KRITIS penetration test: requirements of the German BSI law

Penetration tests are mandatory for operators of critical infrastructures. Under paragraph “8a Security in the information technology of critical infrastructures” of the BSI law, companies are obliged to take appropriate organizational and technical measures to protect their critical infrastructure.

The law itself is, as is typical, general and abstract. Its wording does not require KRITIS companies to conduct penetration tests. However, the BSI publication of the controls to be carried out in order to comply with the German law does require penetration tests.
