KRITIS umbrella law: New requirements for operators of critical systems

The KRITIS Umbrella Act brings new requirements.

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.

The KRITIS Umbrella Act (KRITIS-DachG) was passed by the Federal Government in the fall of 2025 and adopted by the Bundestag on January 29, 2026. The aim of the law is to establish uniform minimum requirements for the physical protection of critical facilities and to ensure their implementation through coordinated support and supervisory measures. The regulations supplement existing IT security regulations by pursuing an all-hazards approach. They therefore offer protection against natural hazards, technical faults, sabotage, terrorism and other non-IT-related threats. Below you will find an overview of the most important points of the KRITIS-DachG.

Definitions of terms: Critical service, Critical system, Resilience, Incident

To enable companies to assess whether they are affected by the KRITIS-DachG, it is worth taking a look at the central definitions in the law:

  • Critical service: This refers to a service to supply the general public in certain sectors. For example, energy, transportation and traffic, finance and insurance, social services (social insurance and basic security), healthcare, water (drinking water/wastewater), food, information technology and telecommunications, space infrastructure or waste disposal. A failure or significant impairment of such services would lead to supply bottlenecks or threats to public safety.

  • Critical system: A facility is any operating site or installation (stationary or mobile). An installation is considered critical if it is essential for the provision of a critical service. In concrete terms, this means: if this system fails, the essential service is at risk. Operators of critical systems can be private companies or public bodies that have a decisive influence on the system.

  • Resilience: The KRITIS-DachG defines resilience as the ability of a critical facility to prevent an incident, protect itself against it, ward it off, respond to it, limit the consequences, absorb the incident and then recover. It is therefore a holistic approach to resilience, from preventive measures and emergency responses to the restoration of normal operations.

  • Incident: An incident within the meaning of the KRITIS-DachG is an event that significantly affects or could affect the provision of a critical service. Important: Pure cyber incidents (IT security incidents) that fall under the BSI Act do not count as an incident within the meaning of this Act. The KRITIS-DachG is primarily aimed at physical hazards and classic supply crises. Examples would include natural disasters, large-scale power outages, acts of sabotage or failures caused by human error, provided these significantly disrupt the supply. Cyberattacks remain subject to reporting and treatment under the BSIG, although there may of course be overlaps (e.g. combined attacks).

Obligations for operators of critical systems

The KRITIS Umbrella Act imposes extensive new obligations on operators of critical facilities. These are intended to ensure that they take precautions to prevent and manage crises. They include in particular:

  • Registration of systems and operators: All operators who fall under the KRITIS-DachG must register themselves and their critical systems in a central register at the Federal Office of Civil Protection and Disaster Assistance (BBK). This is done via a joint online platform of the BBK and BSI in order to avoid overlaps with the existing BSIG registration. The registration includes information on the operator (name, legal form, contact), the facility (location, sector, service area) and the critical service provided. A 24/7 contact point must also be named. Deadlines: Existing critical installations must be registered by July 17, 2026 at the latest. New installations must be registered within three months of classification. If registration is missed, the BBK can enter the operator in the register itself after a hearing.

  • Risk analysis and risk assessment: Operators are obliged to regularly carry out a systematic all-hazards risk analysis for their critical systems. All relevant risks should be considered: from natural hazards (e.g. floods, pandemics) to technical failures and deliberate attacks. The analysis must be used to carry out a risk assessment in order to prioritize the risks according to probability of occurrence and extent of damage. The EU directive requires these operator risk analyses to be carried out within 9 months of identification. It is important that companies adapt their existing risk and BCM models to the all-hazards approach. Many industries already have standards for emergency and crisis management; these can be integrated and expanded.

Resilience measures and resilience plan

Based on the risk analysis, suitable and proportionate technical, organizational and personnel measures must be taken to protect the critical systems. The spectrum ranges from structural safety precautions (e.g. access controls, redundant systems) to organizational measures (emergency plans, employee training, securing spare parts and fuel stocks) and cooperation with authorities and partners in the event of a crisis. All measures taken must be documented in a resilience plan. This plan contains the company's strategy for maintaining operations in the event of a crisis, the defined protective measures and the results of the previous risk analysis. The BBK provides samples and templates to help companies draw up this plan.

The resilience plan must be applied and kept up to date. Regular reviews and adjustments to new threat situations are therefore mandatory.

Although all measures must be planned when registration takes place, some of them may still be in the process of being implemented. In any case, companies should start planning at an early stage, as implementing and establishing a resilience strategy can be time-consuming.

Contact points and reporting obligation

  • Designation of contact points: As already mentioned, the law requires the appointment of a permanent contact point for each operator. This is intended to ensure that authorities can quickly reach a contact person in the event of a crisis or suspicion. In practice, this will usually be a round-the-clock emergency hotline or a corresponding on-call service. The contact details must be provided during registration and always kept up to date. For internationally active companies, it may make sense to establish a central internal point of contact for all KRITIS issues.

  • Obligation to report significant incidents: If an incident occurs despite all precautions, the reporting obligation of the KRITIS-DachG applies. Every significant incident must be reported to the responsible body immediately, at the latest within 24 hours of becoming known. A joint BBK and BSI reporting office will be set up for this purpose, and all incident reports are to be submitted via this central online portal. Duplicate reports (e.g. separately to BBK and BSI) are thus avoided. If the initial report still contains incomplete information (typical in an acute situation), it must be updated on an ongoing basis while the disruption persists.

    No later than one month after the incident becomes known, the operator must submit a detailed final report that sheds light on the causes and all effects.

