The KRITIS Umbrella Act: New Regulatory Framework for Critical Infrastructure Resilience

The KRITIS Umbrella Act (KRITIS-DachG), approved by the Bundesrat on March 6, 2026, marks a milestone in German security law. Germany is thereby implementing EU Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive). For the first time, the KRITIS-DachG establishes a cross-sectoral framework for the physical and organizational protection of critical facilities against all hazards such as natural disasters, technical failures, sabotage, or terrorist attacks. Additionally, the act lays the foundation for a new national KRITIS resilience strategy, which will replace the outdated 2009 strategy and serve as the guideline for protective measures, risk assessments, and coordination between the federal government, states (Bundesländer), and operators.

The KRITIS-DachG complements existing regulations such as the BSI Act (BSIG) on cybersecurity and NIS-2 without replacing them. While BSIG and NIS-2 primarily cover cyber threats, the KRITIS-DachG addresses physical and organizational resilience.

Who is affected?

The core addressees are operators of critical facilities responsible for delivering critical services in key sectors. Criticality is based on supply thresholds—typically starting at around 500,000 individuals served. Federally regulated sectors include energy, transport and traffic, financial and social insurance services, IT/telecommunications, space-ground infrastructure, and public administration. State-level sectors like healthcare, drinking water and wastewater management, food supply, and municipal waste disposal are subject to more flexible classification by state authorities.

Which specific facilities qualify as critical will be defined in a federal ordinance setting sector- and facility-specific thresholds, prospectively replacing the existing BSI-KRITIS Regulation. States may also designate additional facilities as critical within their competence.

What are the core obligations?

Affected companies must verify their scope, register if applicable, and implement various technical and organizational measures (TOMs):

Operators must register with the Federal Office of Civil Protection and Disaster Assistance (BBK) via a joint BBK/BSI portal, no later than three months after classification as critical and not before July 17, 2026. The registration must include the name and location of the facilities, contact details including a contact point that can be reached at any time, and information on critical components (the latter only to the BSI, Section 2 No. 23 BSIG).

A two-tier process will apply:

  • National/administrative Risk Assessment: Federal and state governments develop a national risk analysis and sector-specific assessments, made available to operators.
  • Operator Risk Analyses & Resilience Plans: Based on the national/administrative risk assessment, operators must perform their own analyses, identify vulnerabilities, and create plans with concrete organizational, technical, and structural measures (e.g., physical security/access controls, backup power/redundancy, crisis/emergency plans, supply chain analysis, staff training/exercises).

The incident reporting process builds on IT security law, extended to physical resilience. Significant disruptions, incidents, or threats must be reported to BBK without undue delay (within 24 hours at the latest). BBK provides follow-up guidance (e.g., recommendations) and builds a national situational picture that is shared with other authorities.

Companies must document and demonstrate TOM implementation (e.g., access controls, backup power, crisis plans) and effective incident reporting processes (logs, documentation). Audits by authorities are risk-based (no fixed intervals). BSIG/NIS-2 IT security audits are recognized and retrievable by authorities to avoid duplication.

Financial sector and IT/telecom operators are largely exempt from operational obligations (incident reporting, prevention, evidence)—beyond registration—due to DORA and NIS-2/BSIG as special regimes. Operators in municipal waste and social insurance are exempt from most operational rules but must conduct a § 12 KRITIS-DachG risk analysis every four years, fully documented and available upon request.

The KRITIS-DachG empowers the Federal Ministry of the Interior to issue cross-sector minimum requirements via ordinance (e.g., emergency preparedness, crisis communication, physical security). Sector-specific standards from associations can be BBK-recognized. Oversight lies with federal/state authorities, leveraging existing security regulations, in particular BSIG, to avoid double checks and to minimize burdens.

What are the consequences of non-compliance?

The KRITIS-DachG establishes a graduated fine regime for violations. Serious breaches of resilience duties or audit refusal can incur fines up to € 1 million. Like the BSIG, it imposes implementation/oversight duties and personal management liability under corporate law.

Conclusion and Outlook

The KRITIS-DachG enters into force the day after publication in the Federal Law Gazette (expected late March/early April 2026). Companies should therefore proactively prepare for the requirements, starting with an impact assessment (identification of relevant facilities, review of thresholds) and, if necessary, preparation for registration. In order to realize synergies with regard to existing compliance requirements, further implementation should be designed as an integrated compliance and documentation concept (especially in connection with technical and organizational measures based on BSIG/NIS-2).
