15 March 2026

KRITIS Umbrella Act in Force: What Operators of Critical Facilities Must Implement by July 2026


With the Bundesrat's approval on March 6, 2026, the KRITIS Umbrella Act has cleared its final legislative hurdle and enters into force in stages. For approximately 2,000 operators of critical infrastructures in Germany, the countdown has begun: by July 17, 2026, they must register with the Federal Office of Civil Protection and Disaster Assistance (BBK), and they must demonstrate far more than IT security alone. For the first time, the law mandates cross-sector physical and organizational protection measures that go well beyond the existing NIS2 requirements.

TL;DR

  • The KRITIS Umbrella Act was passed by the Bundesrat on March 6, 2026, and enters into force in stages – the first mandatory registration deadline is July 17, 2026
  • Around 2,000 operators of critical facilities across 11 sectors are affected – from energy and healthcare to transport
  • For the first time, physical protection measures, business continuity management (BCM), and reporting obligations are legally mandated across sectors
  • The KRITIS Umbrella Act complements NIS2: While NIS2 governs digital cybersecurity, the Umbrella Act addresses physical and organizational resilience
  • Operators should begin immediately with a gap analysis and prepare for mandatory registration: missing the deadline risks fines of up to 10 million euro

Infobox: ~4,700 operators of critical facilities fall under the KRITIS Umbrella Act (source: BSI, 2025)

What the KRITIS Umbrella Act Regulates – and Why Now

The EU Directive on the Resilience of Critical Entities (CER Directive, 2022/2557) requires all member states to establish national regulations for the physical protection of critical infrastructures. Germany is implementing this requirement through the KRITIS Umbrella Act – the first federal law to make physical security and organizational resilience binding across sectors.

Until now, Germany’s protection of critical infrastructures focused primarily on BSI regulations in the digital domain (IT Security Act, now NIS2). Physical risks such as sabotage, natural disasters, or supply shortages were either regulated on a sector-specific basis or not regulated at all. The 2022 Nord Stream pipeline attacks, targeted sabotage against rail infrastructure, and the growing hybrid threat landscape have significantly increased political pressure.

The result: a law that bundles physical security, personnel protection, crisis management, and reporting obligations into a single regulatory framework – deliberately extending beyond pure IT security.

“Critical infrastructures are the backbone of our society. Their protection is a national task that must integrate physical and digital resilience.”
– Federal Ministry of the Interior, on the adoption of the KRITIS Umbrella Act

Key figures:

  • Affected operators: ~2,000 across 11 sectors nationwide
  • Registration deadline: 17.07.2026 (initial registration with the BBK)
  • Fines for violations: up to 10 million € (maximum penalty under the law)

The 11 KRITIS Sectors at a Glance

The KRITIS Umbrella Act defines eleven sectors considered critical infrastructures. For each sector, the BBK sets specific thresholds determining whether an operator falls under the regulation:

Energy: Electricity, gas, oil, district heating – generation, transmission, and distribution. In addition to major utilities, municipal utilities and network operators above the thresholds are also affected.

Transport and Mobility: Airports, ports, rail infrastructure, and road traffic. Sabotage incidents targeting Deutsche Bahn have highlighted the vulnerability of this sector.

Banking and Financial Market Infrastructure: Systemically important banks and exchange infrastructure. Significant overlaps exist with DORA.

Healthcare: Hospitals, laboratories, pharmaceutical companies, and medical device manufacturers above the thresholds.

Drinking Water and Wastewater: Water supply and sewage treatment – a sector particularly dependent on physical security.

Digital Infrastructure: Data centers, DNS services, IXPs – strong overlap with NIS2, where the KRITIS Umbrella Act complements digital requirements at the physical level.

Public Administration: Federal and state authorities providing critical services.

Space: Satellite infrastructure and ground facilities. This sector is new to German KRITIS regulation and enters it via the CER Directive.

Food: Large-scale production, processing, and distribution of food.

Manufacturing: Production of critical goods – such as medical devices, electronics, or chemicals.

Research: Research institutions relevant to public safety or supply.

KRITIS Umbrella Act vs. NIS2: What Regulates What?

The distinction between the KRITIS Umbrella Act and NIS2 is the central question operators must understand. Both laws may affect the same companies – but regulate different risk areas.

NIS2 (implemented in Germany via the NIS2 Implementation and Cybersecurity Strengthening Act) governs digital cybersecurity: network security, incident response, vulnerability management, and secure IT supply chains. In contrast, the KRITIS Umbrella Act addresses physical and organizational resilience: perimeter protection, access controls, personnel screening, business continuity management, and crisis communication.

