THREAT BRIEFING · 15.07.2026 DEENFRES

Strategy & Governance

Weakest Supplier Opens Critical Facility

By Benedikt Langer · July 11, 2026 · 9 min read

A maintenance technician with a factory ID and remote access is not a guest at a substation or wastewater treatment plant. They are part of the attack surface. Since March 17, 2026, the KRITIS umbrella law has made this view mandatory: Anyone operating a critical infrastructure is responsible for the reliability of their suppliers, just like their own.

Key Takeaways

  • New framework for the physical side. The KRITIS umbrella law implements the EU CER directive and regulates the resilience of critical infrastructures at a federal level for the first time. It complements the IT obligations from NIS2 without replacing them.
  • The supplier is within the scope. Suppliers and service technicians with physical or digital access are subject to the same integrity and reliability requirements as their own employees.
  • The deadline starts in July. From July 17, 2026, operators will register on the joint platform of the BBK (Federal Office of Civil Protection and Disaster Assistance) and the BSI (Federal Office for Information Security), at the latest three months after being classified as a critical infrastructure.
  • Control instead of snapshot. A one-time supplier audit does not close the vector. Access, access rights, contracts, and restarts must continuously include the supply chain.

Related: The Cyber Resilience Act also affects your inventory  ·  Five key figures that the supervisory board really understands

What the Critical Infrastructure Protection Act Changes in the Supply Chain

The KRITIS Protection Act has been in effect since March 17, 2026. The cabinet had decided on it on January 29, and the Federal Council agreed. Legally, it implements the EU Directive 2022/2557 on the resilience of critical infrastructure, also known as the CER Directive. This creates a nationwide, cross-sectoral framework for the physical protection and resilience of critical facilities for the first time.

Important for classification: The law is the physical complement to the IT side, which is covered by NIS2 and the BSIG (Federal Office for Information Security). Around 1,300 operators fall under the scope of the CER logic and must in the future fulfill reporting obligations, provide business continuity management, demonstrate physical security and personnel reliability, and operate a robust crisis management system. The supply chain is included in each of these areas, not as an appendix, but as part of the facility.

The CER Directive consciously thinks of resilience in a broad sense. It does not only mean cyberattacks, but also failures in general: through sabotage, through a natural event, through the loss of a supplier, or through a combination of these. At this point, the physical world meets the digital world. A manipulated remote maintenance access is a cyber incident with physical effects, and a cut cable is a physical incident with digital effects. The operator must know both chains, as both ultimately lead to a supplier.

July 17

Start of registration on the platform of BBK (Federal Office of Civil Protection and Disaster Assistance) and BSI (Federal Office for Information Security) (2026)

1,300

Operators within the scope of the CER implementation

3 months

Deadline for registration after being classified as a critical facility

The Supplier Suddenly Falls Under the Scope

The sentence that separates procurement from security is eliminated with the umbrella legislation. Suppliers and service technicians with physical or digital access to a critical facility are subject to the same integrity and reliability requirements as internal employees. The remote maintenance access of a manufacturer, the technician in the control room, the cloud service behind the process control system: all three are, from the facility’s perspective, insider-near, not external.

For operators, this shifts a responsibility. Previously, the service provider was a procurement issue with a framework contract. Now, it is a security issue with access control, access rights, background checks, and a clear understanding of who was in which system at what time. Anyone who delegates this responsibility to the supplier and leaves it there has not fulfilled it.

Definition · Critical Facility

A facility whose failure would significantly disrupt the supply of essential services to the population, such as energy, water, healthcare, or transportation. The umbrella legislation makes its resilience an operator’s obligation and draws its suppliers into the same obligation.

Why an Audit List Doesn’t Close the Vector

A supplier can be thoroughly vetted, approved, and checked off, yet still leave the system vulnerable. The remote maintenance channel remains in place, the technician’s laptop moves from customer to customer, and the subcontractor may not even be mentioned in the contract. A snapshot in the procurement process fails to capture any of these states, creating a false sense of security and merely checking a box in the table.

True resilience is only achieved when access is continuously managed. This includes implementing least privilege for external parties, time-limited access, logged remote maintenance, and an incident reporting chain that kicks in even when the incident originates with the service provider. This is not a one-time project, but an ongoing operational mode.

The channel doesn’t end with the direct supplier, either. Their own cloud provider, remote maintenance platform, and subcontractors extend the chain with links that often aren’t even included in the contract. Those who only scrutinize the contractual partner see the risk ending one level too soon. For critical systems, it’s precisely this hidden depth of the supply chain where reliability on paper and actual operational reliability diverge.

Responsibility Remains at the Top

The umbrella legislation addresses operators, not their service providers. This direction is intentional. The responsibility for the resilience of a critical facility lies with its management and cannot be transferred by contract. An operator can purchase services, but they cannot buy liability for their security with it.

For management, this means a duty to provide evidence. They must be able to demonstrate that supplier risks have been identified, assessed, and controlled. A register that documents this review makes all the difference in a serious case between proven due diligence and an open accusation. The regulatory authority will not ask whether a service provider has failed, but rather whether the operator had them under control.

What Operators Must Regulate in the Supply Chain Now

The first step is straightforward: creating an honest map of who has physical or digital access to the facility from the outside. This yields five levers that the law demands.

The deadline is not a mere formality.

17. März 2026
KRITIS umbrella law comes into effect
17. Juli 2026
Registration on the BBK and BSI platform begins
+3 Monate
Registration requirement after being classified as a critical facility

The three months may seem like a buffer. In practice, the time passes with what was previously lacking: a complete picture of one’s own suppliers. Those who do not have this map today should create it before the deadline, not afterwards.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

What does the KRITIS umbrella law regulate?

It implements the EU CER (Critical Entities Resilience) Directive and creates a nationwide framework for the physical resilience of critical infrastructure: reporting requirements, Business Continuity Management, physical security, personnel reliability, and crisis management. The IT obligations under NIS2 (Network and Information Security 2) remain unaffected by this.

When are operators required to register?

Registration on the joint platform of BBK (Federal Office of Civil Protection and Disaster Assistance) and BSI (Federal Office for Information Security) will be possible starting July 17, 2026. It will become mandatory at the latest three months after being classified as a critical infrastructure.

Do suppliers really fall under the same requirements?

Suppliers and service technicians with physical or digital access to the facility are subject to the same integrity and reliability requirements as internal employees. The operator remains responsible, even if they have outsourced the service.

How does the DACH-specific “Dachgesetz” (Roof Act) relate to NIS2, the European Union’s Network and Information Security Directive?

NIS2 and the BSI Act (Federal Office for Information Security Act) cover IT security, while the Umbrella Act (Dachgesetz) addresses the physical aspect and organizational resilience. For many operators, both regimes apply in parallel. They should be considered as one governance system, rather than two separate projects.

What is the first concrete step?

A comprehensive directory of all external personnel with access to the facility, including sub-contractors. Without this register, it is not possible to properly manage contracts, control access, or regulate authorization.

Editor’s Picks

Editor’s PickSupply Chain Risk Is a Program, Not an Audit ChecklistEditor’s PickWhat Management Must Document Under NIS2Editor’s PickWhich CISO Decision Rights Must Be Set Out in Writing

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Further reading

News · July 2, 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

A magazine by Evernine Media GmbH