The German KRITIS umbrella act: strengthening physical infrastructure resilience
German law regarding critical infrastructure has entered the next round with the goal of increasing the physical resilience of critical facilities (The Directive uses the word "entities", but, as the wording of the KRITIS Act states, the German legislator has expressly chosen to use a word that translates as "facilities": hereinafter, the term “critical facility” or “operators of critical facilities” will be used instead of “critical entities”). An outline for a German umbrella act for critical infrastructure protection (KRITIS-Dachgesetz – the “KRITIS Umbrella Act”) (available for example here in German only) to implement the EU Critical Entities Resilience Directive (CER Directive) has come to light. Its primary objective is to mitigate non-cyber-related risks. Figuratively speaking, the KRITIS Act focusses on the outer “shell” of critical systems. If this outer “shell” is fragile, digital IT security measures are practically useless. The KRITIS Act governs various sectors such as energy, transport, health care and information technology.
This article is to provide answers to the most important questions regarding this new law.
What is the KRITIS Umbrella Act?
The KRITIS Umbrella Act is a supplement to the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – “Cybersecurity Act”), which governs cybersecurity in Germany and is currently being extensively amended. As a supplement to the Cybersecurity Act’s wide-ranging requirements for protection from digital dangers such as hacker attacks, the KRITIS Umbrella Act has several measures to strengthen analogue security.
The draft KRITIS Umbrella Act has an “all-danger approach” intended to protect German infrastructure from all hazards of a physical nature, whether natural disasters or danger due to human acts. The goal of the KRITIS Umbrella Act is to make operators of critical facilities more resilient, i.e. strengthen their ability to prevent or avert an incident or mitigate its impact (section 2 no. 6).
Operators of critical facilities must take “resilience measures”, which are monitored by the responsible German Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe – “Federal Civil Protection Office” (section 3(1)). In its capacity as an interface with IT security law, the KRITIS Umbrella Act also includes a number of legal definitions for parties to which the NIS-2 Directive applies and whose obligations will soon be included in the revised version of the Cybersecurity Act.
Who is affected?
The KRITIS Act is aimed primarily at operators of “critical facilities”. Applicability of the law to a particular party is determined based on two criteria: whether the facility is used in a particular sector (energy, transport and traffic, financing and insurance, health care, potable water, wastewater, food, information technology and telecommunications, outer space, public administration or municipal waste disposal) and whether it functions at or above a particular threshold (section 4).
As an interface with IT security law, the KRITIS Umbrella Act also defines additional entities and facilities that will be subject to more detailed provisions in the (future version of the) Cybersecurity Act, including “Critical Infrastructure” (section 2 no. 2), “Critical Services” (section 2 no. 4), “Particularly Important Entities” (section 2 no. 11) and “Important Entities” (section 2 no. 12).
The approach found in the draft KRITIS Umbrella Act, i.e. an overarching means to address digital and analogue dangers, is to be seen as positive. However, the many different terms hinder it from being easily and simply applied. Parties to whom it may apply will have to look even more closely to determine exactly which obligations are applicable to their specific case.
What must affected entities do?
The draft KRITIS Umbrella Act places operators of critical facilities under several obligations that are strikingly similar in form to the requirements for operators of critical facilities according to the Cybersecurity Act (see particularly section 8a of the Cybersecurity Act).
- First, operators of critical facilities must register with the Federal Civil Protection Office (section 8(1)). If an operator does not comply with this obligation, the authority can perform the registration itself (section 8(2)).
- Operators also must designate a point of contact that must be available around the clock (section 8(3) and 8(4)).
- Based on this registration, the authorities are then to conduct government risk assessments and evaluations (section 9), which the operators of critical facilities are also obliged to conduct (section 10).
- However, operators’ key task is to implement suitable and appropriate technical, security-related and organisational measures to ensure resilience. This is a requirement in the KRITIS Umbrella Act that is similarly abstract to that found in the Cybersecurity Act – with the distinction that the measures must now also be “security-related”. The draft KRITIS Act does not include any detailed requirements regarding the measures, but merely gives examples. The list of examples in Annex 1 does not provide any reference points that would not already arise from general reasonable consideration. Physically protecting premises and controlling access rights should actually be a general matter of course.
- The measures must be documented in a “resilience plan” (section 11(6)).
- Proof of compliance with the requirements is to be provided at regular intervals (section 11(11) and (8)).
Another component that will probably sound familiar to operators is the “sector-specific resilience standards” (section 8(5)). In a manner similar to that of the sector-specific security standards found in section 8a(2) of the Cybersecurity Act, operators of critical facilities and their sector associations can develop their own standards to make the KRITIS Umbrella Act’s abstract requirements more concrete and then have Federal Civil Protection Office certify their suitability.
Operators must immediately report any security incidents to the Federal Civil Protection Office (section 12(1)). The deadlines for this are extremely strict. The authority must be notified within 24 hours of awareness of the incident, and a detailed report is due by one month thereafter (section 12(3)).
What are the consequences of non-compliance with the KRITIS Umbrella Act?
There are also many parallels to the Cybersecurity Act in the application and enforcement of the KRITIS Umbrella Act. The Federal Civil Protection Office is authorised to check compliance with all of the legal requirements. To facilitate this, operators of critical facilities must permit the authority to enter their business and operations premises during normal operating hours and provide records and the necessary support (section 11(9)).
If and to the extent that the Federal Civil Protection Office is of the opinion that the measures taken are insufficient, it can order an operator to take the necessary measures (section 11(10). Violations of the KRITIS Umbrella Act are punishable by a fine in many cases, including failure to register or complete a risk assessment in a timely manner or insufficient support of the Federal Civil Protection Office (section 19). However, the current draft KRITIS Umbrella Act does not yet set the exact amount of such fines.
According to the wording of its draft, the KRITIS Umbrella Act is to be introduced in several stages. The most important obligations are set to enter into force on 1 January 2026, and the provision regarding fines on 1 January 2027. These time periods are intended to provide the relevant facilities with sufficient time to comply with the new requirements and implement the necessary resilience measures.
So far, the KRITIS Umbrella Act is only a draft. Many changes may still come before it is adopted. However, the essential core content of the KRITIS Umbrella Act is prescribed by European law.