“Whoever views NIS2 as purely an IT project and the KRITIS Umbrella Act as merely a facility management issue will fail to meet both compliance goals. The laws are interdependent and require an integrated resilience strategy.”

In practice, this means an energy provider must demonstrate both NIS2-compliant IT security and the physical protection requirements of the KRITIS Umbrella Act. The good news: companies already operating a functional ISMS under ISO 27001 have a solid foundation. The bad news: physical security, BCM, and personnel screening are often not at the level now required by law.

For a comprehensive overview of NIS2 requirements, see our article NIS2 in Germany: What Companies Need to Know and Implement Now.

The Five Core Obligations of the KRITIS Umbrella Act

The law defines five central obligation areas every affected operator must fulfill:

1. Mandatory Registration with the BBK

By July 17, 2026, all operators of critical facilities must register with the Federal Office of Civil Protection and Disaster Assistance (BBK). The registration includes information about operated facilities, critical services provided, and existing protection measures. Based on this data, the BBK will create a national overview of all KRITIS operators – for the first time with this level of completeness.

2. Risk Assessment and Resilience Planning

Operators must conduct a comprehensive risk assessment covering not only cyber risks but also physical threats: natural disasters, sabotage, terrorism, pandemics, and supply shortages. Based on this assessment, a resilience plan must be developed, defining concrete protective measures.

3. Physical Protection Measures

The law requires technical, organizational, and personnel measures for physical protection: perimeter security, access control systems, video surveillance, detection systems, and structural protective measures. The extent depends on the facility’s criticality and the results of the risk assessment.

4. Business Continuity Management (BCM)

Operators must establish a BCM system ensuring the continuity of critical services during disruptions or outages. This includes business impact analyses, emergency plans, recovery procedures, and regular drills. The ISO 22301 BCM standard serves as a reference.

5. Reporting Obligations

Security incidents that impair or could impair the delivery of critical services must be reported to the BBK. The initial report must be submitted within 24 hours, followed by a detailed report within 72 hours. These requirements parallel the NIS2 reporting obligations to the BSI, but involve different reporting systems and contact points. Operators subject to both laws should expect that a single incident, for example physical sabotage that also disrupts IT systems, can trigger both reporting chains in parallel, so incident response plans need to name the contact and clock for each.

Personnel Screening: The Underestimated Workload

One area many operators have not yet considered is personnel screening. The KRITIS Umbrella Act requires staff in security-relevant roles to undergo reliability checks. This applies not only to internal employees but also to service providers and contractors with access to critical facilities.

Details of the screening process will be defined in a separate ordinance. However, it is already clear: operators must establish processes ensuring only vetted personnel gain access to security-sensitive areas. In sectors with high staff turnover or many external contractors – such as logistics or healthcare – this represents a significant organizational burden.

The Roadmap: What Must Be Completed By When

Implementation of the KRITIS Umbrella Act follows a phased timeline. Here are the key milestones:

March 2026 – Immediate: Determine whether your company falls under the KRITIS definition. Thresholds are defined in the implementing ordinance – drafts are already available.

April-May 2026: Conduct a gap analysis. Which of the five core obligations are already met (e.g., through ISO 27001, ISO 22301, or sector-specific regulations)? Where are the gaps?

June 2026: Prepare registration documents. BBK registration requires detailed information on facilities, services, and protection measures – it is not a form you can complete in an hour.

July 17, 2026: Mandatory registration deadline. From this date, all affected operators must be registered with the BBK.

Q3-Q4 2026: Develop risk assessments and resilience plans. The BBK will provide guidelines and templates, but operational implementation remains the operator’s responsibility.

2027: First BBK audits. The federal office may conduct audits and require corrective actions for deficiencies.

Leverage Synergies with Existing Standards

The good news for companies already regulated or voluntarily adhering to recognized standards: many requirements of the KRITIS Umbrella Act can be met through existing management systems.

ISO 27001 (ISMS): Covers risk assessment, access controls, and incident management, primarily for information security. Physical security is only partially covered (Annex A.7 "Physical controls" in the 2022 edition, formerly Annex A.11 in the 2013 edition).

ISO 22301 (BCM): Directly applicable to the KRITIS Umbrella Act’s BCM requirements. Business impact analysis, recovery strategies, and drills are already defined.

BSI IT-Grundschutz (basic protection): The BSI compendium includes modules for physical security (the INF modules) and emergency management that can be mapped directly to KRITIS requirements.