    The content of reports must at least include the type and cause of the incident, the affected area, the duration and the extent of the disruption to supply (number of users affected, etc.). The BBK evaluates these incident reports and, if necessary, informs other member states or the EU Commission if the incident has cross-border significance. Important: This reporting obligation applies in addition to any sector-specific regulations. For example, energy suppliers may still have to inform the Federal Network Agency at the same time, healthcare services their supervisory authorities, etc., provided that corresponding requirements exist. However, the KRITIS-DachG does not create any public "naming and shaming": reports are treated confidentially. Only if it is in the public interest can the BBK inform the public after hearing the operator, for example to warn the population.

In addition to these core obligations, the law provides for further requirements, such as participation in government resilience programs.

KRITIS supervision

Compliance with these obligations is monitored by a multi-level supervisory system. The central point of contact is the Federal Office of Civil Protection and Disaster Assistance (BBK). Depending on the sector, various competent authorities are also designated: the Federal Network Agency for electricity, gas, hydrogen and telecommunications, the Federal Railway Authority for rail transport, the Federal Office for Information Security (BSI) for IT/telecommunications services, the health ministries (federal/state) for healthcare facilities, etc.

The responsible authorities work closely with the BBK and the BSI to avoid overlaps. For example, there will be a joint reporting office and the BBK and BSI will also work together on registration and auditing through an online platform and coordinated procedures.

The authorities have extensive powers to monitor the implementation of resilience measures. They can request evidence and information from operators, such as access to the resilience plan or internal documentation. The supervisory authorities follow a risk-based approach: priority inspections are primarily carried out at those companies whose size, risk exposure or potential impact is particularly high.

Operators must submit audit results on request if they have had external inspections carried out. The authority can carry out on-site inspections itself or commission independent third parties to do so. Companies are obliged to grant the inspectors access to operating premises, relevant systems and facilities and to provide information. If deficiencies are identified, the authority can oblige the operator to submit a plan to rectify the deficiencies within a certain period of time and to implement the corresponding measures.

Reading tip: DORA guidelines on the supervision of critical third-party providers

Liability and sanctions for KRITIS breaches

Liability of the management: Section 20 KRITIS-DachG, which emphasizes the responsibility of company management, is noteworthy. The management of an operator (i.e. the board of directors, management or comparable bodies) is obliged to implement resilience measures and anchor them in the organization. If the management culpably neglects this duty, it is liable to the company for any damage incurred. This civil-law liability applies on a subsidiary basis, unless company law provisions (e.g. duties of care under company law) already cover such cases. For decision-makers, this means that resilience is a matter for the boss. Anyone who deliberately ignores requirements risks personal liability claims. This is similar to what is known from data protection or labor law, where compliance violations can also result in liability of the management.

Administrative offenses and fines: To ensure enforcement, the law contains a catalog of fines. Violations, such as a lack of registration, failure to carry out a risk analysis, no resilience plan or failure to report an incident, can result in severe fines. Depending on the severity of the breach, the maximum amounts are staggered at €50,000, €100,000, €200,000 and €500,000. The maximum fine of €500,000 is likely to be applied in the event of gross or repeated breaches of duty (e.g. complete disregard of resilience requirements). In addition, any willful violation of official orders can be punished as an administrative offense. This increases the pressure.

Industry-specific consequences: Regardless of the KRITIS-DachG, sector-specific supervisory laws remain valid. In highly regulated sectors (energy, telecommunications, transport, etc.), regulatory measures, including the withdrawal of licenses, could be taken in the event of blatant non-compliance with protection obligations. This would be the extreme measure and is not explicitly standardized in the KRITIS-DachG. However, an energy supplier that persistently violates security requirements could ultimately risk losing its operating license.

Overall, however, the legislator is signaling that the new obligations are to be taken seriously, both through fines and by emphasizing management responsibility.

Source: Act implementing Directive (EU) 2022/2557 and strengthening the resilience of critical facilities (KRITIS Umbrella Act)

KRITIS makes resilience a top priority

The KRITIS umbrella law brings with it new, quite demanding obligations for critical companies: from registration and risk analyses to reporting processes. At the same time, it offers the opportunity to bring your own crisis management up to date and arm it against a wide range of threats.

Decision-makers should act proactively, use official guidelines and take a step-by-step approach to implementation. With good planning and support, the requirements can be met, ultimately increasing security of supply and ensuring legal compliance. The motto is: "Resilience is feasible if you make it a top priority and get everyone involved on board."

Are you an operator of critical systems, or do you suspect that your company falls within the scope of the KRITIS Umbrella Act? Then it is worth creating clarity at an early stage and starting the implementation in a structured manner. 2B Advice provides you with practical support: from the impact assessment to the organizational structure to audit-ready documentation.

We help you in particular with:

  • Scope & impact analysis (critical services, critical systems, dependencies, interfaces to BSIG/NIS-2)
  • Risk analysis & risk assessment according to the all-hazards approach (methodologically robust, suitable as a basis for management decisions)
  • Resilience plan & program of measures (prioritization, implementation path, governance, evidence)
  • Reporting processes & crisis organization (24-hour reporting logic, templates, exercises, communication concept)
  • Audit readiness (record keeping, internal controls, preparation for inspections by authorities/on-site checks)
If you wish, we can arrange a brief initial meeting to assess your status quo and develop a concrete roadmap. Simply write to us, and within a short time you will receive an assessment of which next steps will have the greatest impact for your company.

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.
