
Regulation | Critical Infrastructure

KRITIS Umbrella Act: Physical & Operational Resilience for Critical Entities

The KRITIS Umbrella Act (KRITIS-Dachgesetz) implements the EU CER Directive (EU 2022/2557) into German law, requiring operators in 11 sectors to achieve physical and operational resilience. The all-hazards approach covers sabotage, terrorism and natural disasters.

Last updated: March 2026 · Reviewed by certified experts

Sectors: 11 (from Energy to Public Administration)
EU basis: CER Directive (EU) 2022/2557
Approach: All-Hazards (Cyber + Physical + Operational)
Supply threshold (typical): 500,000 supplied persons per sector
Bundestag adoption: January 2026

Background

What is the KRITIS Umbrella Act?

The KRITIS Umbrella Act (KRITIS-Dachgesetz) is Germany's national implementation of the EU CER Directive (Critical Entities Resilience, EU 2022/2557). It creates for the first time a unified legal framework for the physical and operational resilience of critical infrastructure operators in Germany - equivalent in scope to the EU CER Directive requirements across all member states.

The key distinction from existing KRITIS regulation under §31 BSIG and NIS2 lies in its focus: while NIS2 regulates cybersecurity, the KRITIS Umbrella Act addresses physical threats - sabotage, terrorism, natural disasters, technical failure. The all-hazards approach requires an integrated view of all risk sources.

The competent supervisory authority is the Federal Office for Civil Protection and Disaster Assistance (BBK), which coordinates with sector authorities. The Bundestag adopted the law on January 29, 2026.

KRITIS Umbrella Act at a Glance

EU Directive: CER Directive EU 2022/2557
Bundestag: January 29, 2026
Sectors: 11 sectors (Energy to Space)
Threshold: 500,000 supplied persons
Authority: BBK (Federal Office for Civil Protection and Disaster Assistance)
Approach: All-Hazards (Cyber + Physical + Operational)

NIS2 vs. KRITIS Umbrella Act

NIS2 = Cybersecurity of IT systems.
KRITIS Umbrella Act = Physical and operational resilience.
Many operators must fulfill both.

Scope

The 11 Regulated Sectors

The KRITIS Umbrella Act covers operators of critical facilities in 11 sectors if they supply at least 500,000 persons or have equivalent societal significance. Classification is performed by the competent sector authority.

Supply Threshold: 500,000 supplied persons - primary criterion for applicability
Total Sectors: 11 sectors - from Energy to Space, all essential areas
All-Hazards: Integrated - Cyber + Physical + Operational in one risk analysis

Energy: Electricity, gas, district heating, oil, hydrogen, EV charging infrastructure
Transport: Aviation, rail, maritime, road transport, public transit
Finance & Insurance: Credit institutions, financial market infrastructures, insurance
Health: Hospitals, laboratories, pharmaceutical manufacturers, emergency services
Drinking Water: Water supply, treatment, distribution
Wastewater: Wastewater treatment, disposal, sewage plants
Waste Management: Waste treatment, recycling, hazardous waste
IT and Telecommunications: Data centers, cloud, telecom networks, internet exchange points
Food: Food production, processing, wholesale
Space: Operators of ground infrastructure for space-based services
Public Administration: Federal and state authorities with critical functions

Obligations

8 Key Obligations for Operators

The KRITIS Umbrella Act establishes eight core obligations. The all-hazards approach integrates physical and cyber threats into a single risk analysis and resilience framework.

1. Risk Analysis - Physical and Cyber Integrated

Affected operators must conduct a comprehensive risk analysis covering physical risks (sabotage, natural disasters, terrorism) and cyber risks equally (all-hazards approach). The risk analysis must be documented and regularly updated. It forms the basis for all further resilience measures.

2. Physical Security Measures

Operators must implement appropriate physical security measures: access control, perimeter protection, monitoring systems, securing utility lines. The all-hazards approach also requires protective measures against natural disasters, fire, flooding and technical failures.

3. Incident Reporting Obligations

Incidents that could significantly impair the continuity of the critical infrastructure must be reported to the BBK. The reporting obligation applies to physical incidents - cyberattacks remain primarily subject to NIS2 and the BSI Act. For overlapping incidents, coordinated reporting to both authorities is required.