Sector-specific standards: EnWG (energy), IT-SRRL (telecommunications), or KHG (hospitals) already contain sector-specific protection requirements that can serve as a foundation.

Companies that consistently leverage these standards can significantly reduce the implementation effort for the KRITIS Umbrella Act. The key lies in integration: a unified management system that combines physical security, IT security, and BCM under one roof, rather than running three parallel compliance projects.

“Companies that view the KRITIS Umbrella Act as an opportunity to consolidate their entire resilience strategy will ultimately face less effort than those merely ticking off the minimum requirements.”

Fines and Liability: Consequences of Non-Compliance

The KRITIS Umbrella Act provides for severe penalties. Operators who fail to register, to conduct risk assessments, or to comply with reporting obligations risk fines of up to 10 million euro, on par with the NIS2 maximum and intended to underscore the regulation's seriousness.

Moreover, management bears personal liability for compliance. Executives and board members can be held personally accountable for violations. This personal liability is a strong incentive not to delegate the issue solely to technical departments and forget about it.

For insights on how companies can protect themselves financially against the consequences of security incidents, see our article Cyber Insurance 2026: What Companies Need to Know.

Concrete Recommendations for Operators

What should affected companies do now? Here’s a practical action plan:

Start impact assessment immediately: Use sector definitions and thresholds to determine whether your company falls under the law. When in doubt, consult the BBK – better to ask once too often than miss the registration deadline.

Define responsibilities: The KRITIS Umbrella Act requires a designated resilience officer. Clarify now who will take on this role and what authority and resources they will have.

Conduct gap analysis against the five core obligations: Use the five obligation areas as a checklist and honestly assess your company’s current status. Physical security and personnel screening are often underdeveloped in many companies.

Leverage NIS2 synergies: If you are already implementing NIS2, integrate KRITIS requirements into the same project framework. Duplication can be avoided with the right governance structure.

Involve suppliers and service providers: Physical security doesn’t end at the factory gate. Identify which external providers have access to critical facilities and begin personnel screening processes.

Secure budget early: Establishing BCM, implementing physical protection, and conducting personnel screenings require funding. Companies starting the budget process only in June 2026 will miss the July deadline.

Outlook: KRITIS Protection as a Competitive Advantage

The KRITIS Umbrella Act is more than just another compliance obligation. It forces companies to systematically address their resilience – at a time when hybrid threats, geopolitical tensions, and climate events daily expose the vulnerabilities of critical infrastructures.

Companies using this law as an opportunity to elevate their physical and organizational security to a professional level will not only be compliant. They will also outperform competitors who merely meet the minimum requirements – especially in tenders, insurance premiums, and customer trust.

The deadline is set: July 17, 2026. That’s four months. Those who don’t start now won’t finish in time. For more on the cybersecurity trends shaping 2026, read our overview Cybersecurity Trends 2026: Seven Developments.

Frequently Asked Questions

Who is affected by the KRITIS Umbrella Act?

Operators of critical facilities in eleven sectors that exceed sector-specific thresholds: energy; transport and mobility; banking and financial market infrastructure; healthcare; drinking water and wastewater; digital infrastructure; public administration; space; food; manufacturing; and research. Approximately 2,000 operators in Germany are affected.

What is the difference between the KRITIS Umbrella Act and NIS2?

NIS2 governs digital cybersecurity (networks, IT systems, incident response). The KRITIS Umbrella Act addresses physical and organizational resilience (perimeter protection, BCM, personnel screening, crisis communication). Both laws can apply to the same company and are complementary.

What are the specific deadlines?

Mandatory registration with the BBK must be completed by July 17, 2026. Risk assessments and resilience plans must follow afterward. Initial BBK audits are planned from 2027 onward. Exact deadlines for individual measures will be defined in the implementing ordinance.

What happens for violations of the KRITIS Umbrella Act?

Fines of up to 10 million Euro are possible. In addition, management is personally liable for compliance. The BBK may conduct audits and order corrective actions for deficiencies.

How do the KRITIS Umbrella Act and DORA relate?

DORA (Digital Operational Resilience Act) applies as lex specialis to the financial sector, addressing digital operational resilience. The KRITIS Umbrella Act may additionally apply if a financial institution is classified as a KRITIS operator – such as systemically important banks or exchange infrastructure. In such cases, both regulations must be fulfilled simultaneously.


Header Image Source: Pexels / Markus Spiske


About the author: Tobias Massow

A magazine by Evernine Media GmbH