Skip to main content

KRITIS Framework Act

|articles

15 min

KRITIS Framework Act: What Critical Infrastructure Operators Need to Know Now

On September 10, 2025, the Federal Cabinet approved the draft bill for the KRITIS Framework Act; on January 29, 2026, it passed the German Bundestag; and on March 6, 2026, the Bundesrat also approved the KRITIS Framework Act. It officially entered into force on March 16, 2026, and was published in the Federal Law Gazette. With this, Germany is implementing EU Directive 2022/2557 on the resilience of critical infrastructure (CER Directive). The goal is to establish a uniform national framework to better protect operators of critical infrastructure against disruptions, attacks, and disasters.

Critical infrastructure (KRITIS) refers to all facilities and systems that are indispensable to the functioning of the state, the economy, and society—ranging from energy and water supply to healthcare, transportation, and digital networks. If one of these structures fails, it can have serious consequences for public safety, the supply of essential services to the population, and economic life.

The CER Directive has been required to be transposed into national law since October 17, 2024. Germany had initially missed this deadline. With the Umbrella Act for Critical Infrastructure Protection (KRITIS) , this transposition has now been completed.

The Significance of the KRITIS Framework Act for Security of Supply and Resilience

The KRITIS Framework Act closes a gap: While NIS-2 focuses on cybersecurity, this law primarily addresses the physical resilience of critical facilities using an all-hazards approach. The all-hazards approach means that all types of hazards and threats that could impair the functionality of critical infrastructure must be taken into account, regardless of their cause or trigger. The aim, therefore, is not merely to consider individual scenarios (e.g., cyberattacks) in isolation, but to incorporate the entire spectrum of potential disruptions into the risk analysis.

This applies not only to IT systems but also to buildings, personnel, logistics, and supply chains. In this way, the law helps strengthen the government’s security architecture and makes requirements for operators more transparent and consistent.

 

Which sectors and operators fall under the KRITIS Framework Act?

The bill identifies sectors that are designated as critical sectors. Additional sectors may be added by regulation if they are essential to security of supply. The defined sectors are: 

  • Energy

  • Transportation and Traffic

  • Finance

  • Social security benefits and basic income support for job seekers

  • Health care

  • Water

  • Food

  • Information technology and telecommunications

  • Space

  • Municipal waste management

 

At what point is a facility considered critical?

Facilities are considered critical if they provide essential services to more than 500,000 people. In addition, facilities that are smaller but systemically important due to their function may be included. Operators must register and establish a point of contact that can be reached at any time.

 

Exceptions and Special Provisions

The KRITIS Framework Act generally applies to all operators of critical infrastructure in the defined sectors. However, the current draft also provides for exceptions and special provisions. For example, certain sectors such as finance and insurance are primarily subject to the European DORA Regulation, while parts of the information and telecommunications infrastructure, as well as waste management and social security, are subject to only limited regulation. Special rules also apply to the federal administration: agencies that perform tasks exclusively in the areas of national security, defense, or law enforcement are largely exempt. These differentiated regulations are intended to avoid overlaps and take existing sector-specific laws into account.

An Overview of Key Obligations Under the KRITIS Framework Act

  • Risk Analyses and Resilience Plans: Operators must conduct regular risk analyses that take into account all threats, ranging from natural disasters and terrorist attacks to supply chain disruptions. Based on these analyses, a resilience plan must be developed that combines technical, organizational, and structural measures.

  • Physical and Organizational Security Measures: Structural protective measures, access controls, protection of critical plant components, and staff training and awareness programs are required. The goal is to implement both preventive protective measures and emergency preparedness measures.

  • Reporting Requirements for Disruptions and Crises: Significant disruptions must be reported immediately. As a general rule, an initial report must be submitted within 24 hours, and a full report within one month. This is intended to enable authorities to respond at an early stage.

  • Supervision, Registration, and Points of Contact: The Federal Office for Civil Protection and Disaster Assistance (BBK) assumes central oversight in cooperation with the BSI and sector-specific supervisory authorities. Operators must register and establish a point of contact that is available at all times. Violations are subject to fines.

 

Management's Responsibility

Particular emphasis should be placed on the personal responsibility of management. According to Section 20 of the draft, managing directors and board members must ensure that resilience measures are implemented within the company. This includes establishing appropriate organizational structures, clearly assigning responsibilities, and monitoring compliance. Breaches of duty may result not only in fines for the company but also in liability for management under corporate law or special statutory provisions.

 

Documentation and Audit Requirements

In the future, operators must demonstrate that they have implemented the required risk analyses and resilience measures. This includes documentation in the form of resilience plans, which must be submitted upon request by the regulatory authorities. The Federal Office for Civil Protection and Disaster Assistance (BBK) and other competent authorities may review this documentation, order audits, and, if necessary, conduct on-site inspections. Different requirements apply to the energy sector: Here, the Energy Industry Act (EnWG) is supplemented by corresponding documentation requirements. In general, the regulatory authority takes a risk-based approach, under which operators at particularly high risk are subject to more intensive monitoring.

