20 June 2026

KRITIS-Dachgesetz: When Resilience Becomes a CISO’s Mandatory Duty


As of March 17, 2026, the KRITIS umbrella law has come into effect. For the first time, uniform federal minimum standards apply to the physical protection of critical facilities, parallel to the cyber regime of the BSI Act. For CISOs, this means a shift: resilience can no longer be divided into an IT column and a building column.

Key Takeaways

  • New legal framework since March 2026: The KRITIS umbrella law implements the EU Directive 2022/2557 (CER) and obliges operators in ten sectors to ensure physical resilience, from risk analysis to incident reporting.
  • Two pillars, one risk model: Cybersecurity according to the BSI Act and physical protection according to the umbrella law are interlinked. Those who manage both separately overlook the attacks that target exactly the seam.
  • The threshold is disputed: The standard threshold of 500,000 served inhabitants per facility is considered too high by many federal states (Länder). Operators just below it should still check their own criticality, since it can also be determined independently of the threshold.


What the KRITIS Umbrella Law Demands from Operators

What is the KRITIS umbrella law? It is the first uniform federal legal framework for the physical protection of critical infrastructures in Germany. It implements the European CER Directive 2022/2557 and obliges operators in ten sectors, including energy, water, healthcare, food supply, and transportation, to meet uniform minimum standards for the resilience of their facilities.

Concretely, this means: affected operators must register with the competent authority, regularly conduct a risk analysis and risk assessment, implement technical and organizational resilience measures, and report significant disruptions. The specific design of individual procedures will be specified through subsequent ordinances. The classification is based on a standard threshold of 500,000 served inhabitants per facility. However, criticality can also be determined below this threshold if the failure would endanger a critical service.

The parliamentary process was short and intense. The Bundestag passed the law on January 29, 2026, the Bundesrat approved it on March 6, and it was published in the Federal Law Gazette on March 16. Operators therefore have less time to prepare than the multi-year discussion might have suggested.

Two pillars that belong together

For those responsible for security, the actual innovation is not the physical regulatory framework itself, but its coupling to the existing cyber regime. As a large EU country, Germany is developing both pillars in parallel. Both are aimed at the same facility.

Dimension                   | BSI Act (Cyber)                              | KRITIS Umbrella Act (Physical)
Protected asset             | IT systems and networks                      | Buildings, facilities, and operations
EU basis                    | NIS2 Directive                               | CER Directive 2022/2557
Core obligation             | Cyber risk management, reporting obligation  | Physical resilience, risk analysis, reporting obligation
Typical lead responsibility | BSI                                          | BBK

An attacker who wants to disable a substation does not ask whether the vulnerability lies in the firewall or in the door lock. This is precisely why the new law requires a common situation picture. The risk analysis under the umbrella law and the risk management under the BSI Act should access the same threat modeling instead of being conducted separately in two departments.

[Image: Substation with high-voltage lines as critical infrastructure. Caption: Critical infrastructure like a substation requires both physical and digital protection. Image: Pexels / Kris Møklebust]

Where the law remains vulnerable

The regulatory framework also deserves a critical look. The threshold of 500,000 inhabitants served was criticized during the legislative process because it leaves the classification of smaller but regionally indispensable suppliers unclear. Several federal states (Länder) considered it too high. Since criticality can also be established below the regular threshold, some smaller suppliers end up in a gray area in which they must reliably assess and document their own affectedness.

In addition, there is the question of responsibility. Expert observers and voices from the parliamentary process criticize that the division of tasks between BBK for physical protection, BSI for cybersecurity, and the Federal Ministry of the Interior is not always clearly regulated. For operators, this means they should clarify early on which authority is their contact in the event of an incident.

What Security Managers Need to Address in the Next 90 Days

In practical terms, the law suggests a tight starting programme that does not require a large budget and still sets the right course.

Three Steps for the Next Quarter

1. Clarify Impact. Based on the threshold and sector classification, check whether your facilities fall under the umbrella law; in borderline cases, document and justify the criticality.
2. Combine Risk Picture. Establish a common threat modeling for physical risk analysis and cyber risk management to make combined attacks visible.
3. Define Reporting Channels. Determine in advance which authority is responsible in the event of an incident, and then simulate the reporting process in a tabletop exercise.

This approach keeps the effort manageable and turns obligation into a robust plan. Those who now integrate the two regimes have a clear reporting channel and a common situation picture in the event of the first reported incident.

Frequently Asked Questions

What is the difference between NIS2 and the KRITIS Umbrella Law?

NIS2 and its German implementation in the BSI Act regulate the cybersecurity of critical facilities. The KRITIS Umbrella Law implements the CER Directive and regulates the physical protection and general resilience of the same facilities. Both apply in parallel and intersect for many operators.

When does the KRITIS Umbrella Law come into effect?

The law was announced in the Federal Law Gazette on March 16, 2026, and entered into force on March 17, 2026. The Bundestag had passed it on January 29, 2026, and the Bundesrat approved it on March 6, 2026.

Which sectors are affected?

The law covers ten sectors with critical infrastructures, including energy, water, healthcare, food supply, transport, and traffic. The decisive factor is whether a facility provides a critical service for the population’s supply.

What does the threshold of 500,000 inhabitants mean?

The standard threshold applies: a facility must supply at least 500,000 people. Facilities above this threshold usually fall under the law. However, criticality can also be established below this threshold, which is why smaller operators should also check their classification.

Who is responsible for implementation?

For physical protection, the Federal Office for Civil Protection and Disaster Assistance is usually responsible, while the BSI is responsible for cybersecurity. The exact demarcation between the authorities is disputed in the expert community, which is why operators should clarify their specific contact person early on.

What penalties are threatened in the event of violations?

The law provides for fines for breaches of duty, such as missing registration or failure to report. The specific amount depends on the individual case and the type of violation, which is why operators should take the obligation to provide evidence seriously from the outset.


Image source: AI-generated (June 2026)

About the author: Benedikt Langer


A magazine by Evernine Media GmbH