KRITIS Ordinance: What critical infrastructure operators need to know now
Following the adoption of the German Umbrella Act for Critical Infrastructure Protection (KRITIS-Dachgesetz), a consistent federal legal framework for improving the physical resilience of critical infrastructure has been in effect since 17 March 2026.
The draft KRITIS Ordinance (KritisV) specifies what infrastructure and which operators will be classed as critical in future and will therefore be subject to the requirements of the Umbrella Act for Critical Infrastructure Protection, and in some cases even the BSI Act (BSIG). Companies from the energy, health care, finance, transport, information technology and space sectors are particularly affected. While the KRITIS Ordinance provides more clarity regarding the scope of application for the first time, there are key specifications on risk analyses, resilience measures, registration duties and organisational requirements that have yet to be outlined. This makes it more pressing for companies to figure out how they can make early preparations to align their KRITIS, NIS2 and cyber compliance structures with the new requirements.
Umbrella Act for Critical Infrastructure Protection coming into effect – key implementation requirements still missing
The German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG, BGBl. 2026 I no. 66) came into effect on 17 March 2026 and transposes the CER Directive (EU) 2022/2557 into German law. It provides for the first federal statutory requirements valid across all sectors for the physical resilience of critical infrastructure. Unlike the KRITIS regulations primarily shaped to date by the BSI Act, the law covers not only cyber risks, but also physical hazards – from natural disasters and sabotage to terrorist attacks and supply chain breakdowns.
The ministerial bill for the KRITIS Ordinance now specifies what infrastructure falls under its scope. However, definitive clarity is still lacking: The public hearings with representatives of interest groups have finished; interdepartmental consultations are ongoing, meaning that amendments during the continued proceedings are not precluded.
KRITIS Ordinance: New infrastructure categories and expanded scope
The KRITIS Ordinance (KritisV) closely conforms to the previous BSI KRITIS Ordinance (BSI-KritisV) in its methodology. It maintains the same regular threshold value of 500,000 people supplied, with additional sector-specific infrastructure categories and threshold values. In many cases therefore, little in the fundamental categorisation should change for operators already classed as critical; nevertheless it may be necessary to double-check against the new catalogue, since new infrastructure categories and the future dual effect for duties under the BSI Act may also impact operators that were previously covered.
At the same time, the draft implements the specifications of the CER Directive and appreciably expands the scope of application in several areas. The changes in the energy, health care, financial and transport sectors as well as the introduction of the new sector of space are particularly relevant.
Energy sector under the KRITIS Ordinance: Expanded to storage, hydrogen and cooling infrastructure
In the energy sector, the draft significantly expands the types of infrastructure classed as critical and thus takes account of the changes in energy infrastructure. Transmission and distribution networks were already covered under the BSI KRITIS Ordinance (BSI-KritisV). In future this ordinance is expected to determine what is classified as critical infrastructure under the Umbrella Act for Critical Infrastructure Protection and the BSI Act and thus establish a standardised regulatory foundation.
One point of particular practical relevance is the inclusion of multiple infrastructure categories that previously were not explicitly covered by the KRITIS framework. These include, in particular, energy storage facilities such as batteries. The decisive threshold value is generally 104 MW installed rated output. For pre-qualified infrastructure for the primary reserves, a lowered threshold value of 36 MW applies; the threshold value is lifted entirely for contracted black-start facilities.
In addition, facilities for connecting generation installations to distribution and transmission networks as well as power-to-gas facilities are covered. The latter are within the scope of application if their annual production exceeds 5,190 GWh and should be of particular significance for major hydrogen projects.
One critical service newly introduced is "district cooling". This covers cooling plants, district cooling networks and the control and guidance systems used for them.
This means that the relevant categories for operators in the energy sector likely will not be limited to traditional generation and network infrastructure. Storage, hydrogen and district cooling infrastructure should also be included in the impact analysis.
Health care, finance, transport and space under the KRITIS Ordinance
Several new categories are being added in the health care sector: Production sites for pharmaceutical base materials, EU reference laboratories in Germany and research and development centres above a threshold value of around EUR 61 million in annual R&D investments. However the draft does not set out any measurement criteria or threshold values for production sites for pharmaceutical base materials – the category exists but is substantively incomplete. At the same time, the draft replaces the existing term "requiring a prescription" with "supply-relevant", more narrowly defining the objects of the legislation than previously. The list of supply-relevant medicinal products under section 52b (3c) German Medicinal Products Act (AMG) will be decisive in future.
In the finance sector, receipt of contributions (threshold value of EUR 15 billion in total contributions) and issuance of credit (EUR 7 billion in customer credit) are being added as new critical services. This makes the scope of application for credit institutions broader than under the BSI KRITIS Ordinance, while the operative obligations for businesses subject to the EU Digital Operational Resilience Act (DORA) remain limited by section 4 (2) German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG).
In the transport sector, federal motorways will be registered as a physical infrastructure category, as will computer reservation services and global distribution systems (threshold value 20 million flight bookings annually) as well as port infrastructure above 50 million tonnes in transshipments annually.
