DENIC Once Again Proves Its Expertise As Competent Critical Infrastructure Operator

DENIC Once Again Proves Its Expertise As Competent Critical Infrastructure Operator

Successful security strategies in the digital space are vital for the modern Internet and a reliable infrastructure is crucial to ensure that the Internet with all its functionalities is available anytime. As the operator responsible for this critical infrastructure, DENIC continuously embraces the challenges posed by the BSI Act (Act for the Federal Office on Information Security) and the IT Security Act in this context. In this article, we describe how DENIC masters its leading role as an administrator of authoritative DNS servers and the Top-Level Domain Name Registry, and thus guarantees the security and stability of the Internet in Germany.

DENIC as a Critical Infrastructure Operator

Part of the infrastructure operated by DENIC has been categorised as "facilities of critical relevance regarding public utility and safety in Germany" since 2016. As the operator of such critical infrastructure, DENIC has to meet the strict requirements of the BSI Act, which were further extended by the IT Security Act 2015. Among other things, we have set up a contact point and established a process for reporting significant IT disruptions to the BSI (Federal Office for Information Security) within the small statutory time window.

Audits Are Performed At 2-Year-Intervals

To meet the high security standards, DENIC must further render proof every two years that it has state-of-the-art technical and organisational measures for disruption prevention in place. The principles of information technology are the guideline here: confidentiality, integrity, availability and authenticity.

Auditors and Audit Items

An independent auditing body, such as the TÜVIT team, performs the audit as neutral auditor to ensure that all legal requirements are implemented properly and effectively. Has DENIC correctly defined the BSI scope? Has a risk analysis been carried out and is there a process for dealing with risks that is compliant with the law? Are the certificates submitted, e.g. ISO/IEC 27001, ISO/IEC 22301, relevant and meaningful?

The audit of these documents is complemented by an on-site audit according to the dual-control principle. Since 2022, the audit has also included the system category "Top-Level Domain Name Registry", which was newly introduced with the BSI-KritisV Amendment Ordinance.

The 2024 Audit

The audits have become almost routine for DENIC by now. After successful results in 2018, 2020 and 2022, the check was due for the fourth time in January 2024. However, the BSI's requirements are constantly evolving, so there was a lot to consider in the comprehensive preparation for the latest audit, especially for the new category and the "attack detection systems" that have been mandatory since May 2023.

The 2024 Outcome

DENIC has successfully mastered the challenge. During the two-day on-site audit, the technical teams impressed the TÜVIT audit team with their competent and effective implementation of the KRITIS requirements. Thus, the result was quite pleasing: The TÜVIT team made a few suggestions for continuous improvement but did not identify any major deficiencies. DENIC is now awaiting the final audit report, which will reaffirm the successful fulfilment of the legal requirements according to Section 8a (3) BSIG.

DENIC Stands For Security

DENIC's latest success once again confirms its role as a reliable pioneer regarding the security of critical infrastructures. Its ability to adapt to dynamic security requirements and its commitment to strict standards, strengthens the confidence in a secure and stable Internet in Germany.