
Germany’s legal way to strengthen the resilience of critical facilities

The German KRITIS umbrella act (KRITIS Dachgesetz)

29 Oct 2025

The protection of critical infrastructures has become a central task within each state's security architecture. The KRITIS umbrella act will in future provide the legal framework in Germany that companies and operators must observe.

Reading time: 15 minutes

With the draft of the KRITIS Umbrella Act (KRITIS-Dachgesetz, KRITIS-DachG), adopted by the German Federal Cabinet on 10 September 2025, the German government is implementing the European requirements of the CER Directive (EU 2022/2557) and, for the first time, establishing a uniform approach across all sectors. The aim is to strengthen the resilience of critical facilities – that is, their ability to withstand disruptions, attacks or natural disasters without permanently restricting their essential services. In this article the author aims to summarize the consequences of the act for operators of critical infrastructure in Germany. It serves as a contextual reference for international readers interested in the German regulatory environment.

Sectors such as energy supply, water, food, health, transport, telecommunications and administration – in fact, almost all areas of daily life – depend on highly complex and interconnected systems. The increasing number of natural events, acts of sabotage and hybrid threats – most recently, targeted attacks on energy facilities and IT systems – has highlighted the necessity for a coherent legal framework in Germany.

While the NIS2 Directive (EU 2022/2555) addresses cybersecurity, the KRITIS Umbrella Act focuses on physical and organisational resilience. It thus complements the existing IT security framework by adding a dimension that in Germany has so far only been regulated in a sectoral and inconsistent manner.

After years of discussions between the Federal Government, the federal states and industry associations, the draft legislation now marks the transition from a conceptual framework to binding obligations for operators of critical facilities. The German government emphasises that “modern resilience management” should become as standard as fire protection or data protection – a paradigm shift that concerns particularly energy, transport, water and communications companies.

The following article highlights the key contents of the draft act and outlines the requirements operators can now expect.

Legal Basis and Objectives

The KRITIS Umbrella Act (KRITIS-DachG) for the first time establishes an overarching legal basis for the identification and protection of critical infrastructure in Germany. Whereas previous regulations mainly covered IT security, this act sets a framework for physical, organisational and procedural resilience measures across all relevant sectors.

Main objectives of the Act:

The draft follows the principle that essential infrastructure must be secured not only against cyberattacks but also against natural disasters, accidents, sabotage or terrorist acts. The goals are clear: prevent incidents, limit consequences and ensure restoration of operational capability.

Operators of critical facilities are required to create, implement and regularly update resilience plans. These measures cover technical, organisational and personnel aspects – from structural protection and access controls to surveillance systems, emergency planning and staff training.

The Act defines a close link between government and internal company risk analyses. Federal and state ministries must prepare national risk analyses, updated every four years. Operators of critical facilities in turn conduct their own risk analyses, tailored to their specific circumstances and taking account of government requirements.

The Act introduces uniform, cross-sector minimum standards for resilience measures. These can be supplemented by sector-specific standards, developed with industry associations and expert bodies. This keeps the framework flexible while recognising the sector-specific requirements.

The KRITIS-DachG is closely aligned with the NIS2 Directive and European requirements. The aim is a harmonised approach, aligning IT security and physical resilience obligations, making EU compliance easier and avoiding conflicting requirements.

Operators must register their facilities with the Federal Office of Civil Protection and Disaster Assistance (BBK). This enables authorities to conduct risk-based checks, require audits and monitor compliance with resilience obligations.

The draft law underscores the responsibility of company management to actively support and monitor resilience measures. Breaches can result in corporate and legal consequences.

These provisions set a clear framework: the KRITIS Umbrella Act provides both operators and authorities with a structured basis for systematically and transparently ensuring the physical security of critical infrastructure.

Affected Sectors (§4) and Threat Situation

The Act targets operators of infrastructure deemed essential for supply security and the functioning of society. This includes not only classic sectors such as energy, transport and IT, but also health, finance, water, food, waste management and space services. Sectors are selected based on economic significance, interconnection and potential vulnerability.

