KRITIS · Umbrella Act · NIS-2

B3S Sector Standards: Duty, Practice, Audit Reality

B3S sector standards under § 8a (2) BSIG: what BSI recognises, what auditors check, how robotics meets the proof duty. With costs and roadmap.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner


B3S is neither BSI IT-Grundschutz nor ISO 27001. B3S are sector-specific security standards, exclusively for KRITIS operators, recognised by the BSI, binding within each sector. Mixing up these three standards leads to audit failure. This text separates them cleanly and shows what security managers must actually prove.

B3S Sector Standards: Definition and Legal Basis

B3S are sector-specific security standards under § 8a (2) BSIG. They are recognised by the BSI under the BSI-Kritisverordnung and apply per sector: energy, water, health, finance, ITC, transport, food, municipal waste. Eight sectors, eight separate standard worlds.

BSI recognition typically runs for two years (§ 8a (2) BSIG). Re-evaluation against the current state of the art follows. What was recognised in 2023 is not automatically compliant in 2025.

A B3S does not replace the two-yearly proof duty to the BSI under § 8a (3) BSIG. It structures it. The operator can apply the B3S or document a custom security architecture. The burden of proof remains identical.

Delimitation: BSI IT-Grundschutz is generic and not KRITIS-bound. ISO 27001 is an international ISMS framework, voluntarily certifiable, not sectoral. B3S is KRITIS-specific, sector-driven and legally anchored in Germany. Submitting ISO 27001 does not satisfy a B3S.

For specifics, continue with the KRITIS requirements overview.

Which B3S Exist and Who Issues Them

Hospitals use the B3S of the Deutsche Krankenhausgesellschaft (DKG), current version 1.2. Applicable from the threshold of 30,000 full inpatient cases per year (BSI-KritisV Annex 5).

Water supply and wastewater disposal follow the B3S of DVGW and BDEW. Energy uses the BDEW Whitepaper Information Security as a de-facto standard, complemented by sectoral B3S for grid operators and producers.

Food: BVE B3S for food production from the threshold of 434,500 tonnes per year (BSI-KritisV Annex 8). Below that, the operator is not KRITIS and not B3S-obligated. The exact thresholds are listed in the sectors list and thresholds.

Important: issuers are industry associations, not the BSI. The BSI reviews the draft and either recognises or rejects it. The association writes, the BSI seals. This split explains why B3S content reflects sector practice rather than abstract theory.

Physical Security in the B3S: What Is Actually Required

Every B3S contains a physical security chapter. The core requirements are comparable across sectors.

24/7 perimeter monitoring with documented detection threshold and response time. The requirement is not "cameras present" but: detection from distance X within Y seconds, alarm to Z, intervention within T.

Zoning in four levels: public, controlled, protected, highly protected. Each zone boundary requires technical transition controls: mantrap, turnstile, biometric access control. A door with a key is not a zone boundary under the B3S.

Redundancy of monitoring: no single point of failure in camera, sensor or personnel. If one sensor fails, a second takes over. If a guard post fails, there are backup procedures with documented activation time.

Logging of all detection events with timestamp, tamper-proof for at least 90 days [depending on sector B3S, e.g. DKG B3S v1.2, physical security section]. Some sectors require 12 or 24 months. Tamper-proof means WORM storage or cryptographically signed logs, not an Excel file on the guard-book laptop.
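What "cryptographically signed logs" can look like in practice, as an added example that is not part of the original article or any vendor's code: each detection record carries an HMAC that also covers the previous record, so edits, deletions and truncation are detectable. The event fields, `DEMO_KEY` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record
DEMO_KEY = b"constructed-demo-key"  # assumption: the real key is kept off the logging host

# Constructed sample detection events (not real patrol data).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T03:47:00+00:00", "unit": "unit-A", "type": "thermal_hit"},
    {"ts": "2025-01-10T03:47:20+00:00", "unit": "unit-A", "type": "alarm_sent"},
    {"ts": "2025-01-10T03:52:05+00:00", "unit": "post-1", "type": "intervention"},
]


def record_mac(key, prev, event):
    """HMAC-SHA256 over the previous record's MAC plus the canonical event JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append(log, key, event):
    """Append an event; its MAC binds it to everything logged before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "prev": prev, "mac": record_mac(key, prev, event)})


def build(events, key):
    log = []
    for event in events:
        append(log, key, event)
    return log


def verify(log, key, head=None):
    """Return -1 if intact, else the index where the chain first breaks.

    head is the latest MAC, stored separately (for example on WORM media);
    without it, records cut off the end of the log go unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = record_mac(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    if head is not None and prev != head:
        return len(log)
    return -1
```

An HMAC proves integrity only to parties who hold the key; where the auditor must verify without being able to forge, an asymmetric signature over each MAC or over the chain head serves the same role.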

Proof of effectiveness through documented tests, not through manufacturer specifications. If a camera is specified with 200 metre range, the operator must prove that it detects a person at 150 metres in fog and at night. A datasheet is not enough in the audit.

Autonomous Robotics as a B3S-Compliant Perimeter Solution

A classic guard service fulfils the B3S requirements, at substantial personnel cost. Autonomous robotics can take over parts of it while improving the quality of evidence.

The QR-3 with LiDAR and drone detection meets the detection requirements for the highly protected zone. LiDAR provides object classification independent of lighting conditions, and the drone module detects small UAVs in a radius that fixed cameras do not cover. The reference standard for autonomous mobile systems is EN ISO 13482.

Continuous patrol logging produces tamper-proof records for the BSI audit. Every movement, every detection, every sensor value with GPS and timestamp. Auditors receive data, not the recollections of individual guards.

The QR-2 thermal sensor detects persons in zero visibility and at night without dependence on lighting. This closes a known gap in classic video surveillance: a failed floodlight is no longer a blind spot.

Clarification: robotics does not replace the guard service. It eliminates static guard posts. Intervention personnel with §34a Sachkunde remain necessary. Claiming in an audit that a robot fully replaces a guard post will not survive questioning on the intervention chain.

Commercial: the Robotics-as-a-Service model delivers the QR-3 at 3,800 euros per month. No CapEx, 48-hour delivery, 24-month contract. Software updates, maintenance and recognition-relevant firmware versions are included.

B3S and the KRITIS-Dachgesetz: What Changes in 2026

The KRITIS-Dachgesetz under Bundestag-Drucksache 20/9262 requires, for the first time, integrated proof for physical and cyber security. Previously these were two tracks with two sets of documentation. From 2026 it is one.

From 2026, B3S must explicitly document physical protection measures for facilities and perimeter. Associations are revising their standards. Operators applying the current B3S should know the issuer's revision schedule. That schedule belongs in the operator's own re-evaluation cycle.

The responsible person under the Dachgesetz is personally liable for B3S conformity. Fines for breach run up to 10 million euros or 2 percent of global annual turnover (Bundestag-Drucksache 20/9262, Art. X). Consistency with Article 21 NIS-2 is intentional: NIS-2 requires technical and organisational measures including physical security of facilities.

Transition periods range from 12 to 24 months depending on sector and operator size. Energy and water first, smaller sectors later.

The BBK takes over registration, the BSI keeps the B3S recognition. Two agencies, one proof. Operational implementation of registration is described in BBK registration step by step.

Audit Reality: What BSI Inspectors Actually Want to See

Audits are not theory exams. What fails in the audit does not fail because of missing documents. It fails because of missing evidence of lived practice.

Inspectors take samples from detection logs over the past 24 months. Not just cut-off date documents. An operator introducing a new system three weeks before the audit has no history and must evidence the predecessor system.

Proof of the response chain: detection, alarm, intervention, documentation. Four links. Each link with timestamp, each link with named responsibility. A detection without documented alarm is an audit finding.
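A self-check an operator could run before the audit, as an added example that is not from the original article: it groups log records per event and reports every missing link, missing timestamp, missing named responsibility and out-of-order timestamp in the four-link chain. The record layout (`event_id`, `link`, `ts`, `responsible`) and the sample data are assumptions.

```python
from datetime import datetime

CHAIN = ("detection", "alarm", "intervention", "documentation")

# Constructed sample records (not real incident data).
SAMPLE_RECORDS = [
    {"event_id": "E1", "link": "detection", "ts": "2025-01-10T03:47:00+00:00", "responsible": "unit-A"},
    {"event_id": "E1", "link": "alarm", "ts": "2025-01-10T03:47:20+00:00", "responsible": "ops-desk"},
    {"event_id": "E1", "link": "intervention", "ts": "2025-01-10T03:52:05+00:00", "responsible": "post-1"},
    {"event_id": "E1", "link": "documentation", "ts": "2025-01-10T04:10:00+00:00", "responsible": "post-1"},
    {"event_id": "E2", "link": "detection", "ts": "2025-01-10T04:30:00+00:00", "responsible": "unit-B"},
    {"event_id": "E3", "link": "detection", "ts": "2025-01-10T04:45:00+00:00", "responsible": "unit-B"},
    {"event_id": "E3", "link": "alarm", "ts": "2025-01-10T04:45:10+00:00", "responsible": ""},
    {"event_id": "E3", "link": "intervention", "ts": "2025-01-10T04:44:00+00:00", "responsible": "post-2"},
    {"event_id": "E3", "link": "documentation", "ts": "2025-01-10T05:00:00+00:00", "responsible": "ops-desk"},
]


def chain_findings(records):
    """Return (event_id, link, problem) tuples for every gap in the response chain."""
    by_event = {}
    for rec in records:
        by_event.setdefault(rec["event_id"], {})[rec["link"]] = rec
    findings = []
    for event_id in sorted(by_event):
        links = by_event[event_id]
        last = None  # timestamp of the previous link that had one
        for name in CHAIN:
            rec = links.get(name)
            if rec is None:
                findings.append((event_id, name, "missing"))
                continue
            if not rec.get("responsible"):
                findings.append((event_id, name, "no named responsibility"))
            if not rec.get("ts"):
                findings.append((event_id, name, "no timestamp"))
                continue
            ts = datetime.fromisoformat(rec["ts"])
            if last is not None and ts < last:
                findings.append((event_id, name, "timestamp before previous link"))
            last = ts
    return findings
```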

Training records for personnel with access to critical zones, individually traceable. Group signatures on a participant list are not enough. Auditors want, per person, the date, the topic, the trainer, the test result.

Functionality of redundancy: failure tests with documented results. At least annually. Claiming a backup system is operational requires showing when it was last activated and how long switchover took.

Supplier evidence for deployed security technology including CE conformity and standards reference. For autonomous robotics this means: declaration of conformity and standard reference EN ISO 13482. Add risk assessment under the Machinery Directive and a data protection impact assessment.

Cost Comparison: B3S-Compliant Guarding, Classic Versus Hybrid

Classic 24/7 guarding of one guard post costs between 15,000 and 25,000 euros per month under the BDSW tariff structure. The range reflects tariff region, qualification (§34a versus Sachkundeprüfung) and surcharges for night, Sunday and holiday.

Three guard posts for a mid-sized facility: 540,000 to 900,000 euros per year in pure personnel costs (BDSW tariff structure). Excluding technology, turnover and training effort.

Hybrid model with two QR-2 plus one intervention guard post: around 22,000 euros per month. Same area coverage, higher sensor density, continuous logging.

Saving of 60 to 70 percent without reduction in B3S detection performance [internal Quarero pilot data, available on request]. On the contrary, detection quality rises because sensors do not tire and logs are machine-readable.

On the balance sheet, RaaS OpEx is favourable against security CapEx with depreciation over five to eight years. There is no capitalisation and no write-down on technology change. Costs are fully tax-deductible in the year incurred.

Deeper analysis in guard service cost versus robotics.

Implementation Roadmap for Security Managers

A 15-week roadmap to a B3S-compliant perimeter structure. Pragmatic, sequential, auditable.

Weeks 1 to 2: clarify scope, identify the applicable B3S, start gap analysis. Which facilities fall under KRITIS? Which threshold? Which sector B3S? Which version?

Weeks 3 to 6: perimeter audit with suppliers, map sensor coverage against the B3S requirement. Name gaps, evaluate technical options, prepare the investment decision.

Weeks 7 to 10: pilot with robotics in the most critical zone. Check detection logs against requirements. Measure false alarm rate, exercise the response chain.

Weeks 11 to 14: prepare documentation for BSI proof, run internal training, consolidate supplier evidence. Redundancy test with protocol.

Week 15 onward: scale to further zones, establish continuous effectiveness checks. Quarterly review of detection statistics, annual failure tests.

Supplementary detail planning in the KRITIS-Dachgesetz checklist with 14-week plan.

If the scope of your B3S is not yet fully determined, start with the full KRITIS requirements overview. It states which threshold applies in which sector and which B3S is applicable.
