In November, the German government passed the KRITIS-DachG. Once it comes into force, operators of critical infrastructures will be subject to new regulations. They must register with the BBK and BSI and take protective measures. The law sometimes affects unexpected sectors and also harbors the potential for regulatory overlaps.
In Germany, critical infrastructures from power supply to water supply and communication networks are crucial to daily life and the functioning of society. In order to protect these infrastructures from increasing threats, for example, from acts of sabotage, terrorist attacks or climate change, the KRITIS umbrella law (law implementing Directive (EU) 2022/2557 and strengthening the resilience of critical facilities) was introduced.
But what exactly does the law regulate? Who is affected and what do companies need to do now in order to meet the new requirements? In this article, we take a look at the KRITIS-DachG’s key aspects and provide practical answers to important central questions.
The German government passed the KRITIS-DachG in November in order to strengthen the protection and resilience of critical infrastructures in Germany. Critical infrastructures are facilities whose disruption or destruction could have a serious impact on society and the economy. These include energy supply, water supply, healthcare and public administration. As part of the law, operators of critical infrastructures are obliged, among other things, to ensure the physical security of their facilities. Operators must register on a joint platform of the Federal Office of Civil Protection and Disaster Assistance (“BBK”) and the Federal Office for Information Security (“BSI”) by July 2026. Furthermore, they must report any incidents immediately via the joint reporting office set up by these federal agencies.
A central component of the law is the “all-hazards approach”, which takes into account all conceivable risks – from natural disasters to terrorist attacks. Operators are obliged to draw up resilience plans in order to be able to act quickly in the event of disruptions.
Generally, all operators of facilities that are essential for public supply are affected. The exact classification is based on quantitative and qualitative criteria, such as the number of people supplied or the dependence of other sectors on a particular infrastructure. Specific threshold values will be defined in an ordinance yet to be issued.
Typically affected sectors include energy supply, water management, healthcare, transportation and traffic as well as IT and telecommunications infrastructure. It is not only the state that has a duty. Private companies, especially those that supply a large number of people or systemically relevant economic sectors, are affected as well.
Industries that are not considered “critical” at first glance may also be affected. These include, for example, large food producers or logistics companies that are responsible for a stable food supply or the movement of goods. Smaller infrastructure operators that play a key role in a particular sector must also ensure that they meet the requirements.
Critical infrastructure operators have until July 2026 to register.
Registration takes place on a joint platform of the BBK and the BSI. Operators of critical infrastructures must provide various details, such as
Attention! Violations of the registration obligations constitute an administrative offense and can be punished with a fine of up to EUR 500,000.
In addition, operators of critical entities are obliged to take measures to ensure resilience and to present these in a resilience plan. The resilience plan must set out the considerations on which the measures are based.
Companies are therefore advised to carry out a detailed inventory of their systems and their criticality in advance. This could involve obtaining technical reports or consulting risk management and IT security experts.
The measures to ensure functionality must meet the specific requirements of the respective sector. They must ensure that the infrastructure continues to function or can be restored as quickly as possible even in the event of disruptions.
The KRITIS-DachG does not mention specific measures, as the measures that are suitable for ensuring resilience can vary from sector to sector and from company to company.
Possible measures may include, for example:
Companies must prove that they have implemented suitable measures and regularly review their effectiveness. It is important that the measures are fully and comprehensibly documented. This is the basis for audits by supervisory authorities.
Operators must ensure that they properly document all measures taken. For example, they should be able to provide detailed records of
Insufficient documentation or missing evidence can lead to sanctions. Uncertainty may also arise when implementing security measures, as the legislator does not clearly define which standards are considered “suitable”. For operators of critical facilities, this creates pitfalls if they cannot provide sufficient evidence that their resilience measures are suitable. Companies should work proactively with experts in order to avoid mistakes.
The KRITIS umbrella law is not the only set of regulations in order to increase resilience that could affect companies. It is important to understand the interactions with other existing and upcoming regulations such as the NIS-2 Directive (Network and Information Security) and DORA (Digital Operational Resilience Act).
Companies must therefore keep an eye on potential regulatory overlaps and ensure that they meet all requirements.
A proactive approach is key to the successful implementation of measures
The KRITIS-DachG introduces new, cross-sector requirements for operators of critical infrastructures that require a comprehensive risk management strategy. Companies must prepare for the registration and implementation of protective measures in order to act in a legally compliant manner and avoid penalties.
A proactive approach to planning and implementing resilience measures is the key to efficiently meeting requirements and ensuring the long-term functionality of your own infrastructure.
At the same time, it is important to understand the interactions with other regulations such as NIS-2 and DORA in order to avoid redundant efforts and regulatory conflicts. Overlapping regimes are a challenge because companies must ensure that they meet the requirements of each of them. Companies are well advised to align their compliance strategy with these overlaps and seek legal advice. Please feel free to contact us.
Alexandra Sausmekat
Partner
Attorney-at-Law (Rechtsanwältin), Certified Tax Advisor
Michelle Reddiar, LL.M.
Senior Manager
Attorney-at-Law (Rechtsanwältin)