The KRITIS Umbrella Act (Dachgesetz zur Stärkung der physischen Resilienz kritischer Anlagen – KRITISDachG) has been in effect since March 17, 2026. For operators of critical infrastructure in Germany, this means: new obligations, tight deadlines, and hefty fines require swift action. For the first time, the law establishes a cross-sector legal framework to strengthen physical resilience and applies to operators of critical facilities across ten sectors – ranging from telecommunications, energy, and transportation to healthcare and space. In this article, you’ll learn who is affected, what obligations exist, how regulatory responsibilities are distributed, and what penalties apply for violations.
The five most important takeaways for your company
- The registration requirement takes effect on July 17, 2026 – affected operators must register with the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe – BBK)/Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) within three months of being identified as a critical infrastructure. Attention: Immediate action required – those who fail to act now risk fines.
- Broad scope of application: The law addresses operators of critical infrastructure in ten sectors.
- Comprehensive operator obligations: The list of obligations follows a comprehensive all-hazards approach.
- Significant risk of fines: Violations of key operator obligations may result in fines of up to EUR 1,000,000.
- Personal responsibility of management: Management is personally responsible for approving and monitoring resilience measures (Sec. 20 KRITISDachG).
Background and Objectives of the KRITISDachG
The KRITISDachG serves to implement the CER Directive on the resilience of critical entities (Directive (EU) 2022/2557). The objective is to ensure the maintenance of key economic and societal functions in the event of natural disasters, technical failures, sabotage, or other hybrid threats, specifically through cross-sectoral minimum standards for the physical protection of critical infrastructure. It thus supplements existing regulations on IT security – particularly the amended national BSI Act (BSIG) as the central implementing instrument of the NIS2 Directive (Directive (EU) 2022/2555) – with a physical component.
Sectors Affected
The law applies to operators of critical facilities, i.e., natural or legal persons as well as other organizational units that have a decisive influence on facilities that are essential for the provision of critical services (see Sec. 2 nos. 1 – 4 KRITISDachG).
The law defines ten sectors in Sec. 4 (1) KRITISDachG: information technology and telecommunications, energy, transport and traffic, finance, social security services and basic income support for job seekers, healthcare, water, food, space, and municipal waste management.
Which services are to be classified as critical within the individual sectors and the criteria according to which facilities are considered significant for the provision of critical services will be determined separately by a statutory ordinance issued by the Federal Ministry of the Interior (Bundesministerium des Innern – BMI) (Sec. 4 (3) and 5 (1) KRITISDachG). Facilities that meet these criteria are considered critical facilities.
“Criticality” is therefore presumed to exist if a facility is necessary to provide a critical service and exceeds a threshold value specified in the statutory ordinance (Sec. 5 (1) sentence 1 no. 2 KRITISDachG). The threshold is determined based on the population to be served, with a population of 500,000 generally serving as the basis (Sec. 5 (2) sentence 2 KRITISDachG).
A state-level exemption clause allows the federal states to classify regionally significant facilities below the threshold as critical (Sec. 5 (7) KRITISDachG) – such as a hospital indispensable to the region or a water supply system.
Affected companies typically include energy suppliers, telecommunications providers, network operators, municipal utilities, airports, ports, and railway hubs, hospitals and pharmaceutical companies, water suppliers, data centers, and large food producers and logistics providers.
Federal government agencies that perform exclusively national security, defense, or law enforcement functions are largely exempt (Sec. 7 (1) no. 2 and (2) sentence 2 KRITISDachG).
Key Obligations and Sector Exemptions
A defining feature of the new legal framework is a multi-tiered resilience system that links government risk analyses with comprehensive operator obligations. In doing so, the law adopts a so-called all-hazards approach: every risk – from natural disasters to sabotage and terrorist attacks to human error – must be included in the risk analysis.
