6 February 2025

BSI: Critical Infrastructures Particularly at Risk in 2024


According to the BSI (Federal Office for Information Security), cybersecurity incidents targeting critical infrastructures, known as KRITIS, have significantly increased in 2024. Not all of these incidents are due to external attacks.

TL;DR

  • 769 KRITIS incidents in 2024: A 43 percent increase from 537 reports in the previous year.
  • Reporting obligation: Operators of critical infrastructures must report every incident to the BSI.
  • Not all cyberattacks: Not every incident is the work of external attackers – technical failures and human errors also play a role.
  • Affected sectors: Healthcare, energy, water, communication, transportation, and emergency services.
  • NIS2 increases pressure: The EU directive will tighten requirements for KRITIS operators starting in 2025.

Critical infrastructures include those for healthcare, energy and water supply, information and communication, transportation and logistics, as well as emergency services and national security. These are increasingly targeted by cybercriminals and are also threatened by the negligence of employees.

The Federal Office for Information Security (BSI) reported receiving 769 notifications of KRITIS cybersecurity incidents in 2024. This information comes from a response by the German government to a query from the FDP parliamentary group in the Bundestag, as reported by heise online.

A 43 Percent Increase

This marks a significant 43 percent increase from the 537 incidents reported in 2023, while the increases in 2022 and 2021 were relatively modest at 13 and 12 percent, respectively. Cybercriminals have particularly exploited the COVID-19 crisis to intensify their attacks on businesses and government institutions. Operators of facilities and installations classified as critical infrastructures are obligated to report any incident to the BSI.

As the German government emphasized in its response to the FDP query, not every incident is necessarily the result of a cyberattack, and not every operator has been able to determine whether it was a cyberattack or if the security incident might be due to other causes. It is also unknown how many of the incidents were the work of state actors or human error.

Which Sectors Are Most Affected?

Although the German government has not published a detailed breakdown by sector, past experience and BSI situation reports from previous years show clear trends. The healthcare sector is particularly vulnerable – hospitals and clinics often work with outdated IT infrastructure and are under high time pressure, increasing their susceptibility to ransomware. The energy sector is exposed due to the increasing digitalization of grid control and smart grids. Water and wastewater utilities, which are often municipally operated, rarely have dedicated security teams.

NIS2 Tightens Requirements

With the EU directive NIS2, which will take effect in Germany through the NIS-2 Implementation Act starting in 2025, KRITIS operators will face significantly stricter obligations. These include expanded reporting requirements (24 hours for initial warnings), mandatory risk management, supply chain security, and personal liability for management. The number of affected companies will rise from the current approximately 4,500 to an estimated 30,000.

What Companies Should Do Now

KRITIS operators should review and adapt their incident response plans to meet NIS2 requirements. Key steps include establishing a Security Operations Center (SOC) or hiring a Managed Security Service Provider, conducting regular penetration tests, segmenting critical networks, and training all employees. The BSI offers the IT-Grundschutz-Kompendium as a structured guide.

Key Facts at a Glance

KRITIS incidents in 2024: 769 reports to the BSI

Increase from the previous year: +43 percent (2023: 537 incidents)

Increase in 2022: +13 percent, 2021: +12 percent

KRITIS sectors: Healthcare, energy, water, IT/telecommunications, transportation, emergency services, national security

NIS2: Expanded reporting requirements, risk management, management liability starting in 2025

Affected companies: From ~4,500 to ~30,000 (due to NIS2)

Source: BSI reports 2024, German government response to FDP query

Fact: The BSI recorded a total of 726 reports of IT security incidents in KRITIS operations in 2024 – an 18 percent increase from the previous year.

Fact: According to Dragos, 70 percent more attacks on industrial control systems (ICS) were recorded worldwide in 2024 compared to the previous year.

Frequently Asked Questions

What are critical infrastructures (KRITIS)?

KRITIS includes facilities and installations whose failure would have significant impacts on the public good. These sectors include healthcare, energy, water, IT and telecommunications, transportation, food, finance, and public administration. In Germany, the BSI Act regulates the reporting obligations.

Why have KRITIS incidents increased so significantly in 2024?

The 43 percent increase has several causes: The growing digitalization of KRITIS infrastructures expands the attack surface, ransomware groups specifically target facilities with high payment pressure, and awareness of reporting obligations has increased – more incidents are being identified and reported.

Are all KRITIS incidents cyberattacks?

No. The German government emphasizes that not every reported incident is the result of a cyberattack. Technical failures, misconfigurations, and human errors can also lead to reportable incidents. The cause of all incidents could not be definitively determined.

What changes does NIS2 bring for KRITIS operators?

NIS2 expands the circle of affected companies to an estimated 30,000 and tightens obligations: 24-hour initial reporting, mandatory risk management, supply chain security checks, and personal liability for management in case of violations. Fines can amount to up to 10 million Euros or 2 percent of annual turnover.

To whom do KRITIS operators report security incidents?

The central reporting authority is the Federal Office for Information Security (BSI). Operators are obligated to report significant disruptions immediately. The BSI evaluates the reports, coordinates responses if necessary, and publishes aggregated situation reports.

Further Reading in the Network

NIS2 in Germany – Action Required for Companies: NIS2: Act Now (Security Today)

Cloud Security for Critical Infrastructures: cloudmagazin.com

KRITIS Strategies at the C-Level: digital-chiefs.de


Tobias Massow


A magazine by Evernine Media GmbH