4. Business Continuity Management (BCM)

Operators must create, test and regularly update plans to maintain operations during disruptions. BCM covers: emergency manuals, backup systems, alternative supply routes, crisis organization. Regular exercises (tabletop exercises, crisis drills) are mandatory.

5. Personnel Vetting and Background Checks

Personnel working in security-critical areas must undergo reliability checks. This includes employees with access to critical systems and facilities as well as security personnel. Requirements are modeled on §7 Aviation Security Act and §12b Energy Industry Act.

6. Registration with the BBK

Affected operators must register with the Federal Office for Civil Protection and Disaster Assistance (BBK). Registration includes information about the critical infrastructure, responsible contact persons, sector affiliation and basic resilience information. The BBK coordinates supervision with sector authorities.

7. Security Officer and Contact Point

Operators must designate a contact point with the BBK and appoint an officer responsible for physical resilience. This person acts as a liaison with authorities, coordinates the implementation of resilience obligations and prepares the required plans and reports.

8. Resilience Plan and Report

Affected operators must create a resilience plan documenting all measures to strengthen physical and operational resilience. The plan must be submitted to the competent authority (BBK and sector authority) and reviewed regularly. Supplementary resilience reports must also be prepared.


Case Studies

Why Physical Resilience Matters: Real Incidents

These incidents demonstrate why the KRITIS Umbrella Act goes beyond pure cybersecurity - physical threats to critical infrastructure have real and potentially life-threatening consequences.

University Hospital Dusseldorf - Ransomware, Patient Lives at Risk

September 2020

The University Hospital Dusseldorf was brought down by a ransomware attack (Emotet/Ryuk). 30 servers were encrypted and the emergency room had to be closed. A critically ill patient was redirected to a more distant hospital - for the first time, a possible causal link between a cyberattack and a fatality was raised. The KRITIS Umbrella Act specifically requires integrated BCM plans for such scenarios to ensure operational continuity during system failures.

Colonial Pipeline - 5-Day Outage, USD 4.4 Million Ransom

May 2021

Colonial Pipeline, which supplies 45% of the US East Coast with fuel, was shut down for 5 days by a DarkSide ransomware attack. The company paid USD 4.4 million in ransom, of which USD 2.3 million was recovered by the FBI. Gas stations ran out of fuel and panic buying was reported. In the EU, such an operator would fall under both NIS2 and the KRITIS Umbrella Act.

Nord Stream Sabotage - Physical Infrastructure as Attack Target

September 2022

The explosions of the Nord Stream 1 and Nord Stream 2 pipelines in the Baltic Sea demonstrated that critical infrastructure can be deliberately destroyed through physical attacks. This incident was the trigger that politically accelerated the CER Directive and the KRITIS Umbrella Act. It shows that cyber and physical security cannot be considered separately.

Stadtwerke Rodgau - Ransomware Hits Municipal Infrastructure

December 2022

The municipal utility Stadtwerke Rodgau (Hesse) was hit by a ransomware attack. The supply of electricity, gas and water to the population was temporarily at risk. The incident shows that smaller municipal KRITIS operators are also targeted.

Oldsmar Water Treatment - Remote Access, Chemical Manipulation

February 2021

An attacker gained remote access to the control system of the Oldsmar, Florida water treatment plant via TeamViewer and increased the sodium hydroxide concentration to 111 times the normal level. An alert employee noticed the mouse movement and interrupted the process. The KRITIS Umbrella Act specifically requires physical security measures and access control for such systems.

„The KRITIS Umbrella Act fills a critical gap: while NIS2 protects IT systems, physical attacks on power plants, water systems or transport infrastructure can have just as catastrophic consequences. Both dimensions must be addressed in a coordinated resilience strategy.“

Chris Wojzechowski

Auditor with §31 BSIG Audit Qualification · AWARE7 GmbH

Frequently Asked Questions about the KRITIS Umbrella Act

Answers to the most common questions about Germany's KRITIS Umbrella Act, the EU CER Directive and obligations for critical infrastructure operators.

