Germany's IT Security Act and BSI standards mandating robust cryptographic controls for KRITIS operators, with BSI TR-03145 governing CA operations and certificate management.
Germany's IT Security Act (IT-Sicherheitsgesetz 2.0), enacted in 2021, and the BSI standards establish comprehensive cybersecurity requirements for operators of critical infrastructure (KRITIS). The BSI (Bundesamt für Sicherheit in der Informationstechnik) serves as Germany's federal cybersecurity authority, issuing binding Technical Guidelines and overseeing KRITIS compliance.
Key BSI Technical Guidelines directly relevant to PKI include TR-03145 for CA operations and TR-03116 for approved cryptographic algorithms. KRITIS operators in energy, water, food, IT/telecom, health, finance, and transport must implement state-of-the-art security measures including PKI-based controls for authentication, integrity, and confidentiality.
Since May 2023, all KRITIS operators must also deploy mandatory attack detection systems. Germany is currently transposing the EU NIS2 Directive through the NIS2UmsuCG, which will further expand the scope of regulated entities and strengthen security obligations.
Critical infrastructure operators must implement appropriate organizational and technical measures to ensure the availability, integrity, authenticity, and confidentiality of their IT systems.
BSI Technical Guideline TR-03145 defines requirements for secure CA operations in Germany, covering key generation, certificate issuance, revocation procedures, and audit logging.
BSI Technical Guideline TR-03116 specifies approved cryptographic algorithms, key lengths, and protocols for use in German federal IT systems and critical infrastructure.
KRITIS operators must deploy systems for attack detection (Systeme zur Angriffserkennung) capable of continuously monitoring network traffic and identifying threats in real time.
KRITIS operators must report significant IT security incidents to BSI without undue delay, including detailed technical information and impact assessments for coordinated response.
Industry associations can develop sector-specific security standards (branchenspezifische Sicherheitsstandards) approved by BSI as a reference for demonstrating compliance with §8a BSIG.
Germany's first IT Security Act establishes cybersecurity obligations for critical infrastructure operators and strengthens BSI's regulatory role.
Critical infrastructure operators must implement state-of-the-art security measures and report significant incidents to BSI.
Major update expands scope to include waste management and arms industry, introduces mandatory attack detection systems, and increases BSI enforcement powers.
All KRITIS operators must have implemented attack detection systems (SzA) by May 1, 2023, as required by IT-SiG 2.0.
Germany transposes NIS2 Directive through the NIS2 Implementation Act, further expanding obligations for critical and important entities.
BSI standards and the IT Security Act have direct and extensive implications for PKI operations and certificate management in Germany. Here are the critical areas:
BSI TR-03145 directly governs Certificate Authority operations in Germany, defining requirements for key generation, certificate lifecycle, revocation management, and audit logging.
BSI TR-03116 specifies approved cryptographic algorithms and key lengths that directly affect certificate standards, requiring regular updates to PKI configurations as recommendations evolve.
Certificate-based authentication is essential for KRITIS attack detection systems, ensuring the integrity and authenticity of security monitoring data across critical infrastructure networks.
Critical infrastructure operators must implement robust key management practices, including secure key storage, rotation policies, and certificate lifecycle management aligned with BSI guidelines.
BSI TR-03145 aligned CA with Stream — Stream aligns with BSI TR-03145 CA operational requirements, providing compliant key generation, certificate issuance, and revocation management with full audit trails.
BSI-approved algorithm enforcement with Horizon — Horizon enforces BSI TR-03116 approved algorithms and certificate standards, automatically flagging non-compliant certificates across your infrastructure.
Automated KRITIS compliance — Automated certificate management ensures KRITIS operators maintain continuous compliance with security obligations, reducing manual overhead and response times.
Attack detection integration — Seamless integration with BSI-certified attack detection systems, providing certificate-based authentication for security monitoring infrastructure.
