Germany is on the verge of a major shift in how it regulates critical infrastructure. With the new KRITIS Umbrella Act (KRITIS-Dachgesetz or KRITISDachG), the rules for operators of critical facilities are about to change fundamentally. This is not just another compliance exercise: the Act reshapes the legal obligations around governance, risk management and operational resilience for a wide range of organizations. Business leaders, in-house counsel and IT/security managers need to understand now what is coming, because only then can they ensure compliance and materially strengthen their resilience against all types of hazards, whether natural or man-made, accidental or intentional.
This blog post will guide you through the complexities of the KRITIS Umbrella Act. We will explore the context behind the law, detail the new obligations your business may face, and provide a practical roadmap to help you prepare for compliance.
The “Why” – Background and Context
The KRITIS Umbrella Act is Germany’s national implementation of the European Union’s Directive on the Resilience of Critical Entities (CER Directive (EU) 2022/2557). Its primary goal is to strengthen the physical resilience of critical entities, as distinct from the cyber resilience addressed by NIS2, through an “all-hazards approach”: operators must be in a position to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that could disrupt the provision of their essential services.
The new legislation will operate alongside the EU’s updated cybersecurity rules, the NIS2 Directive ((EU) 2022/2555), which has been separately transposed by amending the German IT Security Law and the corresponding sector-specific regulations (see our recent blog post “Germany implements NIS2 – What you need to know now”).
Together, the KRITIS Umbrella Act and the NIS2 provisions form a single framework for the resilience of critical infrastructure: NIS2 covers the cyber dimension, the Umbrella Act the physical and organisational one. The common aim is to keep essential services running for the public and the economy, whatever the cause of a disruption.
The “What” – New Rules and Obligations for Companies
The KRITIS Umbrella Act will apply to operators of critical facilities in ten specified sectors, including energy, transport, healthcare, drinking water, finance and, for the first time, municipal waste disposal and parts of public administration. The Federal Ministry of the Interior (Bundesministerium des Innern) will specify the critical services for each sector by statutory ordinance (Rechtsverordnung).
The Act aims to strengthen the resilience of operators of these critical facilities and closes the previous gap in uniform federal legislation. Rather than imposing detailed sector- or industry-specific rules, the KRITIS Umbrella Act establishes a process that every operator must follow. Its key provisions for operators include:
Registration:
- A key administrative requirement is the mandatory registration of critical facilities with the relevant federal authority, primarily the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe) (Sec. 8 KRITISDachG).
- Operators will also need to designate a central contact point to streamline communication with regulatory bodies (Sec. 8(1) No. 6 KRITISDachG).
Risk Analysis and Assessment:
- Operators of critical facilities must perform a comprehensive risk analysis and assessment based on national risk analyses and assessments provided by the German authorities.
- This must be carried out at least every four years, or more frequently where circumstances require it, taking into account the factors set out in the Act (Sec. 12 KRITISDachG).
Risk Management and Resilience Measures:
- Operators must develop and implement comprehensive resilience plans. These plans must be designed to prevent incidents, ensure adequate physical protection of premises and critical facilities, respond to and withstand incidents while limiting their negative effects, and ensure the rapid restoration of critical services following a disruption (Sec. 13(1) KRITISDachG).
- To achieve these objectives, operators must implement “appropriate and proportionate” and “state-of-the-art” technical, security-related, and organisational measures to ensure their resilience (Sec. 13(2) KRITISDachG). The measures must be based on comprehensive risk analyses and assessments that consider both natural and man-made hazards, including those with cross-sector or cross-border implications (Sec. 13(2) Sent. 1, and Sec. 12(1) KRITISDachG). These measures should cover everything from physical security and access controls to crisis management procedures and staff training (Sec. 13(3) KRITISDachG).
- The resilience plan must be documented in a way that enables the operator to provide evidence of compliance to the competent authority if requested (Sec. 16(2) KRITISDachG).
Reporting:
- The KRITIS Umbrella Act introduces strict reporting obligations for significant incidents. Operators must submit an initial notification of any incident that significantly disrupts, or could significantly disrupt, the provision of their services “without delay” and no later than 24 hours after becoming aware of it (Sec. 18(1) Sent. 1 KRITISDachG).
- A more detailed report must follow no later than one month after the incident (Sec. 18(1) Sent. 3 KRITISDachG).
Responsibilities:
- The KRITIS Umbrella Act explicitly places responsibility on management. Critical facility operators are obligated to implement the described resilience measures and ensure their implementation through appropriate organisational measures (Sec. 20(1) KRITISDachG).
