1. Overview
The Energy Industry Act (Energiewirtschaftsgesetz / EnWG) Section 11 (1a) and the associated IT security catalog form the legal basis for ensuring the security and reliability of the energy supply in Germany. The focus here is on the IT systems and digital infrastructures of operators of critical energy supply grids. The EnWG defines the requirements and responsibilities for the operators of such infrastructures. The IT security catalog further specifies these requirements and sets the standards for the implementation of appropriate security measures. The certification body of Würth IT GmbH, ccSec, is accredited by the German Accreditation Body (DAkkS).
2. EnWG Section 11 (1a) at a glance
Section 11 (1a) of the EnWG defines the legal requirements for IT security for operators of energy systems. The aim is to ensure the reliability, availability and security of the energy supply networks. Operators of critical infrastructures are obliged to take appropriate organizational and technical precautions to prevent IT disruptions that could endanger the energy supply.
3. IT security catalog overview
The IT security catalog, published by the Federal Network Agency (Bundesnetzagentur), specifies the requirements of Section 11 (1a) EnWG. It contains measures and standards that operators of critical energy infrastructures must implement in order to ensure a high level of IT security. The catalog covers various areas, including system integrity, access controls, data security and emergency planning.
4. Advantages of certification according to EnWG
Certification in accordance with the requirements of the EnWG not only demonstrates compliance with legal requirements, but also improves the security and resilience of the relevant systems. Certified companies and organizations benefit from increased trust among customers and business partners and minimized risk in the event of cyberattacks.
5. The certification process
The certification process begins with a preliminary review of important business data and an associated risk analysis. The certification then includes a detailed review of your ISMS by our auditors. After a successful audit and rectification of any deviations, the §11 (1a) EnWG certificate is issued. The certificate is usually valid for three years, with annual surveillance audits to maintain certification.
6. Contact us
For further information on EnWG certification or to start the certification process, please do not hesitate to contact us.
Frequently Asked Questions
The price of an initial certification with subsequent annual surveillance audits depends heavily on the size of your organization and your ISMS. The decisive cost factor is the audit days, i.e. the time spent by the auditors. Please contact us for an individual offer.
The basis for calculating the audit days, including preparation and follow-up time, is defined in a standard and is calculated by the certification body. Please contact us for an individual offer.
The Federal Network Agency places various requirements on grid operators through the EnWG. These include unbundling, independence of management, non-discrimination, security, compliance and others. For Section 11 (1a) EnWG, fulfilment of the requirements from the current IT security catalog is particularly important.
Grid operators in the constellation "operational management by third parties" must themselves be certified, even if the operational management is taken over by third parties.
Critical energy infrastructure refers to facilities, systems and parts thereof that are essential to the energy supply and whose failure or impairment would have a significant negative impact on public or economic security.
The certificate is valid for three years. After the initial certification, two surveillance audits take place, followed by a re-certification. In the case of initial certification, it should be noted that the first surveillance audit must be carried out within 12 months.
For major nonconformities, the organization must submit a root cause analysis and a proposal for correction or a correction within a period defined in the certification rules. Further information can be found in our certification rules.
The security measures used must meet minimum technical standards and be regularly reviewed and updated. Security measures may need to be adapted in line with technological developments and the changing threat landscape.
The EnWG sets different requirements for different types of energy. For Section 11 (1a) EnWG, the security measures from the IT security catalog for electricity and gas are implemented.
Appropriate security measures follow the specification from the IT security catalog, are state of the art and adapted to the threat situation.