Regulation

Background Checks in Critical Infrastructure (KRITIS): What Operators Need to Review Now

April 17, 2026

KRITIS operators (critical infrastructure operators) are among the most heavily regulated companies in Germany. This guide shows which background checks are required or expected for which positions under the BSI Act, the IT Security Act 2.0, the KRITIS Umbrella Act and the German NIS2 implementation, and where the legal limits of such checks lie.

What is KRITIS?

Critical infrastructures (KRITIS) are organizations and facilities of major importance to the community whose failure or impairment would lead to sustained supply shortages, significant disruption of public safety, or other dramatic consequences.

KRITIS sectors according to the BSI:

  • Energy (electricity, gas, oil, hydrogen)

  • Information technology and telecommunications

  • Transport and traffic

  • Health (hospitals, pharmaceutical manufacturers)

  • Water (water supply, wastewater)

  • Food

  • Finance and insurance

  • Government and administration

  • Municipal waste disposal

  • Media and culture

Note: "Government and administration" and "Media and culture" belong to the national KRITIS definition but are not regulated by the BSI Kritis Ordinance (BSI-KritisV); the BSIG obligations below apply to the other eight sectors. An installation counts as KRITIS once it exceeds the thresholds defined in the BSI-KritisV (guiding value: supplying more than 500,000 people), and its operator is then subject to the special obligations described below.

The legal foundations

BSI Act (BSIG)

Regulates the IT security of critical infrastructures. KRITIS operators must:

  • Implement appropriate organizational and technical safeguards

  • Report security-relevant incidents to the BSI

  • Provide audit evidence to the BSI every two years (§ 8a (3) BSIG)

IT Security Act 2.0

Expands the BSI obligations:

  • Attack detection systems (Systeme zur Angriffserkennung) are mandatory, applicable since 1 May 2023

  • Reporting obligations have been tightened

  • Fines have been increased significantly

KRITIS Umbrella Act (KRITIS-DachG)

Implements the EU Critical Entities Resilience Directive (CER, 2022/2557) and extends the requirements beyond IT to physical security:

  • Protection against physical attacks

  • Personnel security (background checks!)

  • Crisis management

  • Resilience

NIS2 Directive

EU directive (2022/2555) with a transposition deadline of 17 October 2024; Germany missed that deadline and transposed it only later with the NIS-2 Implementation Act (NIS2UmsuCG), which rewrites the BSIG. It widens the KRITIS concept to additional sectors (including postal and courier services and the manufacture of certain goods) and to many mid-sized companies that were never KRITIS before.

Which positions require background checks?

Screening required or expected (by SÜG designation of the role as security-sensitive, by the sector-specific B3S standards, or by the screening control of ISO/IEC 27001, Annex A 6.1):

  • Management of KRITIS operators

  • IT security officers (legally required in many sectors)

  • Operations staff in security-relevant areas

  • System administrators with privileged access rights

  • External service providers with access to KRITIS systems

Recommended screening for:

  • All employees with access to business-critical data

  • Maintenance staff with physical access

  • Project and construction managers on infrastructure projects

  • Data center employees

Which checks are required?

1. Security clearance (SÜ)

Under the Security Clearance Act (SÜG) for persons who carry out a security-sensitive activity: access to classified information, or a post in a facility vital to life or defense (preventive personnel sabotage protection, § 1 (2) no. 4 SÜG), which is the route most relevant to KRITIS operators. There are three levels:

  • Ü1: Basic security clearance (for CONFIDENTIAL and for sabotage protection)

  • Ü2: Extended security clearance (for SECRET)

  • Ü3: Extended security clearance with security investigations (for TOP SECRET)

An SÜ is carried out by the competent authority (for private companies in the business sector, the Federal Ministry for Economic Affairs) with the Federal Office for the Protection of the Constitution (BfV) as the participating authority, not by the employer. The employer's security officer only initiates it, and only for posts that have been formally designated as security-sensitive: an employer cannot order an SÜ at its own discretion for an arbitrary role, which is why the supplementary screening below exists.

2. Pre-employment screening (supplementary)

In addition to security clearance or for less sensitive roles:

  • Identity verification (ID, documents)

  • Verification of qualifications and certificates

  • Employment history

  • Certificate of good conduct (Führungszeugnis); note that the extended certificate is available only for the purposes listed in § 30a BZRG (such as work with minors), so most KRITIS roles can only require the simple one

  • Sanctions list screening (EU, UN, OFAC)

  • PEP screening

  • Adverse media screening

  • Reference checks

3. Ongoing monitoring

  • Sanctions list matching (weekly)

  • PEP status monitoring

  • Adverse media alerts

  • Compliance violations (ongoing reports)

Critical infrastructure in Switzerland, Austria, and across the EU

Switzerland — NCSC and ISchV

The Swiss equivalent to the BSI is the Federal Office for Cybersecurity (BACS), into which the National Cyber Security Centre (NCSC) was transferred on 1 January 2024. Legal basis: Information Security Act (ISG), Cyber Risk Ordinance (CyRV), and Information Protection Ordinance (ISchV); the ISG also governs the federal personnel security screening (Personensicherheitsprüfung). Switzerland has not formally implemented NIS2, but its rules are aligned with EU standards. For banks and financial institutions, FINMA requirements on operational security and personal suitability also apply.

Austria — NIS Act + NIS2 implementation

Austria transposes EU NIS2 with the NIS-G (Network and Information Systems Security Act). Responsible bodies: GovCERT Austria and the respective sector authority for each industry (e.g., E-Control for energy). NIS2 significantly expands the scope of essential and important entities: it now also covers postal services, production of pharmaceutical raw materials, wastewater operators, and many other sectors.

EU-wide — NIS2 Directive + DORA

The NIS2 Directive (2022/2555) had to be transposed by the member states by 17 October 2024. It significantly expands the number of "essential" and "important" entities and lists human resources security, access control and asset management among the minimum measures (Art. 21 (2) (i)). For the financial sector, the Digital Operational Resilience Act (DORA) applies since 17 January 2025; Art. 28 DORA governs the management of ICT third-party risk, including due diligence on critical ICT service providers. In practice both regimes require personnel security for sensitive roles, ongoing monitoring, and audit-proof documentation; neither prescribes a specific check, so the operator must derive the checks from its own risk analysis.

Common gaps in KRITIS practice

1. Only a one-time check at hiring

Many operators only screen at the time of hiring — and never again. But employees can become radicalized, face criminal proceedings, or be added to sanctions lists. Ongoing monitoring is crucial.

2. External service providers overlooked

Maintenance technicians, external IT consultants, cleaning staff in data centers — often not screened. But they often have more access than some internal employees.

3. No documentation

The BSI audit asks: “When did you check which employee against which lists?” Without audit-proof documentation, the process is worthless.

4. Underestimating the insider threat

Industry surveys consistently attribute a substantial share of security-relevant incidents to current or former employees and contractors. Background checks are the first line of defense; least-privilege access and monitoring remain necessary because a clean check at hiring says nothing about later behavior.
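Gaps 1 and 3 above come down to two mechanics: rescreening the same roster every time the list changes, and recording each check so that an auditor can answer "when was which employee checked against which list version?" The following Python script is an added, constructed example (not code from the original article and not Indicium's product) that shows both: names are normalized so that "Müller, Hans" and "hans muller" compare equal, two list snapshots simulate a weekly update, and every result is appended to a hash-chained record so that a later edit of any entry is detectable. The roster, list entries and dates are invented.

```python
"""Constructed example: periodic sanctions-list rescreening with a hash-chained audit trail."""
import hashlib
import json
import re
import unicodedata
from datetime import datetime, timezone

# Constructed roster and list snapshots; none of the names are real persons or real list entries.
EMPLOYEES = [
    {"id": "E-001", "name": "Hans Müller", "role": "sysadmin-privileged"},
    {"id": "E-002", "name": "Aylin Demir", "role": "it-security-officer"},
    {"id": "E-003", "name": "Jonas Weber", "role": "maintenance-contractor"},
]
LIST_V1 = {"list_id": "constructed-consolidated", "version": "2026-04-10",
           "entries": ["MULLER, HANS", "IVANOV, PETR"]}
# The second snapshot adds an entry, simulating the weekly list update.
LIST_V2 = {"list_id": "constructed-consolidated", "version": "2026-04-17",
           "entries": ["MULLER, HANS", "IVANOV, PETR", "WEBER, JONAS"]}


def normalize_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, and sort the tokens so that
    'Müller, Hans' and 'hans muller' yield the same key."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9]+", " ", no_marks.casefold()).split()
    return " ".join(sorted(tokens))


def screen(employees, sanctions_list, checked_at):
    """Check every employee against one list snapshot; every employee gets a record,
    hit or not, because the audit question is 'who was checked', not 'who matched'."""
    index = {normalize_name(entry): entry for entry in sanctions_list["entries"]}
    return [{
        "employee_id": emp["id"],
        "role": emp["role"],
        "list_id": sanctions_list["list_id"],
        "list_version": sanctions_list["version"],
        "checked_at": checked_at,
        "hit": index.get(normalize_name(emp["name"])),
    } for emp in employees]


def new_hits(previous, current):
    """Employees that match now but did not in the previous run: the ongoing-monitoring signal."""
    before = {r["employee_id"] for r in previous if r["hit"]}
    return [r["employee_id"] for r in current if r["hit"] and r["employee_id"] not in before]


def append_records(chain, records):
    """Append records to a hash chain: each entry commits to its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    for rec in records:
        body = json.dumps(rec, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"prev": prev, "record": rec, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Recompute every hash; any edited, removed or reordered record breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    run1 = screen(EMPLOYEES, LIST_V1, now)
    run2 = screen(EMPLOYEES, LIST_V2, now)
    print("new hits after list update:", new_hits(run1, run2))
    audit = append_records(append_records([], run1), run2)
    print("audit records:", len(audit), "chain intact:", verify_chain(audit))
```

The chain protects against quiet edits, not against deleting the whole file; in production the last hash is copied somewhere the screening system cannot write (a ticket, a signed e-mail to internal audit), and a real screening service replaces the exact-match index with fuzzy matching and date-of-birth disambiguation, which this example deliberately omits.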

Consequences of a violation

BSI fines

Under the IT Security Act 2.0 the BSIG provides for fines of up to €2 million, which § 30 (2) OWiG raises tenfold to €20 million for legal persons. NIS2 sets the frame for the new BSIG: up to €10 million or 2% of worldwide annual turnover for essential entities and up to €7 million or 1.4% for important entities, whichever is higher. (The frequently quoted "€20 million or 4%" is the GDPR ceiling, not a BSIG fine.)

Personal liability

Under NIS2 the management body must approve and oversee the risk-management measures and can be held liable for breaches of that duty; liability for inadequate implementation can therefore attach before any damage has occurred.

Reputational damage

Security incidents at KRITIS operators become public. A single incident can undo years of trust-building.

Loss of operating license

In severe cases: operating bans imposed by supervisory authorities (BSI, Federal Network Agency, state authorities).

Best practice: How to set up KRITIS-compliant background checks

1. Role-risk matrix

  • Which roles have access to critical systems?

  • Which external parties also have access?

  • What level of screening is required for each role?

2. Standardize the review process

  • Consent process

  • Review modules by role

  • Escalation path for irregularities

  • Documentation requirement

3. Use automation

Manual screening for 100+ security-relevant positions does not scale. Automated tools like Indicium handle:

  • Pre-employment checks

  • Ongoing sanctions list and PEP monitoring

  • Adverse media alerts

  • Audit-proof documentation (BSI-audit-ready)

4. Involve external service providers

Include maintenance technicians, consultants, and service staff in the screening process as well.

5. Ongoing audit

Annual review of the process by internal audit or an external auditor.

How Indicium supports KRITIS

  • All pre-employment checks in one workflow

  • Ongoing sanctions list and PEP monitoring

  • Adverse media screening with a focus on Germany

  • Audit-proof documentation for BSI audits

  • GDPR-compliant, servers in the EU

  • Integration into existing HR systems

  • All compliance documents in the Trust Center

Conclusion

With the German NIS2 implementation and the KRITIS Umbrella Act, KRITIS operators must treat personnel security as a formal process in 2026. Where a role is designated security-sensitive, the SÜG check is mandatory; for every other sensitive role, the operator has to justify, perform and document its own screening. Manual screening for 100+ roles does not scale; automated tools with audit-proof documentation are the practical way to do it.

Book a demo and discuss KRITIS-compliant processes with us in detail.

Nabil El Berr



Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes
Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.