Following publication in the Federal Law Gazette on March 16, 2026, the umbrella act for critical infrastructure protection (“KRITIS Umbrella Act”, “KRITISDachG”) entered into force the following day. Germany has thereby implemented the Critical Entities Resilience (“CER”) Directive (EU) 2022/2557 with a delay of just under a year and a half. An earlier attempt at implementation failed due to the collapse of the traffic-light coalition and the resulting new elections, which caused the draft bill to fall victim to parliamentary discontinuity.
The KRITISDachG supplements the cybersecurity provisions in the NIS2 Implementation and Cybersecurity Strengthening Act (“NIS2UmsuCG”) with regulations on the physical protection of critical infrastructure, thereby establishing uniform federal minimum requirements for the first time. Following the attack on Berlin’s power infrastructure, the draft law became politically contentious. However, no significant changes were made compared to the previous government’s draft. The Federal Ministry of the Interior (“BMI”) estimates that approximately 1,700 critical facilities must meet all resilience requirements.
The KRITISDachG applies to operators of critical infrastructure in a defined set of sectors, including energy, transportation, healthcare, food supply, and information technology and telecommunications (Section 3(1) KRITISDachG). A critical facility is one that is essential for the provision of a critical service (Section 2(3) KRITISDachG), i.e., one whose failure or impairment would lead to significant supply bottlenecks or threats to public safety in the aforementioned sectors (Section 2(4) KRITISDachG).
The BMI determines by Statutory Instrument which critical services belong to the sectors (Section 4(3) KRITISDachG) and, by means of thresholds and reference dates, which facilities count as critical (Section 5(1) KRITISDachG). The standard threshold is 500,000 residents supplied by a facility (Section 5(2) sentence 2 KRITISDachG). During the legislative process, the federal states had attempted to lower this threshold to 150,000 residents.
The KRITISDachG lists various obligations for the affected companies without, however, specifying them in detail. Rather, the KRITISDachG contains a large number of authorizations for the issuance of Statutory Instruments intended to differentiate and specify these obligations. These instruments have not yet been issued.
Pursuant to Section 8 of the KRITISDachG, the operator of a critical infrastructure facility is required to register it via a platform jointly established by the Federal Office for Civil Protection and Disaster Assistance (“BBK”) and the Federal Office for Information Security (“BSI”). In accordance with the “once-only” principle, the BSI reporting portal, which is also used for the NIS2 Directive, must be used for this purpose. In particular, address and contact details must be provided. The deadline for registration is July 17, 2026.
Whenever necessary, and in any case at least every four years, the facility operator must conduct a risk analysis. In doing so, the operator must consider the Federal Government’s national risk analysis and assessment, as well as extreme events, hybrid threats, and dependencies on other critical services (Section 12(1) KRITISDachG). The BMI may issue substantive and methodological regulations regarding the preparation of the analysis (Section 12(3) KRITISDachG). The first risk analysis must be conducted no later than nine months after registration (Section 8(7) KRITISDachG).
Based on the risk analyses, the facility operator must implement all proportionate technical, security-related, and organizational measures within ten months of registration to prevent incidents from occurring and to ensure adequate physical protection of the property/facility (Section 13(1) and (2) of the KRITISDachG). The operator must set forth and implement these measures in a resilience plan (Section 13(4), sentence 1, KRITISDachG). A resilience plan template is to be published by the BBK (Section 13(5) KRITISDachG). As of March 24, 2026, this has not yet occurred.
The Federal Government is authorized to define cross-sectoral and sector-specific minimum requirements by Statutory Instrument and thereby specify the resilience obligations (Section 14(1) and (3) KRITISDachG). Upon request, the BSI determines the suitability of industry-specific resilience standards for specifying the resilience obligation and subsequently publishes them (Section 14(2) KRITISDachG).
Incidents must be reported by the operator within 24 hours via the joint reporting center of the BBK and the BSI. The report must contain the information available at the time of reporting that is necessary to determine the nature, cause, and possible effects of the incident. The BBK establishes the details of the reporting procedure. The reporting obligation takes effect ten months after registration.
In line with the provisions of the NIS2UmsuCG, the responsibility for implementing resilience measures and ensuring their execution lies with company management. The management is liable to the company for this. Unlike the NIS2UmsuCG, the KRITISDachG does not explicitly require management to participate in regular training sessions.
Section 24 of the KRITISDachG implements Article 22 of Directive (EU) 2022/2557. In the event of violations, fines ranging from 50,000 euros to 1 million euros may be imposed, depending on the nature of the administrative offense.
As an “umbrella law”, the KRITISDachG merely establishes a general framework for the compliance obligations of facility operators, which will be further specified by Statutory Instruments. Companies should nevertheless begin assessing now whether they are affected. If so, preparations should be made to implement the due diligence obligations, such as compiling the registration data, establishing risk analysis processes, and drafting the resilience plan.