Strengthening the resilience of critical infrastructures: What companies need to know about the new KRITIS umbrella law
- 11/27/2024
- Reading time: 7 minutes
In November, the German government passed the KRITIS-DachG. Once it comes into force, operators of critical infrastructures will be subject to new regulations. They must register with the BBK and BSI and take protective measures. The law sometimes affects unexpected sectors and also harbors the potential for regulatory overlaps.
In Germany, critical infrastructures from power supply to water supply and communication networks are crucial to daily life and the functioning of society. In order to protect these infrastructures from increasing threats, for example, from acts of sabotage, terrorist attacks or climate change, the KRITIS umbrella law (law implementing Directive (EU) 2022/2557 and strengthening the resilience of critical facilities) was introduced.
But what exactly does the law regulate? Who is affected and what do companies need to do now in order to meet the new requirements? In this article, we take a look at the KRITIS-DachG’s key aspects and provide practical answers to important central questions.
Background to the KRITIS-DachG and its regulations
The German government passed the KRITIS-DachG in November in order to strengthen the protection and resilience of critical infrastructures in Germany. Critical infrastructures are facilities whose disruption or destruction could have a serious impact on society and the economy. These include energy supply, water supply, healthcare and public administration.
As part of the law, operators of critical infrastructures are obliged, among other things, to ensure the physical security of their facilities. Operators must register on a joint platform of the Federal Office of Civil Protection and Disaster Assistance (“BBK”) and the Federal Office for Information Security (“BSI”) by July 2026. Furthermore, they must report any incidents immediately via the joint reporting office set up by these federal agencies.
A central component of the law is the “all-hazards approach”, which takes into account all conceivable risks – from natural disasters to terrorist attacks. Operators are obliged to draw up resilience plans in order to be able to act quickly in the event of disruptions.
These sectors are affected – even if they only appear “critical” at second glance
Generally, all operators of facilities that are essential for public supply are affected. The exact classification is based on quantitative and qualitative criteria, such as the number of people supplied or the dependence of other sectors on a particular infrastructure. Specific threshold values will be defined in an ordinance yet to be issued.
Typically affected sectors include energy supply, water management, healthcare, transportation and traffic as well as IT and telecommunications infrastructure. It is not only the state that has a duty. Private companies, especially those that supply a large number of people or systemically relevant economic sectors, are affected as well.
Industries that are not considered “critical” at first glance may also be affected. These include, for example, large food producers or logistics companies that are responsible for a stable food supply or the movement of goods. Smaller infrastructure operators that play a key role in a particular sector must also ensure that they meet the requirements.
Implementation of the law: Next steps for companies
Critical infrastructure operators have until July 2026 to register.
KRITIS operators must register by 2026
Registration takes place on a joint platform of the BBK and the BSI. Operators of critical infrastructures must provide various details, such as:
- Name of the critical facility operator (including legal form and commercial register number),
- Address of the critical facility operator (including e-mail address, public IP address ranges and telephone number),
- Sector and industry to which the critical facility belongs,
- Contact details for reaching the operator of critical facilities.
Attention! Violations of the registration obligations constitute an administrative offense and can be punished with a fine of up to EUR 500,000.
Companies must draw up a resilience plan with suitable protective measures
In addition, operators of critical entities are obliged to take measures to ensure resilience and to present these in a resilience plan. The resilience plan must specify the considerations on which the measures are based.
Companies are therefore advised to carry out a detailed inventory of their systems and their criticality in advance. This could involve obtaining technical reports or consulting risk management and IT security experts.
What are suitable measures to ensure functionality?
The measures to ensure functionality must meet the specific requirements of the respective sector. They must ensure that the infrastructure continues to function or can be restored as quickly as possible even in the event of disruptions.
The KRITIS-DachG does not mention specific measures, as the measures that are suitable for ensuring resilience can vary from sector to sector and from company to company.
Possible measures include, for example:
- Emergency preparedness,
- Monitoring of the environment,
- Access controls,
- Emergency power supply.
Companies must prove that they have implemented suitable measures and regularly review their effectiveness. It is important that the measures are fully and comprehensibly documented. This is the basis for audits by supervisory authorities.
Documentation requirements and pitfalls
Operators must ensure that they properly document all measures taken. For example, they should be able to provide detailed records of:
- Risk assessments and action plans,
- Test reports for emergency scenarios and their results,
- Training certificates for employees.
Insufficient documentation or missing evidence can lead to sanctions. Uncertainties could also arise when implementing security measures, as the legislator does not clearly define which standards are considered “suitable”. For operators of critical facilities, this creates a pitfall if they cannot provide sufficient evidence that their resilience measures are suitable. Companies should work proactively with experts in order to avoid mistakes.
Regulatory overlaps: KRITIS-DachG in conjunction with NIS-2 and DORA
The KRITIS umbrella law is not the only set of regulations aimed at increasing resilience that could affect companies. It is important to understand the interactions with other existing and upcoming regulations such as the NIS-2 Directive (Network and Information Security) and DORA (Digital Operational Resilience Act).
- NIS-2: This EU directive is also aimed at operators of essential services and prescribes cybersecurity measures. Companies that are already obliged by NIS-2 must ensure that their IT security measures also comply with the requirements of the KRITIS-DachG. This could lead to double compliance requirements, particularly with regard to documentation and regular risk analysis.
- DORA: This legal framework for digital operational resilience covers all regulated financial companies in the European Union. Its subject is their ability to respond to IT failures. The KRITIS-DachG could place an additional burden on companies in the financial industry, as they have to meet the requirements of both DORA and the KRITIS-DachG.
Companies must therefore keep an eye on potential regulatory overlaps and ensure that they meet all requirements.
A proactive approach is key to the successful implementation of measures
The KRITIS-DachG introduces new, cross-sector requirements for operators of critical infrastructures that require a comprehensive risk management strategy. Companies must prepare for the registration and implementation of protective measures in order to act in a legally compliant manner and avoid penalties.
A proactive approach to planning and implementing resilience measures is the key to efficiently meeting requirements and ensuring the long-term functionality of your own infrastructure.
At the same time, it is important to understand the interactions with other regulations such as NIS-2 and DORA to avoid redundant efforts and regulatory conflicts. Regulatory overlaps can be a challenge, as companies need to ensure that they meet all applicable requirements at once. Companies are well advised to align their compliance strategy with these overlaps and seek legal advice. Please feel free to contact us.