Strengthening cybersecurity and resilience of critical infrastructures
Advancing digitalisation opens up huge economic and social potential but also brings new risks. Companies and organisations are responsible for their own protection; in the case of critical infrastructures, protection is also the responsibility of the state (National Economic Supply Act).
The Federal Office for National Economic Supply (FONES) has developed preventive measures and general and sector-specific ICT minimum standards to strengthen the resilience of critical ICT infrastructures.
A ICT minimum standard underlines the state’s responsibility to protect citizens, the economy, institutions and public administration.
As an experienced consulting firm, we support operators of critical infrastructures and other affected organisations in introducing, implementing and sustainably embedding these applicable minimum standards. We analyse the current situation, identify areas for action and provide practical support during implementation – for effective protection of your ICT systems and compliance with regulatory requirements.
The following are the existing industry-specific ICT minimum standards:
Binding
The relevant ICT minimum standard has been binding for the electricity sector since 1 July 2024 and for gas suppliers since 1 July 2025.
Electricity
| Binding | since 1 July 2024 |
| PDF download only german (from ncsc.admin) | ICT minimum standard for electricity |
| Target group | Operators and managers in the electricity sector, such as electricity producers, network operators and other critical utility companies. |
| Content | Minimum requirements for IT security, preventive measures, emergency plans, risk analyses and strategies for securing critical systems. |
| Application | Integration into existing security concepts, regular reviews, practical emergency drills and ongoing staff training. |
Gas
| Binding | since 1 July 2025 |
| PDF download only german (from ncsc.admin) | ICT minimum standard for gas supply |
| Target group | Gas supply providers who operate critical gas infrastructure. |
| Content | Minimum requirements for IT security, preventive cyber measures, risk analyses and comprehensive emergency management. |
| Application | Integration into existing security strategies, regular audits and continuous training to increase resilience against cyberattacks. |
Voluntary
Für diese Branchen ist der IKT-Minimalstandard freiwillig:
Water supply
| PDF download only german (from ncsc.admin) | ICT minimum standard for water supply |
| Target group | Water supply companies, waterworks and their operators. |
| Content | Minimum requirements for IT security, preventive cyber measures, risk analyses and emergency management to ensure the integrity and availability of the water supply. |
| Application | Integration into existing security concepts, regular reviews and training to continuously optimise the systems. |
| Useful in | Betrieben, die eine stabile und sichere Businesses that need to ensure a stable and secure water supply and where failures would have serious consequences. |
Wastewater industry
| PDF download only german (from ncsc.admin) | ICT minimum standard for wastewater |
| Target group | Operators of wastewater treatment plants, sewage treatment plants and other wastewater disposal facilities. |
| Content | IT security requirements, risk analyses, preventive measures and emergency and crisis management to prevent business interruptions and cyberattacks. |
| Application | Integration into ongoing operations, regular testing and audits, and targeted staff training. |
| Useful in | Facilities where continuous and uninterrupted wastewater treatment is essential for public health and the environment. |
Food supply
| PDF download only german (from ncsc.admin) | ICT minimum standard for food supply |
| Target group | Food production, distribution, wholesale and retail companies, as well as logistics service providers. |
| Content | IT security measures to protect data integrity and availability, risk management and protection against cyberattacks to ensure the smooth running of food supply chains. |
| Application | Integration into operational processes, regular security audits and training to identify and manage risks at an early stage. |
| Useful in | Businesses that need to ensure a stable supply chain for essential foodstuffs and where failures could have far-reaching consequences. |
Public transport
| PDF download only german (from ncsc.admin) | ICT minimum standards for public transport |
| Target group | Transport companies, operators of rail networks, bus companies and other public transport services. |
| Content | Minimum requirements for IT security, emergency and crisis management, preventive measures and risk analyses to protect critical transport infrastructure. |
| Application | Implementation in existing security concepts, regular reviews and practical exercises, and ongoing staff training. |
| Useful in | Businesses that are responsible for the mobility of the population and whose failures would lead to major disruptions in public transport. |
Waste disposal
| PDF download only german (from ncsc.admin) | ICT minimum standard for waste disposal |
| Target group | Companies and businesses in the waste management sector and waste disposal service providers. |
| Content | IT security requirements, risk analyses, preventive cyber measures and emergency management to ensure smooth operations in waste disposal. |
| Application | Integration into existing processes, regular audits and tests, and targeted training for employees to identify weaknesses at an early stage. |
| Useful in | Facilities where continuous waste disposal services are of central importance to public infrastructure. |
District heating and cooling
| PDF download only german (from ncsc.admin) | ICT minimum standard for district heating and cooling systems |
| Target group | Operators of district heating and cooling networks and utility companies that provide heating and cooling services. |
| Content | Minimum requirements for IT security, preventive measures, emergency plans and risk analyses to avoid supply disruptions. |
| Application | Integration into existing operating procedures, regular security checks, system updates and crisis management training. |
| Useful in | Businesses where a reliable heating and cooling supply is essential to ensure the comfort and safety of the population. |
Digital cultural property
| PDF download only german (from ncsc.admin) | ICT minimum standard for digital cultural property |
| Target group | Cultural institutions such as museums, archives, libraries and other institutions that manage and archive digital cultural assets. |
| Content | IT security measures for the protection of digital content, risk analyses, preventive measures and emergency plans to ensure the long-term preservation of digital cultural data. |
| Application | Integration into existing digitisation strategies, regular security audits and staff training to optimise protection against cyberattacks. |
| Useful in | Facilities that digitally archive cultural heritage and thus make an important contribution to preserving cultural history. |