KRITIS Certification Body: Selection and Audit 2026
Selecting a KRITIS certification body: accreditation, cost EUR 35,000 to 90,000, audit cycles and defect prevention under §8a BSIG and KRITIS-Dachgesetz.
KRITIS Certification Body: Selection, Audit and Evidence Obligation
The choice of certification body decides whether the evidence procedure succeeds. An unsuitable auditor extends the procedure by months and produces defect reports that the executive board must acknowledge in writing. This article summarises the requirements from §8a BSIG, the upcoming KRITIS-Dachgesetz (KRITIS Umbrella Act) and audit practice from 2024 and 2025. It is written for security managers and compliance officers who are subject to evidence obligations for the first time, or again, in the 2026 cycle.
KRITIS Certification Body: Legal Framework
§8a Para. 3 BSIG obliges operators to submit evidence of appropriate measures to the BSI every two years. Evidence is provided through security audits, inspections or certifications by a qualified certification body. The BSI-Kritisverordnung defines thresholds and the form of evidence.
The KRITIS-Dachgesetz extends the evidence obligation from 2026 onwards to physical resilience, not only IT. Bundestag-Drucksache 20/9262 introduces the all-hazards approach: natural hazards, technical failure, hybrid threats and sabotage are considered with equal weight.
Certification bodies must demonstrate sector-specific competence, for example for energy, water, healthcare or transport. Accreditation is not granted by the BSI itself, but through professional suitability assessment via DAkkS or sector-specific associations. The BSI maintains a list of recognised bodies, but formal registration is no guarantee of sectoral suitability.
Concrete next step: review the KRITIS requirements overview before approaching a certification body.
Accreditation Requirements for Certification Bodies
Auditors require at least three years of professional experience in information security or physical protection. Proof of ISO 27001 Lead Auditor, BSI IT-Grundschutz consultant or equivalent qualification is mandatory. For Dachgesetz auditing, qualifications in physical protection are added: Sicherheitsfachkraft, Werkschutzmeister or Sachkundeprüfung §34a combined with documented audit experience.
Certification bodies must document independence from the operator: no consulting services for that operator in the past 24 months. Whoever built the ISMS may not audit it. This separation is explicitly queried in audit reports and verified by the BSI on a sample basis.
The auditor must have command of the sector-specific security standard (branchenspezifischer Sicherheitsstandard, B3S) and reference it in audit reports. For energy, the BDEW whitepaper applies; for hospitals, the B3S of the Deutsche Krankenhausgesellschaft; for water, the DVGW standard. An auditor without sectoral B3S experience produces formal defects in the BSI procedure.
Evidence of professional indemnity insurance is a precondition for recognition by the BSI. Typical coverage amounts are EUR 5 to 10 million per incident.
Selection Criteria for Operators
Review the reference list within your own KRITIS sector. At least five comparable audits in the past three years should be documented. A water utility that commissions an auditor with exclusively energy references risks discussions about standard application and sectoral risks.
Set the fee range realistically: EUR 35,000 to 90,000 per audit cycle, depending on facility size. The BDSW publishes comparison figures for adjacent security services. Quotes below EUR 30,000 for mid-sized facilities indicate reduced audit scope, which the BSI later flags as incomplete.
On-site audit duration: typically 5 to 12 days, longer cycles for multi-site operators. Clarify whether the certification body also audits physical security and perimeter protection or only IT components. This question decides whether a second audit becomes necessary for the Dachgesetz requirements.
Define a contractual clause on the rectification period for defects. Standard is 90 days until re-inspection, with a surcharge fee of 15 to 25 percent of the base audit price.
Concrete next step: use the Dachgesetz checklist with 14-week plan as a preparation basis.
Audit Scope: IT and Physical Resilience
This is where the most common misconception lies in practice. An ISMS according to ISO 27001 or B3S covers only the organisational and IT-related layer. Entering the Dachgesetz procedure with nothing more than an ISO 27001 certificate does not satisfy the evidence requirement.
Physical measures such as perimeter protection, access control and detection systems become audit-relevant under the Dachgesetz. The BBK is responsible for identifying and registering critical facilities in the physical domain and helps define which protection classes apply to which facility types.
Autonomous patrol systems are recognised in the audit as compensating measures for 24/7 guarding if they meet defined requirements: complete patrol coverage, sensor logging, alarm forwarding to a staffed control centre. They do not replace an ISMS or organisational security. They close a specific physical gap.
Documentation obligation for every sensor incident: timestamp, classification, escalation path, response time. Auditors require logs for at least 12 months, so retention-capable storage is a precondition. Systems without forensically usable log archiving produce a defect, regardless of their technical performance.
Concrete next step: evaluate QR-3 with LiDAR and drone detection against stationary guarding.
Common Defects in Evidence Audits
Missing or outdated risk analysis, particularly without consideration of hybrid threats. A risk analysis from 2021 that does not address drones, cyber-physical attacks and state actors is considered out of date in 2026.
Gaps in 24/7 protection: stationary guarding with break windows is classified as a critical finding. If the guard post (Posten) is unmanned between 02:00 and 02:30 because the only guard is on break, the requirement is violated. Auditors verify this through shift plans and patrol (Streife) logs.
Insufficient drone detection at operators with airborne threat exposure. Energy facilities, waterworks and traffic hubs without a documented detection concept receive notes, in some cases defects.
No documented response time between detection and intervention. Target value below 4 minutes for initial response. Whoever demonstrates detection without a subsequent intervention chain has a formal gap.
Missing exercise records: emergency plans without an annual command staff exercise are categorised as a defect. One exercise per two-year cycle is the minimum; annual is standard.
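An added self-check, not from the article or any certification body, that turns the documentation obligation for sensor incidents (timestamp, classification, escalation path, response time, 12-month retention) and two of the defects listed above (initial response above 4 minutes, an unmanned guard post between shifts) into code an operator could run over its own exports before the pre-audit. The record layout, field names and sample data are assumptions.

```python
from datetime import datetime, timedelta
# Fields the article requires per sensor incident, and its two thresholds
REQUIRED = ("timestamp", "classification", "escalation_path", "response_time_s")
RETENTION = timedelta(days=365)         # auditors want at least 12 months of logs
RESPONSE_TARGET = timedelta(minutes=4)  # initial response target: below 4 minutes
SAMPLE_INCIDENTS = [  # constructed sample for a hypothetical facility, not real audit data
    {"timestamp": "2025-03-02T01:14:00", "classification": "perimeter_breach",
     "escalation_path": "control_centre->intervention", "response_time_s": 180},
    {"timestamp": "2025-09-18T23:40:00", "classification": "drone_detected",
     "escalation_path": "control_centre->intervention", "response_time_s": 330},
    {"timestamp": "2026-01-05T04:02:00", "classification": "",
     "escalation_path": "control_centre", "response_time_s": 90},
]

def check_incident_log(records, audit_date):
    """Return defect strings (missing fields, slow response, short retention);
    audit_date is an ISO 'YYYY-MM-DD' string."""
    defects = []
    for i, r in enumerate(records):
        missing = [f for f in REQUIRED if r.get(f) in ("", None)]
        if missing:
            defects.append(f"record {i}: missing {', '.join(missing)}")
        elif timedelta(seconds=r["response_time_s"]) > RESPONSE_TARGET:
            defects.append(f"record {i}: response {r['response_time_s']}s above 4 min target")
    stamps = [datetime.fromisoformat(r["timestamp"]) for r in records if r.get("timestamp")]
    if not stamps or datetime.fromisoformat(audit_date) - min(stamps) < RETENTION:
        defects.append("archive does not cover 12 months before the audit date")
    return defects

def shift_gaps(shifts):
    """Uncovered (start, end) 'HH:MM' intervals for one guard post over a day.
    A shift whose end is not after its start wraps past midnight."""
    mins = lambda t: int(t[:2]) * 60 + int(t[3:])
    hhmm = lambda m: f"{m % 1440 // 60:02d}:{m % 60:02d}"
    covered = [False] * 1440            # one flag per minute of the day
    for start, end in shifts:
        s, e = mins(start), mins(end)
        if e <= s:
            e += 1440
        for m in range(s, e):
            covered[m % 1440] = True
    gaps, m = [], 0
    while m < 1440:
        if not covered[m]:              # start of a gap: scan to its end
            g0 = m
            while m < 1440 and not covered[m]:
                m += 1
            gaps.append((hhmm(g0), hhmm(m)))
        m += 1
    return gaps
```

A gap that itself spans midnight is reported as two intervals, which is the form a shift plan for a calendar day presents it in anyway.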
Schedule and Audit Cycles
Initial audit within 6 months of KRITIS classification by the BBK. Whoever is identified as a KRITIS facility in January 2026 must provide initial evidence by July 2026.
Follow-up evidence every two years; the documentation must reach the BSI no later than 4 weeks after audit completion. Late submission triggers an administrative procedure, usually with a hearing and the setting of a deadline.
Interim inspections are required for material changes to the facility or threat situation. Examples: expansion by a new sub-facility, change of security service provider, documented sabotage attempt.
Reaction to defect findings: action plan within 30 days, evidence of implementation within 90 days. Whoever misses these deadlines loses the effect of the audit.
Fine risk for late evidence: up to EUR 20 million or 2 percent of group turnover under NIS-2. The NIS-2 Directive provides for fines of up to EUR 10 million or 2 percent of global annual turnover for essential entities; German implementation laws go beyond this in parts.
Concrete next step: review the BBK registration step by step before the audit cycle begins.
Cost Structure and TCO Classification
Audit costs range between EUR 35,000 and 90,000. Added to this are internal preparation costs averaging 80 person-days, distributed across security management, IT, plant security (Werksschutz) and the documentation team. At an average hourly rate of EUR 75, this equals a further EUR 48,000.
Defect remediation typically causes 5 to 10 times the effort of the audit itself. An audit for EUR 60,000 that identifies five critical defects can trigger EUR 300,000 to 600,000 in follow-up investment. This order of magnitude must be planned in the capex budget.
Stationary 24/7 guarding costs EUR 15,000 to 25,000 per month per guard post (Posten), often three to five posts per site. Annual cost for a mid-sized site: EUR 540,000 to 1,500,000.
A QR-3 patrol with LiDAR and drone detection comes in at EUR 3,800 per month and covers KRITIS audit requirements at the physical detection layer. It does not replace the last staffed post needed for intervention. It replaces 24/7 patrols (Streife) and reduces personnel demand while closing gaps.
A hybrid model of reduced guarding plus robotics typically lowers annual protection costs by 40 to 60 percent. Precondition: the audit capability of the robotics system is clarified and documented in advance.
Concrete next step: run the TCO comparison for guard services against the Robotics-as-a-Service model.
Audit Preparation
14-week preparation plan: update the risk analysis, consolidate the measures catalogue, finalise documentation, conduct an internal pre-audit. Whoever undercuts this period risks producing avoidable defects in the main audit.
A pre-audit by an independent third party reduces the defect rate in the main audit by an average of 60 percent. Its cost ranges from EUR 8,000 to 18,000 and is economical in nearly all cases, measured against the follow-up costs of undetected defects.
The executive board must formally commission the evidence audit and acknowledge the audit result in writing. Board liability under NIS-2 shifts personal responsibility significantly upwards. Pure delegation to the security manager no longer protects the management board.
The security manager coordinates the interface to IT, plant security (Werksschutz), HR and the external certification body. A central audit file with clear versioning prevents contradictions between department statements.
Supply chain partners with access to the critical facility are included in the audit scope. Review contracts with cleaning service providers, maintenance companies and external security service providers in advance. Clauses on access control, background checks and reporting obligations must be in place.
Next Step
The choice of certification body is a strategic decision whose consequences last the full two-year cycle. Whoever has thought through auditor, audit scope and compensating measures before the first meeting shortens the procedure by weeks and avoids six-figure follow-up costs. The operational basis is the KRITIS requirements overview. It walks through sector assignment, thresholds and the separation between IT evidence and physical inspection under the Dachgesetz.