Which facilities in Germany fall under the Act is determined by quantitative and qualitative criteria (§5). For example, a facility is considered critical if it is essential for Germany’s overall supply and serves more than 500,000 people. The extent of mutual dependencies between critical infrastructures is also considered: for example, all other sectors depend on the energy sector, while water and transport routes are essential for others.

The threat situation for critical infrastructure is complex and multi-layered. It includes:

  • Natural risks – e.g. floods, storms, droughts or earthquakes. Climate change is increasing the frequency and intensity of such events.
  • Technological risks – including system failures, accidents, fires, sabotage or malfunctions in automated processes.
  • External threats – terrorist attacks, cyberattacks, wars or targeted sabotage. The current geopolitical situation, particularly the war in Ukraine, increases risks for German infrastructure.

These risks often do not occur in isolation and can have cascading effects. A failure in the energy sector, for example, can severely disrupt telecommunications, transport or supply chains. The interconnection of sectors makes cross-sector risk analysis essential.

Registration Requirement (§8)

All operators of critical facilities are obliged to register their facilities with the Federal Office of Civil Protection and Disaster Assistance no later than three months after their facility is classified as critical, but by 17 July 2026 at the latest, using the registration option under § 33 BSIG. As part of this registration, operators must provide, among other things, names, contact persons, facility details, sector and a contact point. Within two weeks of registration, the responsible supervisory authority is assigned.

After registration, the following obligations and deadlines apply under the Act:

  • Risk analysis (within 9 months)
  • Resilience measures (within 10 months)
  • Incident reporting system (within 10 months)
  • Management (within 10 months)

National Risk Analyses and Assessments (§11)

Federal and state ministries are required to conduct national risk analyses and assessments, at least every four years and by 17 January 2026 at the latest. These form the basis for operators’ resilience measures and cover:

  • Natural and man-made risks threatening supply security (e.g. extreme weather, pandemics, industrial accidents).
  • Cross-sector and cross-border risks extending beyond Germany.
  • Hybrid threats, such as terrorist activities, espionage, hostile interventions and other security-relevant actions by foreign states.

The Ministry of the Interior determines methodological requirements to ensure the analyses are standardised and comparable.

Operators’ Analyses and Assessments (§12)

Operators are required to carry out their own risk analyses and assessments, based on national analyses and other sources, at least every four years. These must account for:

  • The degree to which their critical facilities depend on services provided by other operators, including those in neighbouring EU member states and third countries.
  • The extent to which other sectors depend on the services they provide, including internationally.

Special features of maritime infrastructure must be taken into account. The Ministry of the Interior is authorised to prescribe content and methodological requirements, including templates, for these operator risk analyses.

Resilience Measures and Plans (§13)

As expected, the KRITIS Umbrella Act does not prescribe detailed measures directly but rather sets the statutory framework. The aim is to prevent disruptions and failures, limit their consequences and restore operation after an incident. Operators must respond to the specific risks identified in both the government and their own risk analyses with tailored measures, which can vary depending on local conditions and sector requirements. The Act enables operators to work with industry associations to develop common standards, specifying what constitutes appropriate and proportionate measures for their sector. This establishes minimum standards and closes gaps, while existing sector-specific regulations remain in force.

Specifically, the draft act requires operators of critical facilities to take suitable and proportionate technical, security-related and organisational measures to ensure their resilience, including:

  • Preventing incidents
  • Ensuring adequate physical protection of sites and facilities
  • Responding to, mitigating and limiting the negative impact of incidents
  • Restoring critical services after incidents
  • Ensuring appropriate security management for staff, including external service providers
  • Familiarising staff with these measures through information materials, training and exercises

Measures are considered proportionate if the effort to prevent or limit an incident is reasonable in relation to the risks, and the state of the art must be observed.

Specific Measures and Resilience Obligations (§14)

The Act does not specify all measures in detail but defines minimum requirements and objectives that must be implemented by operators. Measures are proportionate if the required effort matches the risk of an incident, and up-to-date technologies must be used.

