
Article from BaFin's 2017 annual report

Operators in the financial sector: identification and requirements

Major attacks on corporate IT systems have laid bare the vulnerability of critical infrastructure (see info box "Critical infrastructure"). As early as 2015 – even before the European Directive on Security of Network and Information Systems (NIS Directive)1 entered into force – German legislators created corresponding regulations, which they inserted into the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) by way of the German IT Security Act (IT-Sicherheitsgesetz).

In the Regulation Amending the German Regulation on the Identification of Critical Infrastructure (Änderungsverordnung zur BSI-Kritis-Verordnung)2 of 21 June 2017, legislators have specified in greater detail the criteria according to which financial sector companies qualify as operators of critical infrastructure.

Pursuant to sections 8a and 8b of the Act on the Federal Office for Information Security, operators of critical infrastructure therefore have to meet a number of requirements. They have to identify themselves as operators of critical infrastructure by notifying the Federal Office for Information Security of a point of contact within the company that has to be reachable around the clock.

Moreover, they have to demonstrate every two years that they have taken appropriate organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes.

The Regulation on the Identification of Critical Infrastructure has identified the following services in the financial sector as critical: cash supply, card-based and conventional payment transactions in the banking sector, clearance and settlement of securities and derivatives transactions as well as the contract management, benefit, claim and payment systems of insurance undertakings.

Joint supervision of operators of critical infrastructure in the financial sector

Banks, insurance undertakings, payment institutions and IT services providers qualifying as operators of critical infrastructure are subject to supervision by both the Federal Office for Information Security and BaFin. BaFin and the Federal Office for Information Security try to keep any additional workload that could result from this dual responsibility to a minimum as far as legally possible. The aim is to pool the technical expertise of the Federal Office for Information Security and BaFin's operational supervisory powers to ensure resources are used efficiently.

1 Directive (EU) 2016/1148, OJ EU L 194/1.
2 BSI stands for the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).
