

KRITIS · NIS2

Resilience testing for KRITIS and essential services

Operators of energy, water, transport, healthcare, and other essential facilities carry obligations under KRITIS and NIS2. VORNAC validates the OT/IT boundary and production systems with exploit-proven findings, audit-ready for BSI and sector regulators.


What KRITIS and NIS2 require

Germany’s KRITIS umbrella and the NIS2 Directive set concrete security and incident obligations for operators of essential services.

KRITIS security standards

Sector-specific requirements (e.g. energy, IT, transport) for protection of critical components and proof of effective security measures.

NIS2 Article 21 measures

Risk management, incident handling, supply chain security, and testing of cybersecurity defenses for essential and important entities.

Incident & reporting

Timely detection, response, and notification. Regulators expect evidence that controls work under real attack conditions.

OT / IT convergence

Increasing connectivity between operational technology and corporate IT expands the attack surface. Both must be validated.

Sampling is not resilience.

KRITIS audits fail when the “representative scope” misses exactly the segment an attacker moves through. VORNAC tests the full attack surface, every cycle.

97% attack surface coverage per cycle.

How VORNAC helps operators

  1. BSI-aligned evidence

     Findings structured for KRITIS and NIS2 supervisory dialogue. Not generic scanner output.

  2. Continuous cadence

     Validate after every infrastructure change and release. Not once per audit cycle.

  3. Made & hosted in Germany

     Data and operations stay in German jurisdiction. Required for operators of national infrastructure.

Prove KRITIS resilience before the regulator asks.