On May 03, 2016, the Ordinance to identify critical infrastructures under the Act on the Federal Office for Information Security (BSI-KritisVO) entered into force. The BSI-KritisVO defines the concept of "critical infrastructures" under the Act on the Federal Office for Information Security. Due to changes in the Act on the Federal Office for Information Security by the IT Security Act, critical infrastructure operators are obligated to comply with a minimum IT security standard and must report significant security incidents to the Federal Office for Information Security.

The BSI-KritisVO to identify critical infrastructures under the Act on the Federal Office for Information Security contains criteria for critical infrastructures in the energy, IT and telecommunications, water and food sectors. Until the beginning of 2017, appropriate specifications for the sectors of transportation and traffic, health, and finance and insurance are to follow.

Critical infrastructure operators now have two years to take appropriate organizational and technical measures to protect systems, components, and processes relevant for the critical infrastructures operated. Indirectly, the BSI-KritisVO is also relevant for IT providers, however, as critical infrastructure operators will contractually obligate IT providers in the future to respect the appropriate minimum standards, in order to meet their legal obligations under the Act on the Federal Office for Information Security.