NIS2 and the KRITIS Umbrella Act regulate two different protection objectives that complement each other: NIS2 (Directive EU 2022/2555, implemented through NIS2UmsuCG) focuses on cybersecurity - the security of network and information systems. The KRITIS Umbrella Act (implementing CER Directive EU 2022/2557) focuses on physical and operational resilience - protection against sabotage, terrorism, natural disasters and technical failures. Both regulations can apply to the same operator - they must then be fulfilled in parallel. The competent authority for NIS2 is the BSI; for the KRITIS Umbrella Act it is the BBK.

The KRITIS Umbrella Act applies to operators of critical facilities in 11 sectors if they supply at least 500,000 persons or have an equivalent significance for public safety. Those affected include: operators of electricity, gas and water supply; hospitals and health care; food suppliers (production and wholesale); financial infrastructures; transport infrastructures (airports, rail, ports); telecommunications and IT infrastructures; and public administration at federal and state level with critical functions. The exact scope is defined through sector-specific ordinances.

The all-hazards approach (Art. 13 CER Directive) requires operators to protect not only against specific known threats, but against all relevant risk sources: human threats (sabotage, terrorism, insider threats), natural disasters (flooding, storms, earthquakes), technical failures (control system errors, infrastructure failures), and systemic risks and dependencies (cascade effects). This approach marks a fundamental departure from previous sector-specific thinking and requires integrated risk analysis across all threat sources.

The Federal Office for Civil Protection and Disaster Assistance (BBK) is the primary supervisory authority under the KRITIS Umbrella Act. The BBK coordinates implementation with sector authorities: the BSI for IT/telecommunications aspects, the Federal Network Agency for energy and telecommunications, the Federal Maritime and Hydrographic Agency (BSH) for ports, and state authorities for sectorally regulated infrastructures (e.g., healthcare). Operators subject to both NIS2 and the KRITIS Umbrella Act effectively have two supervisory authorities.

The Bundestag adopted the KRITIS Umbrella Act on January 29, 2026. It implements the EU CER Directive (EU 2022/2557) into German law; the transposition deadline was October 17, 2024 - Germany significantly exceeded this deadline. For most obligations, a transition period of 12 to 18 months applies after entry into force to allow operators to implement the requirements. Registration and designation of a contact point with the BBK should occur promptly.

The existing KRITIS regulation under §31 BSIG required critical infrastructure operators to implement cybersecurity measures (technical and organizational) and report cyber incidents to the BSI. The KRITIS Umbrella Act adds the physical dimension: it mandates physical security measures, BCM for physical outages, personnel vetting and integrated risk analyses. Both regimes will exist in parallel - for many operators this means: cyber obligations under §31 BSIG/NIS2 plus physical obligations under the KRITIS Umbrella Act.

Yes - affected operators must create a resilience plan in accordance with Art. 12 CER Directive documenting all measures to strengthen resilience. The plan must include the results of the risk analysis, identified measures, responsibilities, timelines and testing procedures. It must be submitted to the competent authority (BBK and sector authority) and reviewed and updated at least every 4 years.

ISO 22301 (Business Continuity Management Systems) structurally covers many requirements of the KRITIS Umbrella Act: business impact analysis (BIA), BCM plans, exercises, recovery objectives. An ISO 22301 certification can serve as evidence for BCM obligations under the KRITIS Umbrella Act if it includes physical threat scenarios. Combined with ISO/IEC 27001 (information security), this provides a comprehensive picture that largely covers NIS2 and the KRITIS Umbrella Act. AWARE7 provides consulting on both standards in combination.

The KRITIS Umbrella Act provides for regulatory offenses for operators who violate reporting obligations, fail to conduct risk analyses, or fail to implement required resilience measures. Specific fine frameworks will be defined in national implementing legislation - the CER Directive itself requires effective, proportionate and dissuasive penalties. Additionally, regulatory orders to implement measures and potentially operational prohibitions in case of acute threat to public safety are possible.

Prepare Your Resilience Under the KRITIS Umbrella Act

AWARE7 guides critical infrastructure operators through the all-hazards risk analysis, physical security measures, BCM planning and BBK registration - integrated with existing NIS2 and §31 BSIG obligations.

Free · 30 minutes · No obligation