 

Timeline: Deadlines and Transitional Provisions for Operators

The CER Directive entered into force at the EU level on January 16, 2023. The deadline for transposition into national law, which was October 17, 2024, was not met by Germany. With the delayed, but now completed, national implementation of the CER Directive through the KRITIS Framework Act, the focus for operators of critical infrastructure has shifted significantly: away from regulatory monitoring and toward concrete implementation. What is crucial now are robust resilience measures, clear responsibilities, and transparent documentation of the precautions taken.

 

Specific implementation deadlines for operators

In addition to the general CER implementation deadline, the KRITIS umbrella law also provides for detailed transition periods:

  • Registration as an operator: within three months after the facility is designated as critical, but no earlier than June 17, 2026

  • Risk analysis: no later than nine months after registration

  • Resilience measures, resilience plan, and reporting requirements: no later than ten months after registration 

 

Which government agencies oversee implementation?

Oversight of the KRITIS Framework Act is shared among several entities and follows a federal oversight structure. The goal is to consolidate responsibility on a sector-by-sector basis while ensuring national coordination.

This results in a multi-tiered system in which the BBK and the BSI ensure overarching coordination, while specialized and state authorities assume oversight in their respective areas. For operators, this means that, depending on their industry and location, they must adapt to different oversight channels.

Interaction with NIS-2 and Practical Implications for Operators

 

 

While the NIS 2 Directive primarily regulates the security of network and information systems—and thus focuses on protection against cyberattacks, IT outages, and data manipulation—the KRITIS umbrella law takes a different approach. It supplements the purely digital perspective with binding requirements for the physical resilience of critical infrastructure. These include structural protective measures, access controls, organizational precautions, and emergency plans designed to ensure that critical services can be maintained even in the event of natural disasters, sabotage, or supply shortages.

For many operators, this means that in the future they will have to comply with multiple regulatory frameworks simultaneously: NIS-2 for the digital sector, the KRITIS umbrella law for physical protection, and—depending on the sector—other laws such as the DORA Regulation for financial institutions or the Energy Industry Act (EnWG) for operators in the energy sector. This is precisely why it is crucial to leverage synergies between the various requirements. An integrated approach prevents duplication of effort and increases efficiency. For example, information security management systems (ISMS), which are required under NIS 2 anyway, can be combined with the requirements for risk analyses, resilience plans, and reporting processes from the KRITIS Framework Act. This creates a holistic security and resilience management framework that addresses digital, physical, and industry-specific risks collectively while simultaneously simplifying the process of providing evidence to regulatory authorities.

With the KRITIS Framework Act, operators of critical infrastructure face not only increased regulatory requirements at the overarching level. §13 is particularly relevant for practical implementation, as this section specifies the operational resilience obligations. It makes it clear that physical protection, monitoring, detection, responsiveness, and documented contingency planning are no longer optional individual measures, but rather integral components of a systematic approach to resilience.

§ 13 KRITIS Framework Act: What Operators Need to Do Now in Practice

§ 13 of the KRITIS Framework Act specifies the resilience obligations of operators of critical infrastructure. Operators must take measures to prevent incidents, provide adequate physical protection for critical infrastructure and facilities, respond effectively to disruptions, and quickly restore the affected critical service following an incident. The measures must be risk-based, proportionate, and state-of-the-art. They are based on national risk analyses as well as the operator’s individual risk analysis. The specific measures required therefore depend on the risk, the criticality of the facility, and the economic conditions.

§ 13 specifically lists the following: emergency preparedness, structural, technical, and organizational security measures, surveillance of the surrounding area, detection devices, access controls, risk and crisis management procedures, procedures in the event of an alarm, measures to maintain operations, and precautions to ensure a faster resumption of service. Security management for employees and external service providers, as well as training and drills, are also explicitly included in the requirements.

Another key requirement is the resilience plan. Operators must document, implement, and regularly update their measures. The plan must clearly explain the risk considerations on which the measures are based and how they contribute to the resilience of the critical facility.

The requirements explicitly listed in § 13 regarding physical security, monitoring, detection, and response capabilities are therefore particularly relevant for technical solutions.

 

PHYSEC SEAL in the Context of the KRITIS Framework Act

 

PHYSEC SEAL helps operators of critical infrastructure monitor the physical integrity of facilities and components, detect tampering at an early stage, and document security-related events in a traceable manner. In doing so, the solution specifically addresses requirements that are particularly relevant in the context of the KRITIS umbrella law: monitoring, detection, and traceability.

SEAL is not an isolated standalone system, but rather a complementary component within a holistic security architecture. While traditional systems control access to facilities or secure the surrounding environment, SEAL adds an additional layer: the integrity verification of the critical infrastructure itself. This makes security-related changes visible in areas where conventional protection systems often lack sufficient transparency.

