Key Takeaways<\/p>\n
- \n
- New legal framework since March 2026:<\/strong> The KRITIS umbrella law implements the EU Directive 2022\/2557 (CER) and obliges operators in ten sectors to physical resilience, from risk analysis to incident reporting.<\/li>\n
- Two pillars, one risk model:<\/strong> Cybersecurity according to the BSI Act and physical protection according to the umbrella law are interlinked. Those who manage both separately overlook the attacks that target exactly the seam.<\/li>\n
- The threshold is disputed:<\/strong> The standard threshold of 500,000 served inhabitants per facility is considered too high by many countries. Those just below it still check their own criticality, as it can also be determined independently of the threshold.<\/li>\n<\/ul>\n<\/div>\n
Related:<\/span>Zero Trust for Energy Suppliers<\/a> \/<\/span> DORA and NIS2 in Double Audit<\/a><\/p>\n
What the KRITIS Umbrella Law Demands from Operators<\/h2>\n
What is the KRITIS umbrella law?<\/strong> The KRITIS umbrella law is the first uniform federal legal framework for the physical protection of critical infrastructures in Germany. It implements the European CER Directive 2022\/2557 and obliges operators in ten sectors, including energy, water, healthcare, food supply, and transportation, to uniform minimum standards for the resilience of their facilities.<\/p>\n
Concretely, this means: affected operators must register with the competent authority, regularly conduct a risk analysis and risk assessment, implement technical and organizational resilience measures, and report significant disruptions. The specific design of individual procedures will be specified through subsequent ordinances. The classification is based on a standard threshold of 500,000 served inhabitants per facility. However, criticality can also be determined below this threshold if the failure would endanger a critical service.<\/p>\n
The parliamentary process was short and intense. The Bundestag passed the law on January 29, 2026, the Bundesrat approved it on March 6, and it was published in the Federal Law Gazette on March 16. Operators therefore have less time to prepare than the multi-year discussion might have suggested.<\/p>\n
Two pillars that belong together<\/h2>\n
For those responsible for security, the actual innovation is not the physical regulatory framework itself, but its coupling to the existing cyber regime. As a large EU country, Germany is developing both pillars in parallel. Both are aimed at the same facility.<\/p>\n
\n\n\n
\n \nDimension<\/th>\n BSI Act (Cyber)<\/th>\n KRITIS Umbrella Act (Physical)<\/th>\n<\/tr>\n<\/thead>\n \n Protected asset<\/strong><\/td>\n IT systems and networks<\/td>\n Buildings, facilities, and operations<\/td>\n<\/tr>\n \n EU basis<\/strong><\/td>\n NIS2 Directive<\/td>\n CER Directive 2022\/2557<\/td>\n<\/tr>\n \n Core obligation<\/strong><\/td>\n Cyber risk management, reporting obligation<\/td>\n Physical resilience, risk analysis, reporting obligation<\/td>\n<\/tr>\n \n Typical lead responsibility<\/strong><\/td>\n BSI<\/td>\n BBK<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n An attacker who wants to disable a substation does not ask whether the vulnerability lies in the firewall or in the door lock. This is precisely why the new law requires a common situation picture. The risk analysis under the umbrella law and the risk management under the BSI Act should access the same threat modeling instead of being conducted separately in two departments.<\/p>\n
![\"Substation](\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/st-17945-kritis-umspannwerk.jpg\")
Critical infrastructure like a substation requires both physical and digital protection. Image: Pexels \/ Kris M\u00f8klebust<\/em><\/figcaption><\/figure>\n Where the law remains vulnerable<\/h2>\n
The regulatory framework also deserves a critical look. The threshold of 500,000 inhabitants served was criticized in the process because it leaves the classification of smaller but regionally indispensable suppliers unclear. Several countries considered it too high. Since criticality can also be established below the regular threshold, a gray area is created for some smaller suppliers in which they must reliably assess and document their own affectedness.<\/p>\n
In addition, there is the question of responsibility. Expert observers and voices from the parliamentary process criticize that the division of tasks between BBK for physical protection, BSI for cybersecurity, and the Federal Ministry of the Interior is not always clearly regulated. For operators, this means they should clarify early on which authority is their contact in the event of an incident.<\/p>\n
What Security Managers Need to Address in the Next 90 Days<\/h2>\n
From a logical perspective, the law provides a tight starting point that doesn’t require a large budget and sets the right course.<\/p>\n
\nThree Steps for the Next Quarter<\/div>\n\n\n1<\/div>\nClarify Impact.<\/strong> Based on the threshold and sector classification, check if your facilities fall under the umbrella law; in borderline cases, document and justify the criticality.<\/div>\n<\/div>\n\n2<\/div>\nCombine Risk Picture.<\/strong> Establish a common threat modeling for physical risk analysis and cyber risk management to make combined attacks visible.<\/div>\n<\/div>\n\n3<\/div>\nDefine Reporting Channels.<\/strong> Determine in advance which authority is responsible in the event of an incident, and then simulate the reporting process in a tabletop exercise.<\/div>\n<\/div>\n<\/div>\n<\/div>\nThis approach keeps the effort manageable and turns obligation into a robust plan. Those who now integrate the two regimes have a clear reporting channel and a common situation picture in the event of the first reported incident.<\/p>\n
Frequently Asked Questions<\/h2>\n
What is the difference between NIS2 and the KRITIS Umbrella Law?<\/h3>\n
NIS2 and its German implementation in the BSI Act regulate the cybersecurity of critical facilities. The KRITIS Umbrella Law implements the CER Directive and regulates the physical protection and general resilience of the same facilities. Both apply in parallel and intersect for many operators.<\/p>\n
When does the KRITIS Umbrella Law come into effect?<\/h3>\n
The law was announced in the Federal Law Gazette on March 16, 2026, and entered into force on March 17, 2026. The Bundestag had passed it on January 29, 2026, and the Bundesrat approved it on March 6, 2026.<\/p>\n
Which sectors are affected?<\/h3>\n
The law covers ten sectors with critical infrastructures, including energy, water, healthcare, food supply, transport, and traffic. The decisive factor is whether a facility provides a critical service for the population’s supply.<\/p>\n
What does the threshold of 500,000 inhabitants mean?<\/h3>\n
The standard threshold applies: a facility must supply at least 500,000 people. Facilities above this threshold usually fall under the law. However, criticality can also be established below this threshold, which is why smaller operators should also check their classification.<\/p>\n
Who is responsible for implementation?<\/h3>\n
For physical protection, the Federal Office for Civil Protection and Disaster Assistance is usually responsible, while the BSI is responsible for cybersecurity. The exact demarcation between the authorities is disputed in the expert community, which is why operators should clarify their specific contact person early on.<\/p>\n
What penalties are threatened in the event of violations?<\/h3>\n
The law provides for fines for breaches of duty, such as missing registration or failure to report. The specific amount depends on the individual case and the type of violation, which is why operators should take the obligation to provide evidence seriously from the outset.<\/p>\n
Editor’s Reading Tips<\/h3>\n
- Two pillars, one risk model:<\/strong> Cybersecurity according to the BSI Act and physical protection according to the umbrella law are interlinked. Those who manage both separately overlook the attacks that target exactly the seam.<\/li>\n