The German Bundestag has passed the KRITIS Umbrella Act (KRITIS-Dachgesetz). For the first time, Germany now has a cross-sector, nationwide legal framework designed to systematically strengthen the resilience and physical protection of critical infrastructure.
The political context is clear: today’s threat landscape goes far beyond traditional IT risks. Sabotage, extremism, terrorism, natural hazards, and growing dependence on a small number of highly interconnected nodes have turned continuity of supply into a security issue. The Act implements the EU CER Directive (EU 2022/2557) on the resilience of critical entities into German law.
The KRITIS Umbrella Act defines which companies and facilities qualify as critical infrastructure and which minimum requirements they must meet. The Federal Government explicitly lists the covered sectors, including energy; transport and traffic; finance; social security services and basic income support for jobseekers; healthcare; water; food; information technology and telecommunications; space; municipal waste management; and public administration.
1) Risk analyses and risk assessments as the basis for physical protection measures
2) Mandatory resilience and protection measures for operators, such as perimeter security, access and vehicle-entry control, and additional safeguards
3) Reporting obligations for security-relevant incidents. Incidents must be reported to a joint reporting point operated by BBK and BSI within 24 hours at the latest. The aim is to improve the overall situational picture of attacks and disruptions, strengthening warnings, coordination, and oversight.
A key enforcement mechanism is the sanction regime: fines have been substantially increased. In serious cases, they can now reach up to €1,000,000.
A nationwide threshold (often cited as affecting more than 500,000 people) can be too high in practice. What may appear replaceable in a metropolitan area can be vital in rural regions, where redundancy is limited. This is where the opening clause comes in: it allows Germany’s federal states to bring smaller facilities under the Act if they are of particular regional importance.
With the opening clause, the role of the federal states is explicitly considered: they gain more influence over which facilities are classified as critical at regional level, and therefore which operators must comply with the obligations.
For critical infrastructure operators, the key message is: resilience and physical security become mandatory and must be demonstrable. The most important fields of action can be summarized as follows:
Develop and maintain resilience plans: These must be concrete, not theoretical, and include sector-specific measures. This explicitly covers physical security, such as securing sites, consistently controlling access points and vehicle entry, and defining clear intervention and recovery processes.
Conduct regular risk assessments: Potential threats (sabotage, natural hazards, outages, attacks) must be systematically identified, evaluated, and translated into measures.
Establish reporting processes: Operators are required to report security-relevant incidents without delay. In practice, this requires defined internal thresholds, responsibilities, and decision-making paths.
Strengthen personnel security: Training and security checks help ensure that key personnel recognize risks, understand procedures, and remain capable of acting during incidents.
Ensure auditability and evidence: Implementation, effectiveness, and continuous improvements must be documented.
For operators, the conclusion is clear: the requirements should be implemented now—not only to avoid fines and supervisory consequences, but above all to prevent physical risks and attacks effectively. Organizations that consistently control access and vehicle entry, reduce vulnerabilities at sites, establish robust emergency and reporting processes, and regularly test and review measures increase day-to-day security—and remain operational and capable of delivery when it matters most.