An overview of the core provisions:
- Cross-sectoral risk analyses by federal and state ministries for critical services (Sec. 11 KRITISDachG),
- Registration with the BBK/BSI within three months of identification as a critical facility, no earlier than July 17, 2026 (Sec. 8 (1) KRITISDachG),
- Risk analysis (Sec. 12 KRITISDachG) for the first time no later than nine months after registration (Sec. 8 (7) KRITISDachG), thereafter as needed, but at least every four years,
- Resilience measures and resilience plan (Sec. 13 KRITISDachG) for the first time no later than ten months after registration (Sec. 8 (7) KRITISDachG), including emergency response teams, physical security, access controls, emergency power supply, and staff training,
- Reporting obligations: Upon request, evidence of compliance with these obligations must be provided (Sec. 16 KRITISDachG), and incidents must be reported immediately, no later than 24 hours after becoming known (Sec. 18 (1) KRITISDachG),
- Personal responsibility of management for approving and monitoring resilience measures (Sec. 20 KRITISDachG).
The core of these requirements consists of resilience obligations under Sec. 13 KRITISDachG. To specify these obligations, the BMI may establish cross-sectoral minimum requirements (Sec. 14 (1) KRITISDachG). In addition, operators or their industry associations have the option of proposing industry-specific resilience standards (Sec. 14 (2) KRITISDachG). Sector-specific requirements issued by federal ministries or state governments are only permissible on a subsidiary basis and in agreement with the BMI (Sec. 14 (3) and (4) KRITISDachG). The provisions on sector-specific requirements will not take effect until January 1, 2030, in order to give priority to the development of industry-specific standards (see Sec. 14 (2) KRITISDachG).
Furthermore, the law provides for sector-specific exemptions to avoid double regulation (Sec. 4 (2) nos. 1 – 3 KRITISDachG):
- These apply to operators in the financial sector who are already subject to the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), as well as operators in the IT and telecommunications sector for whom a resilience and security regime exists under the NIS2 Directive and its national implementation in the BSIG. In these areas, key operator obligations – such as risk analysis and risk assessment (Sec. 12 KRITISDachG), ensuring resilience (Sec. 13 KRITISDachG), and providing evidence (Sec. 16 KRITISDachG) – are exempted, while the registration requirement (Sec. 8 KRITISDachG) and provisions regarding national risk analyses and assessments (Sec. 11 KRITISDachG) continue to apply.
- Similar exemptions apply to operators of critical facilities in municipal waste management and in the social security/basic income support sector, although risk analysis and assessment obligations (Sec. 12 KRITISDachG) expressly remain in effect.
Penalties for Violations
Violations of key operator obligations may result in fines of up to EUR 1,000,000 as well as administrative orders. The graduated fine scale depends on the nature and severity of the violation. It has been increased from a maximum of EUR 500,000 to EUR 1,000,000 compared to the government draft (as of November 2025).
If managers violate their duty to approve, as appropriate, the specific resilience measures to be taken pursuant to Sec. 13 (1) KRITISDachG and to continuously monitor their implementation (Sec. 20 (1) KRITISDachG), they are liable to their organization for damages caused through negligence (Sec. 20 (2) KRITISDachG); the governing body remains ultimately responsible.
Competencies of the Authorities
Responsibility for critical services lies with different federal (Sec. 3 (2) nos. 1 – 12 KRITISDachG) or state authorities (Sec. 3 (6) KRITISDachG), depending on the sector, such as the BMI (for critical services provided by federal administrative bodies) and the Federal Network Agency (Bundesnetzagentur – BNetzA) (e.g., for critical telecommunications services).
The central contact point for ensuring cross-border cooperation with contact points in other Member States (Art. 9 (2) CER Directive) is the BBK, Sec. 3 (1) KRITISDachG.
The BBK is the competent authority for imposing administrative fines for violations of registration requirements; in all other cases, the competent (sector-specific) authority pursuant to Sec. 3 (2) sentence 1 KRITISDachG (Sec. 24 (3) KRITISDachG) is responsible.
Conclusion and Outlook
With the KRITISDachG, the national legislature supplements existing resilience requirements – which until now have been primarily focused on cyber and information security – with physical security requirements. Within the framework of a risk-based “all-hazards approach,” the KRITISDachG establishes continuous and comprehensive resilience management for operators; at the same time, sector-specific exemptions consider the goal of avoiding double regulation.
Even though critical services, resilience obligations, and minimum standards are yet to be specified by statutory ordinance (upon whose entry into force the previously applicable BSI-Kritisverordnung will be repealed), it is advisable for the affected sectors to review the new legal requirements at an early stage, especially since the KRITISDachG provides for substantial fines for violations.