Background Checks in Critical Infrastructure: What Operators Must Check Now
KRITIS operators (operators of critical infrastructures) are among the most heavily regulated companies in Germany. This guide shows which background checks are required for which roles under the BSI Act (BSIG), the IT Security Act 2.0, the KRITIS Umbrella Act (KRITIS-DachG) and the NIS2 implementation.
What is KRITIS?
Critical infrastructures (KRITIS) are organizations and facilities whose failure or impairment would have significant effects on public safety.
KRITIS sectors according to the BSI:
Energy (electricity, gas, oil, hydrogen)
Information technology and telecommunications
Transport and traffic
Health (hospitals, pharmaceutical manufacturers)
Water (water supply, wastewater)
Food
Financial and insurance services
State and administration
Municipal waste disposal
Media and culture
State and administration, and media and culture, are named in the federal KRITIS strategy but are not regulated by the BSI Critical Infrastructure Ordinance (BSI-KritisV). From the thresholds defined in the BSI-KritisV (the standard threshold is 500,000 persons supplied), a facility counts as KRITIS and its operator is subject to the special obligations below.
The legal basis
BSI Act (BSIG)
Regulates the IT security of critical infrastructures. KRITIS operators must:
Take appropriate organizational and technical measures
Report security-relevant incidents to the BSI
Provide evidence to the BSI every two years (security audits, tests or certifications) that the measures are in place
IT Security Act 2.0
Expands the BSI obligations:
Attack detection systems (Systeme zur Angriffserkennung) are mandatory for KRITIS operators since 1 May 2023
Reporting obligations have been tightened
Fines have been significantly increased
KRITIS Umbrella Act (KRITIS-DachG)
Transposes the EU CER Directive (2022/2557) on the resilience of critical entities and extends the obligations beyond IT security to physical security:
Protection against physical attacks
Personnel security (background checks!)
Crisis management
Resilience
NIS2 Directive
EU directive (2022/2555) that member states had to transpose by 17 October 2024. Germany missed that deadline and transposed it late through the NIS2 Implementation Act (NIS2UmsuCG), which replaces the BSI-KritisV thresholds for most sectors with a size-based classification into 'particularly important' and 'important' entities and adds sectors (including postal and courier services, waste management and the manufacture of certain goods).
Which positions require background checks?
Mandatory screening for:
Management of KRITIS operators
IT security officers (legally required in many sectors)
Operating staff in security-relevant areas
System administrators with privileged access rights
External service providers with access to KRITIS systems
Recommended screening for:
All employees with access to business-critical data
Maintenance staff with physical access
Project and construction managers on infrastructure projects
Data center employees
Which checks are required?
1. Security clearance check (SÜ)
Under the Security Clearance Act (SÜG) for employees with access to classified information. There are three levels:
Ü1: Basic security clearance (for CONFIDENTIAL)
Ü2: Extended security clearance (for SECRET)
Ü3: Extended security clearance with security investigations (for TOP SECRET)
SÜG checks are run by the competent authority (for companies, the industrial security programme of the Federal Ministry for Economic Affairs), with the Federal Office for the Protection of the Constitution (BfV) as the participating authority. The employer only initiates and supports the process; it cannot carry out the check itself.
2. Pre-employment screening (supplementary)
In addition to the security clearance or for less sensitive roles:
Identity verification (ID, documents)
Qualification and certificate verification
Employment history
Certificate of conduct (Führungszeugnis). Note: the enhanced certificate (erweitertes Führungszeugnis) may only be requested for the purposes listed in § 30a BZRG, so for most KRITIS roles the standard certificate is what can lawfully be asked for, and only where the role justifies it under § 26 BDSG.
Sanctions list screening (EU, UN, OFAC)
PEP screening
Adverse media screening
Reference checks
3. Ongoing monitoring
Sanctions list matching (weekly)
PEP status monitoring
Adverse media alerts
Compliance violations (ongoing reports)
Critical infrastructures in Switzerland, Austria and EU-wide
Switzerland — NCSC and ISchV
The Swiss counterpart to the BSI is the Federal Office for Cybersecurity (BACS), which succeeded the National Cyber Security Centre (NCSC) on 1 January 2024. Legal basis: the Information Security Act (ISG), its Information Security Ordinance (ISV, which replaced the Information Protection Ordinance, ISchV) and the Cyber Risk Ordinance (CyRV). The ISG also defines the personnel security screening (Personensicherheitsprüfung, PSP) for persons with access to classified information or to IT resources with high protection needs; since 1 April 2025 operators of critical infrastructure must report cyberattacks to the BACS within 24 hours. Switzerland has not formally adopted NIS2 but aligns itself with EU standards. For banks and financial institutions, FINMA requirements on operational risk and the personal fitness of key persons also apply.
