The KRITIS Umbrella Act: What Critical Infrastructure Operators Need to Know
2026-07-14 · by SECURITYSQUAD

Critical infrastructure (KRITIS) is the backbone of our society: energy, water, health, transport, finance and IT. When such services fail, human lives, public safety and the economy are directly affected. With the KRITIS Umbrella Act (KRITIS-Dachgesetz), the German legislator placed the protection of these facilities – physical and digital alike – on a common legal foundation for the first time in 2026. This article explains who is affected and what to do now.
What is KRITIS?
Critical infrastructures are organisations and facilities of major importance to the state and society, whose failure or impairment would result in lasting supply shortages, significant disruptions to public safety or other dramatic consequences. In Germany, whether a company qualifies as a KRITIS operator has so far not been a matter of self-assessment, but of objective criteria set out in the BSI Critical Infrastructure Ordinance (BSI-KritisV).
Sectors and thresholds
The BSI-KritisV names the regulated sectors and defines concrete thresholds for each category of facility:
- Energy (electricity, gas, fuel, district heating)
- Water (drinking water supply, wastewater disposal)
- Food (food supply)
- Information technology and telecommunications
- Health (hospitals, pharmaceuticals, laboratories)
- Finance and insurance
- Transport and traffic
- Municipal waste disposal
In many sectors the standard threshold is the supply of 500,000 people – translated, depending on the sector, into supplied residents, cases, customers or transactions. Examples: drinking water 500,000 supplied residents, health 30,000 inpatient cases per year, IT/telecommunications 100,000 customers. Operators must check annually – the reference date is 31 March – whether their facilities exceeded the thresholds in the previous year.
Obligations under the BSIG
Any organisation qualifying as a KRITIS operator is subject to the obligations of the BSI Act (BSIG). With the transposition of the NIS2 Directive, the BSIG was recast; the familiar obligations continue to apply, in some cases under new section numbering:
- Appropriate technical and organisational measures according to the state of the art to protect the relevant IT systems.
- Audit obligation towards the BSI: every two years, the implementation of security measures must be demonstrated through inspections, audits or certifications (now Section 39 BSIG, formerly Section 8a(3) BSIG old version).
- Attack detection systems (SzA): since 1 May 2023, KRITIS operators have been required to deploy appropriate attack detection systems and to demonstrate their use (formerly Section 8a(1a) BSIG). These systems cover the continuous logging, detection and assessment of security-relevant events.
- Reporting obligations: significant disruptions must be reported to the BSI without delay. Operators must also register and designate a point of contact.
The KRITIS Umbrella Act – status as of July 2026
The KRITIS Umbrella Act (KRITISDachG) transposes the European CER Directive (EU) 2022/2557 on the resilience of critical entities into national law. Following the cabinet draft, it passed through the parliamentary process in 2026: the Bundestag adopted the law on 29 January 2026, and the Bundesrat approved it on 6 March 2026. It can now be signed and promulgated and, for the most part, enters into force the day after promulgation.
The key difference from previous regulation: the umbrella act addresses not only cybersecurity but, for the first time, comprehensively the physical resilience of critical facilities – against sabotage, natural disasters, attacks or the failure of supply chains. It establishes cross-sector minimum standards and significantly expands the group of obligated entities: from around 4,500 to more than 30,000 facilities.
Key operator obligations under the umbrella act:
- Identification and registration as a critical entity with the responsible federal authority.
- Risk analyses and assessments covering all relevant threats – physical and digital.
- Resilience measures for the physical protection of facilities (e.g. site protection, access control, emergency and continuity management, personnel security).
- Incident reporting to the responsible authorities.
- Oversight by the BSI, combined with audit and evidence obligations as well as fines for violations.
During the parliamentary process, the federal states gained the authority to designate additional facilities below the nationwide threshold as critical; the evaluation period was shortened from five to two years.
Relationship to NIS2
The KRITIS Umbrella Act and NIS2 are two sides of the same coin. The NIS2 Directive (EU) 2022/2555, anchored in Germany's BSIG via the NIS2 Implementation Act, governs cybersecurity. The parallel CER Directive, implemented by the KRITIS Umbrella Act, governs physical resilience. Both legal acts were deliberately aligned and largely share the same group of addressees.
For many operators this means being subject to both regimes at once. Cyber and physical protection requirements should therefore not be handled in isolation but brought together in integrated security management – ideally within an overarching information security management system (ISMS).
What operators should do now
- Clarify applicability – use BSI-KritisV, NIS2 and the umbrella act to check whether and in which roles you are covered.
- Registration and evidence – keep deadlines in view, designate a point of contact, plan audit cycles.
- Implement SzA – introduce attack detection systems or demonstrate them in an audit-proof manner.
- Combine physical and digital risk – update risk analyses and emergency/continuity management.
- Build a management system – an ISMS based on ISO 27001 and IT-Grundschutz creates the audit-proof foundation for both regimes.
How SECURITYSQUAD supports you
As a provider certified to ISO 27001 on the basis of IT-Grundschutz and a member of the Alliance for Cyber Security, we support operators, public authorities and utilities on their path to compliance:
- Attack detection systems: with GUARDIANVIEW (Managed SIEM & SOC based on Wazuh), we implement the SzA obligation in a practical way – from continuous log analysis to alerting.
- IT-Grundschutz and ISMS: building and operating an audit-proof management system that brings together NIS2 and umbrella act requirements.
- External ISO/CISO as a service, pentests and awareness round off the picture – risk-based and pragmatic.
Unsure how the KRITIS Umbrella Act and NIS2 interact for your organisation? We give you clarity and the right next steps.
Read more: Expertise & Services · GUARDIANVIEW – Managed SIEM · NIS2 for SMEs