  • Emergency planning and preventive measures, structural and technical security measures, surveillance (e.g. video systems, drone detection, perimeter security), access controls and organisational security rules.
  • Development of risk management and crisis protocols, defined alarm procedures, maintaining operations via emergency power and alternative supply chains, minimising knock-on effects on other sectors.
  • Qualified training and exercises, provision of information materials and security guidelines, involving external service providers in resilience measures.
  • Drawing up a resilience plan documenting these measures, regularly updated and based on risk analyses and assessments. Templates and samples will be provided by the Federal Office of Civil Protection and Disaster Assistance (by 17 January 2026 at the latest).

Operators must present these measures in a resilience plan and apply them. The plan must show the reasoning behind the measures and refer to the operator’s risk analysis and assessment. It must be updated as needed and after each risk analysis or assessment. The Federal Office of Civil Protection and Disaster Assistance will provide templates and samples for resilience plans on its website by 17 January 2026.

Evidence, Inspections and Audits (§16 and §17)

Implementation is reviewed on a risk-based basis; authorities select which operators to audit or inspect based on risk exposure, facility size and potential impact of incidents.

Regular mandatory evidence checks are not prescribed. However, the authority may:

  • Request documents and resilience plans
  • Conduct audits as required
  • Appoint qualified third parties for inspections if necessary

Energy suppliers are subject to special rules under the Energy Industry Act, not the general evidence requirements of the KRITIS Umbrella Act.

Audits serve to check compliance with resilience measures under §13. Operators must:

  • Provide results, including identified shortcomings
  • Submit documentation
  • Grant authorities access to premises, systems and records
  • Support authorities during inspections

If deficiencies are found, the authorities can order a remediation plan and require proof of implementation.

Incident Reporting (§18)

Operators of critical facilities must report incidents that significantly disrupt, or could significantly disrupt, the provision of critical services to the reporting office under §32(1) BSIG no later than 24 hours after becoming aware of them. A detailed report must be submitted no later than one month after learning of the incident.

Reports must include all available information necessary to determine the nature, cause and possible effects and consequences of the incident, including cross-border effects. In particular, operators must specify the number and proportion of people affected, the current and expected duration of the disruption, and the affected geographic area, taking into account whether the area is geographically isolated.

The Federal Office of Civil Protection and Disaster Assistance may pass on relevant follow-up information to operators. Details of reporting procedures and content are agreed by the Federal Office in conjunction with the Federal Office for Information Security and published on the Civil Protection Office’s website.

Management Obligations (§20)

Senior management of KRITIS operators bears central responsibility: they must ensure the implementation of resilience measures and internal organisational measures to meet resilience obligations. Failure to fulfil these duties may result in liability for damage caused by negligence, under the applicable corporate law.

Conclusion on the KRITIS Umbrella Act

The KRITIS Umbrella Act represents a decisive step forward for the protection and resilience of critical infrastructure in Germany. For the first time, it establishes a uniform, cross-sector legal framework addressing both physical and organisational resilience of facilities and buildings. Operators are required to conduct comprehensive risk analyses, meet industry-specific and technical minimum standards, and prepare and regularly update resilience plans. The responsibility of management is clearly emphasised, and breaches may lead to legal consequences.

The Act responds to an increased threat landscape caused by natural events, sabotage and hybrid attacks, and implements the European requirements of the CER and NIS2 Directives. The introduction of reporting obligations, audits and central registration ensures transparency and oversight. At the same time, the framework remains flexible enough to accommodate sector-specific requirements and integrate existing regulations.

Overall, the KRITIS Umbrella Act offers a structured and transparent basis to ensure supply security and the functioning of society even during crises. It calls for modern resilience management from all parties involved and thus sets a new standard for security architecture in Germany.

Important notice: Please note that this is a German law applicable only in Germany. The information provided here is provisional and relates to ongoing legislative proceedings. This article does not claim to be complete or correct, does not constitute legal advice and cannot replace qualified legal advice in individual cases. While it has been prepared and reviewed with care, errors cannot be entirely ruled out. The author therefore assumes no guarantee for the completeness and accuracy of this article.

Dr Heiko Baumgartner

Freelance journalist with a strong focus on life science, security and chemistry.

Thanks to his extensive experience as Publishing Director at a leading international science publisher and his expert knowledge as Editor-in-Chief in various specialist editorial offices, Heiko Baumgartner builds a bridge between innovations and technologies and their practical applications.