The KRITIS Umbrella Act will empower the relevant authorities to conduct audits and inspections and to order remedial action if deficiencies are identified (Sec. 16 KRITISDachG). Failure to comply with a number of obligations (in particular the reporting, registration, documentation, audit, access and information obligations, in some cases in connection with enforceable orders of the relevant authority) carries significant administrative fines (Bußgelder) (Sec. 24(1) KRITISDachG).
In addition to these fines, the liability of a company’s management towards the company for a breach of duties under the KRITIS Umbrella Act follows general company-law principles (Sec. 20(1) KRITISDachG, e.g. Sec. 93 of the German Stock Corporation Act (AktG)). For legal entities for which no such liability exists under applicable company law, the Act provides a catch-all provision that makes management personally liable (Sec. 20(2) KRITISDachG).
The dual risk of substantial fines and potential personal liability for management means that compliance with the KRITIS Umbrella Act is a critical consideration, with significant implications not only for operators and their management but also for D&O insurers.
The “How” - Practical Advice for Compliance
To avoid the consequences of non-compliance and proactively safeguard critical facilities, preparedness is paramount. We recommend a structured, four-step approach to navigating your compliance journey:
Step 1: Conduct a Scoping Assessment
The first and most important step is to determine whether your organisation falls within the scope of the KRITIS Umbrella Act. This involves carefully analysing your business activities against the sectors and thresholds defined in the legislation. The Act affects organisations whose failure would have a significant impact on public safety, with the KRITIS Umbrella Act generally setting a threshold for this impact at serving a population of 500,000 inhabitants or more (Sec. 5(2) Sent. 2 KRITISDachG). According to the Federal Ministry of the Interior, it is expected that approximately 1,700 facilities will fall within the scope of the Act.
Step 2: Register and Perform a Gap Analysis
After confirming your status as an operator of critical facilities, the next steps are to (a) register the facility with the competent federal authority and (b) conduct a comprehensive gap analysis. Compare your existing security and resilience measures against the new legal requirements set out in the Act. This analysis should cover your risk management framework, physical security protocols, incident response plans, and business continuity procedures. The goal is to identify any deficiencies that need to be addressed to achieve compliance.
Step 3: Update Policies and Procedures
Based on the findings of your comprehensive gap analysis, you will need to update your internal policies and procedures. This will likely involve:
- Revising your risk management framework to meet the resilience objectives and to incorporate the “all-hazards approach” mandated by the Act, including the comprehensive risk analysis and assessment required by Sec. 12 KRITISDachG.
- Updating your incident response plans so that the competent authority can be notified within the new 24-hour deadline and the detailed follow-up report can be delivered within one month.
Step 4: Assign Responsibility
Compliance with the KRITIS Umbrella Act is not a one‑off exercise; it requires ongoing oversight and active management. Board‑level supervision of KRITIS matters is essential. To ensure that requirements are implemented effectively in practice, clear responsibilities and decision‑making lines must be defined. This includes allocating ownership for driving necessary changes, monitoring regulatory developments and acting as the designated point of contact for the authorities. These roles must be properly mandated and empowered – only then can continuous, sustainable compliance be achieved.
Conclusion and Call to Action
The German KRITIS Umbrella Act marks a paradigm shift in critical infrastructure regulation, broadening its scope from a primary focus on cybersecurity to a holistic view of both digital and physical resilience. The new law will introduce significant new obligations for affected businesses, demanding strategic planning and substantial resources. Now is the time to prepare.
The good news is: you do not have to tackle this alone. Navigating the KRITIS Umbrella Act and its interaction with the NIS2 Directive is complex, not least because of the extensive use of delegated legislation. Various ministries can issue ordinances (for example, the Federal Ministry of the Interior on cross-sector minimum requirements), so compliance is not a “set and forget” exercise. It requires a clear strategy, careful prioritization and ongoing monitoring.
Targeted legal advice will be key to designing a compliance approach that is not only formally correct, but also workable in practice and tailored to your organization’s specific risk profile, structure and sector. We support businesses in:
- interpreting and implementing the KRITIS Umbrella Act and NIS2 requirements,
- designing governance, processes and documentation that stand up to regulatory scrutiny, and
- using compliance as a lever to strengthen operational resilience rather than as a pure cost factor.
If you would like to discuss what the KRITIS Umbrella Act means for your organization in concrete terms and what a sensible roadmap could look like, we would be pleased to work through this with you. Taking these steps now will help you secure your operations, mitigate regulatory and operational risk, and build a resilient foundation for your future business.