Skip to content

Navigating KRITIS Compliance - How SecurityBridge and Turnkey Consulting Can Help You Prepare

If your business operates critical infrastructure in Germany, you may be aware of the new regulations put forth by the German Federal Office for Information Security (BSI) known as KRITIS. These regulations require companies to implement comprehensive security measures to protect against cyber threats and ensure the stability of critical infrastructure.

KRITIS Scope: Is your business provider of critical infrastructure?

KRITIS impacts various business sectors, including energy, healthcare, telecommunications, and transportation. Effective May 2023, companies that fall within the scope of the regulation must comply with strict security requirements. Non-compliance can result in significant penalties, making it crucial for businesses to take action now.  

However, simply complying with the regulation is not enough. The ultimate goal should be to become resilient against cyber threats, and that’s where SecurityBridge and Turnkey Consulting can help. 

May 2023 is coming: Are you prepared?

Already in early 2022, we published an article providing high-level advice on how to prepare for the implementation of the new KRITIS regulations. We highlighted the importance of self-assessment to determine whether your business falls under the scope of KRITIS, and how to identify which IT systems support critical infrastructure or can significantly impact operations.

As part of the regulation, it is mandatory to implement an automated system that detects cyberattacks. For all applications in scope, and per the § 8 a Absatz 1a BSIG regulation, this system must be in place by May 1, 2023. An audit must verify its effectiveness every two years.

KRITIS Compliance: How does it work?

Businesses must provide compliance proof to the German Federal Office for Information Security (BSI) to ensure compliance with KRITIS. A company typically starts with a gap analysis to identify the areas needing change. For KRITIS, this includes the scope definition, which furthers the understanding of the critical good or service and the supporting environment, including IT infrastructure and applications.

Once you’ve defined the scope, the BSI provides clear guidance on which measures you should implement. As always, the regulation text can be misinterpreted, particularly in the context of specific applications such as SAP S/4HANA. To reduce the risk of misinterpretation, specialized consulting firms can provide clear guidance.

KRITIS will conduct an audit on the evidence of compliance with the regulation’s requirements once you have implemented the required measures. The audit will include a review of policies and procedures and technical controls, like the system’s effectiveness to detect cyberattacks.

In our upcoming webinar on April 27th at 15 CEST, SecurityBridge and Turnkey Consulting will elaborate on this topic in the context of SAP application systems. We will provide valuable insights into KRITIS compliance, how to prepare for it, and discuss best practices for achieving resilience against cyber threats.

Join us for this must-attend webinar to learn how to confidently navigate KRITIS compliance. Register today and take the first step towards protecting your business and ensuring compliance with the new KRITIS regulations.

Posted by 

Christoph Nagy

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

DSAG Jahreskongress 2023

DSAG-Jahreskongress 2023

Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem.

Diese Wandlungsfähigkeit

Read More »
SAP security Patch day
SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.
SAP security Patch day
SAP Security Patch Day
On April 11th, SAP released its latest Security Patch Day following the Easter break. This day is crucial for businesses that rely on SAP software and are concerned about cybersecurity. In this article, we will take a closer look at four HotNews patches that have been released or updated. HotNews patches are the most critical patches that SAP releases.