 

  • Monitoring of Critical Assets and Environments: Manual monitoring alone is time-consuming, especially for distributed, decentralized, or hard-to-access facilities. SEAL enables continuous or condition-based monitoring, thereby providing greater transparency into the actual security status.

  • Detection of Physical Tampering: A key strength of SEAL lies in the early detection of physical tampering, unauthorized access, and security-related changes. This closes a security gap that often persists between traditional physical security and IT security monitoring.

  • Audit-Ready Event Logging: For operators, it is not only crucial that an incident be detected, but also that it can be documented in a traceable manner. SEAL supports this with time-stamped, audit-ready event and status logging, thereby improving the ability to provide evidence to auditors, inspection bodies, and regulatory authorities.

 

Where additional measures are still needed

PHYSEC SEAL specifically addresses requirements related to surveillance, tamper detection, and auditability. Other mandatory areas of the KRITIS umbrella law must still be implemented through supplementary technical and organizational measures. These include, in particular, access control and identity verification, structural and perimeter security, business continuity management, organizational risk management, as well as supply chain, human resources, and training processes.

SEAL is therefore not a substitute for comprehensive KRITIS resilience management, but rather a specialized component that supplements a level of physical security that has often been inadequately addressed to date.

Recommendations for Operators: These Steps Are Crucial Now

  1. Start a gap analysis: The first step should be a systematic assessment of the current situation. What structures, processes, and protective measures are already in place, and in which areas are there discrepancies with the requirements of the CER Directive and the KRITIS Framework Act? This also includes analyzing existing documentation, emergency and crisis plans, and internal responsibilities. A gap analysis provides clarity on what needs to be done and helps set priorities.

  2. Update risk assessments: Operators should not limit their risk analyses to traditional threats such as natural disasters or technical failures, but should also take into account dependencies on third-party providers and supply chains. Especially in the energy and water supply sectors, external partners or subcontractors can represent critical vulnerabilities. A robust risk analysis should integrate physical, digital, and organizational risks.

  3. Developing the Resilience Plan for Operational Implementation: Based on the risk assessment, the resilience plan should be refined and put into practice. It is crucial that technical, structural, and organizational measures are not only documented but also supported by defined responsibilities, procedures, and evidence. The resilience plan should thus serve both as an internal management tool and as a robust foundation for interactions with regulatory authorities.

  4. Practice reporting processes: Reporting requirements stipulate short deadlines. Operators should simulate these processes in advance so that information can be collected, assessed, and disseminated in a timely manner in the event of an incident. It is advisable to conduct test runs that cover both technical procedures and organizational aspects such as alerting, escalation, and responsibilities.

  5. Establish implementation and legal monitoring: The KRITIS Framework Act has now been enacted, approved by the Bundesrat, and has been in effect since March 17, 2026. For operators, the focus is therefore no longer on monitoring the parliamentary process, but rather on the concrete implementation and ongoing monitoring of further detailed regulations, deadlines, clarifications, and industry-specific requirements. Continuous monitoring of legal developments and implementation helps keep measures up to date and ensure that new requirements are addressed early on. 

    Arrange a non-binding consultation now.

FAQ on the KRITIS Framework Act – Brief Answers to the Most Important Questions

The KRITIS Framework Act is a law implementing the EU CER Directive that establishes nationwide minimum standards for the protection of critical infrastructure.

 

The draft bill defines ten sectors: energy, transportation, finance, social security benefits and basic income support for job seekers, health care, water, food, information technology and telecommunications, space, and municipal solid waste management.

 

Operators of critical infrastructure are defined as companies that provide essential services and serve more than 500,000 people, or that are systemically important due to their function.

 

These obligations include risk assessments, resilience plans, physical security measures, reporting requirements, registration, and cooperation with supervisory audits.

 

To date, there is still no uniform, nationwide legal framework for physical protection. Instead, regulations vary widely across individual sectors. The KRITIS Framework Act closes this gap by establishing, for the first time, cross-sector and binding requirements for the physical protection of critical infrastructure. It supplements the existing provisions of the BSI Act—which have thus far focused primarily on IT security—by addressing key aspects of resilience.

 

The Federal Office for Civil Protection and Disaster Assistance (BBK) is responsible for central coordination. The Federal Office for Information Security (BSI) and other sector-specific regulatory agencies support and monitor implementation within their respective areas of responsibility.

 

Failure to comply with these obligations may result in fines, the amount of which depends on the severity of the violation. In addition, official orders and restrictions on operations may be imposed.

 

Companies classified as operators of critical infrastructure must register with the federal government within three months of being identified as a critical facility. For more information on registration, please refer to the PDF provided by the BSI: https://mip2.bsi.bund.de/en/media/flatpages/KRITIS-Registrierung.pdf

 

Back