B3S and IT Security Act for KRITIS operators in the water/wastewater sector
Operators of critical infrastructure (KRITIS) in the water/wastewater sector are subject to particularly strict legal requirements. The industry-specific security standard (B3S Water/Wastewater) plays a central role here, supplemented by the IT Security Act and the BSI Act with its BSI KRITIS Regulation. The Federal Office for Information Security (BSI) approved this set of rules in 2017 and has been continuously developing it ever since. Below, you will learn about the specific requirements and how you can best prepare your company for them.
Relevance of B3S and IT security laws for water/wastewater
- Legal obligation: According to Section 8a of the BSIG, KRITIS operators must prove that their IT security is state of the art.
- Industry focus: B3S Water/Wastewater (B3S WA) was developed specifically for operators of drinking water supply and wastewater disposal facilities. It contains practical guidelines for minimizing failures and security incidents.
- Current developments: The IT Security Act 2.0 has tightened the requirements for KRITIS operators. Regular audits and verification by the BSI are mandatory – violations are subject to heavy fines.
Key requirements for KRITIS operators
- ISMS implementation (information security management system): An ISMS in accordance with ISO 27001 or IT-Grundschutz forms the foundation of all security measures. It provides a structured framework for identifying, assessing, and continuously monitoring risks.
- Risk-based approach: B3S Water/Wastewater requires a comprehensive risk analysis: This determines the probability of occurrence and possible effects of threats. Prioritized protective measures are derived from this.
- Documentation and verification: For compliance, all steps must be documented in an audit-proof manner. This proves that your IT security measures are state-of-the-art and comply with the current B3S Water level.
- Staff training and awareness: Human error is one of the most common causes of IT security incidents. Regular training and awareness-raising for all employees—including those in specialist departments – is therefore essential.
QSEC – The GRC software for your success
With QSEC, you get a customized GRC (Governance, Risk & Compliance) solution that covers all important requirements. Whether ISMS according to ISO 27001, IT-Grundschutz, GDPR, or B3S requirements—QSEC supports you in:
- Introducing, implementing, and operating an ISMS
- Automated documentation of risks, measures, and audit processes
- Integrating all industry-specific standards and regulations
- Audit-proof documentation of your IT security measures
The result: An efficient, streamlined process that not only ensures compliance, but also conserves resources and strengthens your reputation.
Your advantages at a glance
What our customers say
In summary, we are very satisfied with the performance of QSEC and will continue to develop and use the software intensively in the future. The manufacturer of the software, Nexis GRC, is a reliable partner for us, always providing us with the best possible support thanks to its decades of experience in implementing global GRC and ISMS projects.
In the end, QSEC was convincing in the cost-benefit analysis and in terms of scalability as a single-source tool. QSEC supports the dissemination of a uniform understanding of processes. The system acts as a central platform in which all business processes are recorded.
In Nexis GRC, we have found a partner that speaks our "language" and responds openly to our requirements and ideas. The partnership with Nexis GRC has convinced me throughout the entire duration of the collaboration.
Auditing our infrastructure has become much easier and more efficient with the support of QSEC. Based on the auditors' positive assessment of the system's performance, we will continue to expand QSEC in line with our requirements.
The methods and processes already integrated in the standard QSEC have significantly supported us in the professional development and operation of our information security management system. The maturity assessment and development enable us to continuously operate, monitor and further develop our Techem ISMS with QSEC in a resource-saving manner.
ISMS, GRC, and data protection software QSEC:
QSEC – the information security management system (ISMS)
ISMS with QSEC means complete support for all processes relevant to information security management in accordance with the requirements
- of ISO 27001 and/or
- BSI IT-Grundschutz,
including the implementation of data protection requirements in accordance with GDPR.
This allows you to plan your information security management on a daily basis
- plan (Plan)
- implement (Do)
- check (Check) and
- improve (Law)
The ISMS tool QSEC guides users methodically and clearly through all task areas with workflow, wizard, and task support, and helps with the cost-saving and resource-optimized implementation of information security management through extensive content and best practices.
Selected success stories
DSW21 on the successful introduction of an Information Security Management System (ISMS) with QSEC
Cancom on the global introduction of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001 with QSEC
Techem on the challenges and experiences in information security and risk management with QSEC
Harzklinikum Dorothea Christiane Erxleben on software-supported security management in accordance with B3S Health, ISO 27001 and GDPR with QSEC
HanseMerkur on the development of a holistic management system taking into account the insurance law aspects according to VAIT
Take action now: Take the next step with QSEC!
Rely on holistic information security management that meets your requirements - QSEC is a reliable partner at your side.
Request a live demo:
Experience QSEC in action and let us show you how our ISMS software solves your challenges.
Download ISO 27001 checklist: