Service Finder
For operators of energy supply networks and energy systems: Demonstrate the use of attack detection systems
Service Description
As an operator of energy supply networks and energy systems that are considered critical infrastructure, you are obliged to use systems for attack detection. These must continuously identify and prevent threats. You must also provide suitable measures to rectify any faults that occur. Since 01.05.2023, you must provide evidence of the use of these systems to the Federal Office for Information Security (BSI) at least every 2 years.
To protect your information technology from external attacks, you must take organizational and technical measures and precautions. You can have these documented through security audits, further tests or certifications. In the next step, you send the BSI the results of the tests carried out, including any security deficiencies discovered, using a verification document.
The BSI then checks whether your precautions and measures meet the legal requirements. The BSI can request the submission of further test documents and, in the event of security deficiencies, the rectification of the deficiencies.
Energy supply networks and energy systems are essential to society. If they fail or are impaired, there is a risk of supply bottlenecks, significant disruption to public safety or other dramatic consequences. Regular verification of the use of attack detection systems is therefore required by law.
Process flow
You can submit your evidence online, by encrypted e-mail or by post. To submit the evidence, you must be registered with the BSI as an operator of energy supply networks and/or energy installations and have an operator ID/institution ID, which you received when you registered.
Submit evidence online:
- To use the online service, you need an ELSTER organization certificate and ELSTER business account.
- Go to the federal portal verwaltung.bund.de and complete the online application.
- Upload the required documents.
- The BSI's KRITIS office (Critical Infrastructure) will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
- After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next submission of evidence.
Submit evidence by e-mail:
- Download the KI* verification document from the BSI website.
- Fill out the form.
- You can either complete the form digitally or print it out first and then complete it.
- Sign the form.
- Send the form and your verification documents by encrypted e-mail to the BSI's KRITIS office. For encryption, please use the S/MIME certificate of the KRITIS office on the BSI website.
- The BSI's KRITIS office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
- After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next submission of evidence.
Submit evidence by post:
- Download the KI* verification document from the BSI website.
- You can either complete the form digitally and print it out or print it out first and then complete it.
- Sign the form and add the necessary supporting documents.
- Send your evidence by post to the BSI's KRITIS office.
- The BSI's KRITIS office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
- After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next submission of evidence.
Requirements
You are registered with the BSI as an operator of energy supply networks and/or energy systems that are considered critical infrastructure.
Which documents are required?
- Critical infrastructure verification document (for operators of energy supply networks and energy installations that are considered critical infrastructure) KI*: Details of the operator, the audited energy system or audited energy supply network and the contact person
- Verification document (inspection) P*: Details of the inspection. It must be signed by a person authorized to sign on behalf of the verifying body. It contains the following information:
  - Section (test execution) PD: Information on the execution of the test
    - Appendix PD A: Description and graphical representation of the scope of the test
  - Section (test result) PE: Information on the test result and the security deficiencies detected
    - Appendix PE.A: List of security deficiencies including implementation plan for remedying the deficiencies
  - Section (information on the inspecting body and the inspection team) PS: contains information on the inspecting body and the inspection team
What are the fees?
There are no costs for submitting the evidence to the BSI.
What deadlines do I have to pay attention to?
Period of Validity: 2 Years
You must provide evidence of the use of attack detection systems to the Federal Office for Information Security every 2 years. You can also submit your verification documents at any time before the verification deadline. The statutory 2-year rule is the minimum requirement. The calculation of the deadlines depends on the time of the previous submission. If a submission proves to be incomplete in the course of the review, so that documents have to be supplied subsequently, this does not affect the deadline for the following submission once it has been calculated. If you register new installations in addition to those already registered as a result of the annual inspection, you can combine all installations in one verification, provided you do not exceed the respective verification deadlines.
Processing duration
Processing Time: 1 - 2 Weeks
As a rule, processing takes around 10 days from receipt of the evidence to issue of the confirmation, provided that all the necessary documents have been submitted and the information is complete.
Legal basis
Applications / forms
not applicable
What else should I know?
There are no indications or special features.
Further Information
- Documents and materials for providing evidence on the website of the Federal Office for Information Security
- Guidance on the use of attack detection systems
- FAQ on the use of attack detection systems
- BSI guidelines for the introduction of intrusion detection systems
- S/MIME certificate from the KRITIS office on the BSI website
Author
Federal Office for Information Security (BSI)
The text was automatically translated based on the German content.
Technically approved by
Federal Ministry of the Interior and for Home Affairs (BMI)
Professionally released on
17.01.2024
Source: Zuständigkeitsfinder Thüringen (Linie6PLus)
Competent Authority
Bundesamt für Sicherheit in der Informationstechnik (BSI) KRITIS-Büro
Postal address
53175 Bonn, Stadt
Address
53175 Bonn, Stadt
Opening times
Monday: 08:00 to 15:30
Tuesday: 08:00 to 15:30
Wednesday: 08:00 to 15:30
Thursday: 08:00 to 15:30
Friday: 08:00 to 13:00