclear values. The IT team must react within a short period of time, as the power supply to thousands of households depends on it.
It now becomes clear that no one knows exactly which VLANs the sensor uses to communicate, which system is responsible for data aggregation and which authorization chains lie behind it. The manually maintained plans are two years old. An external auditor had already complained about incomplete network diagrams.
If the company had used an automated solution such as Docusnap, it would have had:
- network plans updated daily,
- dependencies between systems clearly visible,
- authorization structures documented,
- reports available at the click of a button.
In an emergency, this saves valuable time — and at the same time meets the reporting requirements of the KRITIS regulation.
Conclusion: The KRITIS Regulation as an opportunity for more IT security
The BSI KRITIS Ordinance sets high demands, but it also lays the basis for a modern, stable and secure IT landscape. It is crucial that companies understand, document and continuously monitor their infrastructures. Companies that rely on professional tools at an early stage not only meet legal requirements, but also increase the efficiency and security of their entire IT environment.
With a solution such as Docusnap, this process becomes significantly easier: inventory, documentation, authorization analysis and reporting work seamlessly together and provide the transparency that KRITIS operators need.
The next steps
If you want to reliably meet the requirements of the Kritis Regulation and optimally align your organization with current security standards, now is the right time to take action. With Docusnap, you create the necessary transparency about your IT structures, make it easier to verify legal requirements and strengthen the basis for well-founded decisions in everyday IT life.