An entirely new KRITIS sector, space, is being added. This is leading many companies to ask themselves for the first time whether individual facilities fall within the scope of application.
Umbrella Act for Critical Infrastructure Protection and BSI Act: Why categorisation may have double the consequences in future
The change that will likely have the most consequences has nothing to do with the individual threshold values. The BSI Act already refers to critical infrastructure and services under the Umbrella Act for Critical Infrastructure Protection; however the effect of this reference in practice will only become clear once the KRITIS Ordinance comes into effect. In the future this ordinance is expected to determine both the scope of the Umbrella Act for Critical Infrastructure Protection and the operators subject to the special requirements of the BSI Act. This means that classing something as critical infrastructure may in future trigger not just duties to maintain physical resilience but also key cybersecurity requirements.
Nevertheless, no comprehensive congruent range of duties applies to operators in the finance and IT/telecommunications sectors. Both sectors are covered in the draft in full with infrastructure categories and threshold values. If special priority requirements already apply to certain operators – such as DORA in the finance sector or the relevant provisions of the BSI Act – individual obligations from the Umbrella Act for Critical Infrastructure Protection do not apply. This does not affect the registration duty.
Until the KRITIS Ordinance (KritisV) comes into effect, the most recent version of the BSI KRITIS Ordinance (BSI-KritisV) will continue to apply. Companies should therefore carefully follow the transition phase and examine which requirements are relevant for each of their facilities.
Resilience duties and risk analyses: Which requirements are still to be decided?
Though the scope of application has been nailed down, it is important to note that the substantive requirements of the framework are still largely to be settled. Neither the sector-agnostic minimum requirements under section 14 Umbrella Act for Critical Infrastructure Protection nor industry-specific resilience standards or more detailed specifications on how to conduct risk analyses are in place to date. The draft itself acknowledges that it is not possible at present to reliably estimate the effort required for business and administration.
As a result, it is becoming increasingly apparent which companies will be subject to the framework in the future. The precise organisational, technical and financial measures that follow from it are yet to be determined, however.
Registration duty under the Umbrella Act for Critical Infrastructure Protection: Why companies should act now
The Umbrella Act for Critical Infrastructure Protection requires operators of critical infrastructure to register on the joint platform for the German Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI) within three months after their infrastructure is designated as critical (section 8 German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG)). Registrations cannot be made until 17 July 2026 at the earliest. The bill includes a transitional provision: Infrastructure that already reached the relevant threshold values in 2025 will be deemed critical when the KRITIS Ordinance (KritisV) goes into effect; this date will simultaneously trigger the registration period for operators of these facilities.
Regardless of the outstanding uncertainty, it is worth beginning preparations for registration now. Failure to comply with the duty is punishable by a fine (section 24 German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG)), while significant preparatory work – particularly performing the impact analysis, naming a point of contact and consolidating the required registration information – can already be done.
KRITIS compliance and governing body responsibility: New duties for management and board of directors
The heart of the German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG) in its substance is the "all-hazards" approach. Operators must consider all relevant risks and take suitable, proportionate measures as far as the state of the art allows to prevent incidents, limit their effects and ensure that critical services are re-established. The foundation for this approach is a risk analysis to be updated at least every four years and a resilience plan based on that analysis.
Special attention must be paid to the explicit allocation of responsibility to the executive level. The management must organise and monitor the implementation of the resilience measures (section 20 German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG)). They are liable for breaches of duty under the general principles of corporate law; the Umbrella Act for Critical Infrastructure Protection includes a subsidiary catch-all provision to this extent. There is also a potential for fines under section 24 German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG).
This explicitly renders resilience a governance-related task. The requirements of the Umbrella Act for Critical Infrastructure Protection demand the active involvement of the board and management and are not just aimed at security, compliance or crisis management staff.
What should companies do now?
- Check impact: Compare their infrastructure portfolio with the categories and threshold values in the draft ordinance – especially in the newly added or expanded sectors for energy, health care, finance, transport and space.
- Identify regulatory interfaces: Review existing compliance structures under the German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG), German BSI Act (BSIG) and NIS2 to determine which synergies can be used and which dual processes can be avoided.
- Prepare to register: Compile the necessary registration information, name a point of contact and prepare internal procedures for registration on the joint platform for the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI).
- Establish governance: Specify responsibilities for management, compliance and security teams and define the required reporting and decision-making channels.
- Prepare resilience duties: Draw up a risk analysis and a resilience plan on the basis of the existing framework and adjust them to the staggered deadlines under section 8 (7) German Umbrella Act for Critical Infrastructure Protection (KRITIS-DachG).
- Monitor regulatory developments: Closely follow the ordinance's continuing procedures and the announced minimum requirements and recommendations from the BBK.
Conclusion: Greater clarity for critical infrastructure, outstanding questions on implementation
The draft is the first legislation to give companies a reliable basis for assessing who will be subject to the Umbrella Act for Critical Infrastructure Protection in the future. Nonetheless it is largely yet to be determined how individual duties will be arranged. For precisely this reason, companies should use the time remaining to thoroughly review the impact on them and set up the necessary organisational structures.