Inquiry
KRITIS facility

Security Solutions for
Critical Infrastructures

Protecting Your Critical Infrastructure

Operators of critical infrastructures play a vital role in ensuring supply security in Germany. This makes it all the more important to protect their facilities, premises, buildings, and employees from attacks and sabotage using modern security solutions.

Interflex access control solutions support cross-sector compliance with legal requirements and obligations imposed by supervisory authorities.

Objective: A high level of physical and digital security.

Industries and Sectors of
Critical Infrastructure

Critical Infrastructure companies (KRITIS) include infrastructure operators. Since 2021, this has encompassed ten sectors such as energy, food supply, waste management, transport and traffic, and water. Their mission is to ensure the secure provision of essential services in Germany.

Reliable physical protection of facilities and the safeguarding of sensitive areas within companies are therefore essential. Operators are legally required to ensure the reliable operation of their systems and to regularly report on their security concepts to supervisory bodies such as the Federal Office for Information Security (BSI).

With the implementation of the EU NIS2 directive and the KRITIS umbrella law (EU RCE), sectors and operator structures in Germany will fundamentally change starting in October 2024. In addition to existing operators of critical infrastructure (KRITIS), medium-sized and large enterprises will also be classified as critical entities.

Kritische-Infrastrukturen (KRITIS) Grafik
  • Aerial view of an industrial park

    Chemistry

  • Power pole

    Energy

  • Grocery store

    Food Industry

  • Garbage can

    Municipal waste disposal

  • Aircraft loading

    Transport & Mobility

  • Water treatment plant

    Water

  • Security Is Not Optional:
    What Matters for Critical Infrastructure Companies (KRITIS)

    Companies operating critical infrastructure are increasingly targeted by cybercriminals, falling victim to sabotage and digital espionage. It is high time to review and update existing security concepts. Due to recent legal regulations such as the IT Security Act 2.0, many facility operators are now officially classified as part of critical infrastructure.

    They are required to implement high security standards, including access control concepts. However, many affected companies still rely on outdated systems. Unpatched software and existing vulnerabilities further increase the risk, unnecessarily so.

    Protect your organization with Interflex’s holistic access control solutions, designed to help you meet today’s challenges and regulatory requirements effectively.

    Both digital and physical attacks on critical facilities, as well as unintended human error, can lead to incidents that undermine public trust in supply security.

    Key responsibilities of security officers include:

    • Prevention: Preventing unauthorized access and avoiding security incidents.
    • Compliance: Meeting legal security standards and binding regulations within the organization.
    • Protection: Ensuring safety for employees, customers, visitors, suppliers, and business processes.

    In the long term, the goal is to protect corporate assets, maintain the integrity of company premises, and ensure infrastructure resilience.

    Upgrade
    Your Work

    Do you have questions or need more information about our solutions?
    Use our contact form to get in touch. Our dedicated team will get back to you as soon as possible.

    Contact us now

    KRITIS Guidelines: High Security Requirements

    Operators of critical infrastructure are required to regularly assess the security of their systems, demonstrate compliance with security standards, and ensure that implemented measures remain up to date with the latest technological developments. The regulatory framework, with its extensive obligations and requirements, has been defined over the years through various legal provisions. The transposition of the EU directives NIS2 and RCE/CER into national legislation will significantly reshape KRITIS regulation in Germany in the coming years.

    KRITIS is regulated by the following laws:

    • KRITIS Umbrella Act (EU RCE/CER Directive)

      With the upcoming KRITIS Umbrella Act, the EU Directive on the Resilience of Critical Entities (CER Directive), adopted at the end of 2022, will be transposed into national law. For the first time, this legislation will establish binding requirements for the physical resilience and protection of critical infrastructure. As a result, operators within KRITIS sectors will likely face additional obligations.

      The government estimates that approximately 2,000 companies will be affected. The goal is to establish a legal foundation for protecting critical facilities. Physical security measures include access control, perimeter protection, surveillance, and systems for managing access rights. Since the law is still in draft form, the final details remain to be seen.

      Learn more at OpenKRITIS and the BSI:

    • NIS2 Implementation Act (EU 2022/2555)

      With the NIS2 Implementation Act, the existing BSI Act is expected to be replaced, fundamentally reshaping Germany’s regulatory framework for critical infrastructure. This law transposes the EU NIS2 Directive into national legislation. As of now, the act is still in draft form (as of spring 2023) and is expected to come into force on October 1, 2024. At its core, NIS2 defines minimum standards, requirements, obligations, and competencies for strengthening cybersecurity across a wide range of sectors.

      It is expected that, in addition to operators of critical infrastructure, a significantly larger number of companies and institutions will be required to meet and demonstrate compliance with security requirements in the future. The draft legislation outlines obligations aimed at strengthening cybersecurity, including risk management, technical safeguards, and incident reporting. Moreover, the requirements for critical infrastructure operators are likely to become more specific and more stringent.

      Learn more at OpenKRITIS:

    • BSI Act

      The Act on the Federal Office for Information Security (BSI Act) is one of the most important legal foundations for regulating critical infrastructure in Germany. In effect since 2015 and updated several times, it defines the responsibilities and obligations of both operators and supervisory authorities.

      At its core, the law determines which entities and facilities qualify as critical infrastructure and outlines the documentation and reporting requirements operators must fulfill in relation to the Federal Office for Information Security (BSI).

