KRITIS-Umbrella Act: What Operators of Critical Infrastructures Can Expect Besides NIS2
While the security world focuses on NIS2, the Federal Ministry of the Interior is simultaneously working on the KRITIS-Umbrella Act – the physical counterpart to cyber regulation. For the first time in Germany, minimum standards for the physical protection of critical infrastructures will be legally anchored nationwide. Operators face the double burden of digital and physical resilience.
TL;DR
- KRITIS-Umbrella Act implements EU Directive CER (Critical Entities Resilience)
- Nationwide physical protection standards for KRITIS operators for the first time
- Affects 11 sectors: Energy, Water, Health, Transport, Digital, and others
- Risk assessments, resilience plans, and reporting obligations for physical incidents
NIS2 Plus KRITIS-Umbrella Act: The Double Regulation
NIS2 regulates cybersecurity, the KRITIS-Umbrella Act physical protection – but the addressees overlap significantly. An energy supplier, for example, will have to comply with both sets of regulations in the future: cyber risk management according to NIS2 AND physical resilience plans according to the KRITIS-Umbrella Act.
For operators, this means: two compliance frameworks, two reporting obligations, potentially two supervisory authorities. The challenge lies in integrating both requirements into a coherent risk management system.
What the Law Specifically Requires
Core obligations for KRITIS operators:
- regular risk assessments (every 4 years)
- resilience plans with concrete protective measures
- reporting obligations for incidents that significantly disrupt operations
- background checks for employees in sensitive areas
- designation of a responsible contact person for the BBK (Federal Office of Civil Protection and Disaster Assistance)
New is the all-hazards approach: the risk assessment must cover not only sabotage and terrorism but also natural disasters, pandemics, and technical failures. Climate adaptation thereby becomes a security issue in its own right.
The 11 Affected Sectors
Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. The precise delineation of which companies within these sectors are considered “critical facilities” is defined by threshold values.
Important for small and medium-sized enterprises: the threshold values are oriented towards supply relevance, not company size. A small municipal utility can be affected just as much as a DAX corporation.
Recommendation for Implementation: Integration Instead of Double Work
Companies already working on NIS2 compliance should not treat the KRITIS-Umbrella Act as a separate project. The recommendation: build an integrated resilience management system that covers both cyber and physical risks.
ISO 22301 (Business Continuity) provides a framework that covers both dimensions. Companies whose business continuity management system (BCMS) is certified to ISO 22301 already meet a large part of the KRITIS-Umbrella Act requirements.
Key Facts
- EU Basis: CER Directive (Critical Entities Resilience), to be implemented by October 2024
- Sectors: 11 sectors with an estimated 2,000+ affected operators in Germany
- Reporting Obligation: 24 hours for significant disruptions to operations
Frequently Asked Questions
Does the KRITIS-Umbrella Act also apply to IT companies?
Yes, the “Digital Infrastructure” sector includes data centers, DNS services, TLD registries, and internet exchange points (IXPs). Cloud providers and managed service providers can also be affected, depending on the threshold values.
How does this relate to the existing IT Security Act?
The IT Security Act 2.0 regulates cybersecurity for KRITIS (it will be superseded by the German NIS2 implementation). The KRITIS-Umbrella Act adds the physical dimension. Both laws apply in parallel.
How much does implementation cost?
Depending on the maturity level: companies with existing BCM according to ISO 22301 have minimal additional effort. Without existing structures: 6-12 months project duration, €100,000-€500,000 for small and medium-sized enterprises (consulting, measures, documentation).