The term ‘critical infrastructure’ refers to companies that are of the utmost importance for any functioning society. Outages and disturbances would have grave consequences for the country’s population and economy. Because of these companies’ responsibility towards society, they are often bound by law to set particularly high data security standards and be protected against unauthorised access (for example, public transport companies operating an Intermodal Transport Control System - ITCS or a fare management system). They have to have their IT security at the cutting edge of technology and if required constantly improve it. Not only that, they often have to agree to inform their national cybersecurity agency (e.g. the BSI in Germany, the CPNI in the United Kingdom or the CISA in the United States) about the state of their IT security and are obliged to get it regularly checked by the agency’s experts.