Austria — NIS Act + NIS2 implementation
Austria has transposed EU NIS2 with a new Network and Information Systems Security Act (NISG), replacing the NISG 2018. The Federal Ministry of the Interior is the central NIS authority; GovCERT Austria and CERT.at act as national CSIRTs, with sector-specific authorities involved for their sectors. NIS2 significantly expands the scope of essential and important entities: postal services, manufacturers of basic pharmaceutical substances, wastewater operators and many other industries are now covered.
EU-wide — NIS2 Directive + DORA
The NIS2 Directive (2022/2555) had to be transposed across the EU by 17 October 2024; several member states, Germany included, were late. It significantly expands the group of 'essential' and 'important' entities and, in Art. 21(2)(i), requires human resources security, access control policies and asset management as part of cyber risk management. For the financial sector, the Digital Operational Resilience Act (DORA) has applied since 17 January 2025; its rules on managing ICT third-party risk (Art. 28 ff. DORA) pull critical ICT third-party service providers into the financial entity's own security requirements. Taken together, the two regimes expect: personnel security, background checks for sensitive roles, ongoing monitoring, and audit-proof documentation.
Common gaps in KRITIS practice
1. Only a single check at hiring
Many operators only check at hiring — never again. But: employees can radicalize, face criminal proceedings, or be added to sanctions lists. Ongoing monitoring is crucial.
2. External service providers overlooked
Maintenance technicians, external IT consultants, cleaning staff in data centers — often not screened. But: they often have more access than some internal employees.
3. No documentation
BSI audit asks: 'When did you check which employee against which lists?' Without audit-proof documentation, the process is worthless.
4. Underestimating the insider threat
Studies consistently attribute a large share of security-relevant incidents to current or former employees and contractors. Background checks are a first filter, not a substitute: an insider who passed screening still needs least-privilege access, separation of duties, logging of privileged activity, and a leaver process that removes access on the day the contract ends.
Consequences of violations
BSI fines
Under the BSIG as amended by the IT Security Act 2.0, fines of up to €2 million per violation, which § 30(2) OWiG multiplies up to €20 million for companies. Under NIS2 (Art. 34) the ceiling rises to €10 million or 2% of global annual turnover for essential (particularly important) entities and €7 million or 1.4% for important entities, whichever is higher.
Personal liability
Under NIS2 (Art. 20) and its German implementation, management must approve and oversee the risk-management measures and attend security training. A culpable breach of that duty makes managers liable to the company, and the duty itself applies whether or not an incident has occurred.
Reputational damage
Security incidents at KRITIS operators become public. A single incident can undo years of trust-building.
Loss of operating authorization
In serious cases, supervisory authorities can suspend certifications or authorisations and, under NIS2 (Art. 32(5)), temporarily bar the responsible managers from exercising management functions; sector regulators such as the Federal Network Agency and state authorities can act under their own laws.
Best practice: How to set up KRITIS-compliant background checks
1. Role-risk matrix
Which roles have access to critical systems?
Which external parties do as well?
What depth of screening is required per role?
2. Standardize the screening process
Consent process
Screening modules per role
Escalation path for anomalies
Documentation requirement
3. Use automation
Manual screening for 100+ security-relevant positions is not scalable. Automated tools like Indicium handle:
Pre-employment checks
Ongoing sanctions list and PEP monitoring
Adverse media alerts
Audit-proof documentation (BSI-audit capable)
4. Involve external service providers
Also include maintenance technicians, consultants and service personnel in the screening process.
5. Ongoing audit
Annual review of the process by internal audit or an external auditor.
How Indicium supports KRITIS
All pre-employment checks in one workflow
Ongoing sanctions list and PEP monitoring
Adverse media screening with a focus on Germany
Audit-proof documentation for BSI audits
GDPR-compliant, servers in the EU
Integration into existing HR systems
All compliance documents in the Trust Center
Conclusion
KRITIS operators are required in 2026 to implement personnel security professionally. Background checks are not optional, but mandatory. Manual screening for 100+ roles is not scalable. Automated tools with audit-proof documentation are the only practical way.
Book a demo and discuss KRITIS-compliant processes with us in concrete terms.
Nabil El Berr