      The BSI Act identifies eight sectors, including essential service providers and utilities, and sets out minimum standards and security requirements. For example, detection systems for cyberattacks must meet current technological standards. The law also defines which types of disruptions must be reported.

      The BSI serves as the central supervisory authority and is granted extensive powers to conduct audits and enforce compliance.

      Learn more at Openkritis and at BSI:

    • IT Security Act 2.0 (2021)

      The Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0), in effect since May 2021, significantly expands the obligations and requirements for operators of critical infrastructure. Its core objective is to establish a new framework for improved information security in Germany.

      The law introduces enhanced cybersecurity obligations for KRITIS operators, including the mandatory implementation of attack detection systems. It also broadens the scope of critical infrastructure to include sectors such as municipal waste management, as well as companies of special public interest (UBI), such as defense manufacturers and producers of related IT products.

      The Federal Office for Information Security (BSI) is granted new powers to strengthen its role as Germany’s central cybersecurity authority. It is also designated as the national authority for cybersecurity certifications

      Learn more at the BSI:

    • KRITIS Regulations (2021 / 2023)

      The KRITIS regulations serve as a framework that enables operators of critical facilities to determine whether they fall under the definition of critical infrastructure and are therefore subject to specific legal obligations. These regulations define the applicable thresholds for facilities within each sector and specify which sectors are considered part of critical infrastructure.

      Essentially, the regulations provide the operational guidelines for implementing the legal requirements set out in the BSI Act and the IT Security Act.

      With the amendments introduced in January 2022, the thresholds for affected companies were significantly lowered. As a result, the number of organizations required to demonstrate cybersecurity measures by April 2024 has increased. Since March 2023, LNG facilities (liquefied natural gas) and submarine cable landing stations (IT infrastructure) have also been classified as critical infrastructure.

      Learn more at German Laws Online and Openkritis:

    KRITIS – What Now?
    Why Interflex Is the Right Partner

    Interflex access control is a fully integrated solution combining hardware, software, and in-house services – Made in Germany. It is designed to meet the BSI’s building security requirements and comply with strict legal regulations through a technically secure and IT-supported approach. For us, reliable physical protection is the foundation of a comprehensive security strategy.

    With our system software IF-6040 Access, implementing complex access control concepts for your company, facilities, and sensitive areas is straightforward – whether you need to manage security zones, integrate separation systems with two-factor authentication, or deploy biometric solutions. Time-consuming key management becomes a thing of the past. Thanks to centralized, semi-automated administration and real-time control, you can manage access transparently and in a data-efficient, GDPR-compliant manner. Combined with our hardware products, you gain efficiency and free up valuable time and resources needed for your responsibilities as a security organization.

    • Years of Trusted Expertise

      • Security partner for over 25 years, supporting KRITIS organizations from large SMEs to corporate groups
      • Expert consulting from solution selection to configuration, implementation, maintenance, and support

    • Flexible and Efficient Solutions

      • Operationally flexible and modularly expandable at any time
      • State-of-the-art security technologies including mobile credentials, wireless access, and biometrics
      • Available as on-premise or cloud services

    • Modern Identity and Access Management

      • Seamless implementation of complex access control concepts for security zones
      • Centralized, partially automated assignment and management of access rights – in real time
      • Transparent, auditable, and data-efficient in compliance with GDPR

    • High Security Standards

      • Software and hardware development aligned with current BSI security standards
      • Member of the “Alliance for Cybersecurity”
      • End-to-end solutions – from development to production – Made in Germany

    • Sustainable Investment Protection

      • High compatibility across product generations through coordinated hardware and software
      • Easy integration into existing environments thanks to modern interface architecture

    "Companies that focus solely on optimizing their cybersecurity measures often overlook the fact
    that attackers also attempt to gain physical access to infrastructure."    Bernhard Sommer, CEO of Interflex, in an interview with  SECURITY INSIGHT (SicherheitsPraxis 4/23)

    Why Critical Infrastructure Companies (KRITIS) Choose Interflex

    Maximum Security with Minimal Effort
    KRITIS organizations use Interflex to manage their access and authorization processes digitally, automatically, and efficiently. Whether it’s escalations, special approvals, or temporary access – clearly defined workflows ensure smooth operations and maximum security in day-to-day business.

    Legally Compliant and Audit-Ready
    All access events, movements, and changes are documented completely and in a revision-proof manner. This enables you to meet internal compliance requirements as well as legal obligations such as NIS2 and the KRITIS Regulation – ensuring you are always prepared for audits.

    Flexible, Scalable – and Tailored to KRITIS Requirements
    KRITIS companies need solutions that integrate seamlessly into existing security and IT infrastructures – without compromising availability or compliance. Interflex’s modular systems are designed precisely for these needs: scalable for growing infrastructures, flexible for individual processes, and future-proof in light of evolving regulations.

    • 0,
      0 Millionen

      Our systems manage around 5.8 million employees every day

    • > 0 Companies

      Many of the top 500 companies in Europe rely on Interflex

    • Zeiss logo
    • BASF logo
    • Raiffeisenbank Seefeld logo
    • Logo city Großenhain
    • LTB Leitungsbau logo
    • BZA Berlin Neukölln logo
    • Stadtwerke München Logo
    • DHL Logo
    • Ehrmann Logo
    • Rhenus Logistics Logo
    • E.ON Logo
    • Sparkassen Informatik Logo

    Curious to see how our security solutions perform in real-world scenarios?

    Take a look at our references and discover how companies from a wide range of industries have transformed their access and security processes in collaboration with Interflex.

    To the reference reports