KRITIS Protecting critical infrastructure
Operators of critical infrastructure are subject to the tightened obligations of BSIG 2025 and – since March 2026 – the KRITIS-Dachgesetz. We get you registered, audit-ready and resilient: IT security and physical protection from a single source.
KRITIS sectors
Operators of critical infrastructure
Audit cycle (§ 39 BSIG)
Reporting deadlines (§ 32 BSIG)
The basics
What is critical infrastructure?
KRITIS are facilities and systems whose failure would cause serious supply shortages or endanger public safety. In Germany the BSI-Kritisverordnung defines, sector by sector, which facilities count as critical – their operators are subject to specific obligations towards the BSI and the BBK.
-
Supply-critical
-
Facilities across ten sectors whose failure endangers the supply to the public – from electricity and water to healthcare and transport.
-
Two regulatory levels
-
IT security under BSIG 2025 (the NIS2 transposition) and – since March 2026 – physical resilience under the KRITIS-Dachgesetz (the CER transposition).
-
Tightened obligations
-
Operators of critical infrastructure are also essential entities – with additional duties such as attack detection and a three-year audit.
-
BSI & BBK
-
Supervised by the BSI (IT security) and the BBK (physical protection). Registration will move to a shared platform.
Scope
The ten KRITIS sectors
The BSI-Kritisverordnung names ten sectors. Whether your facility counts as critical depends on sector-specific thresholds – the benchmark being the supply of around 500,000 people.
Energy
Electricity, gas, fuel and district heating
Water
Drinking-water supply and wastewater
Food
Food supply and logistics
IT & telecommunications
Voice/data transmission, IT hosting
Healthcare
Inpatient care, pharmaceuticals, laboratories
Finance
Cash, payment processing, securities trading
Social insurance
Social-insurance benefits
Transport & traffic
Air, rail, water, road, public transport, logistics
Space
Ground infrastructure – thresholds still to be set
Municipal waste disposal
Disposal of municipal waste
In the NIS2 context further sectors such as digital infrastructure and public administration are added – 18 NIS2 sectors in total under BSIG 2025.
What operators must deliver
Core obligations under BSIG 2025
Beyond the general NIS2 obligations, operators of critical infrastructure carry additional, tightened requirements. The most important ones at a glance – with the relevant sections.
Registration & contact point
Registration with the BSI and designation of a contact point reachable at all times.
Risk management
Technical and organisational measures at a raised level of protection – including BCM, supply chain and cryptography.
Attack-detection systems
Use of attack-detection systems (SzA) for the relevant IT systems, in line with the BSI guidance.
Audit evidence every 3 years
Evidence of implementation submitted to the BSI every three years – via audit, assessment or certification.
Reporting obligations
Report significant incidents in stages: initial report within 24 h, assessment within 72 h, final report within one month.
Physical resilience
Since March 2026: resilience measures against physical threats under BBK supervision (the CER transposition).
KRITIS, NIS 2 and the umbrella act
How the regulatory levels work together
BSIG 2025 · IT security
- Transposes the EU NIS2 Directive into German law
- In force since 6 December 2025
- Operators of critical infrastructure = essential entities
- Additional duties: attack detection (§ 31) and a three-year audit (§ 39)
- Supervision: BSI · fines up to €10 million or 2% of turnover
KRITIS-Dachgesetz · physical
Since 2026- Transposes the EU CER Directive into German law
- In force since March 2026 (BGBl. 2026 I No. 66)
- Protection against physical threats: sabotage, natural events, insiders
- Resilience, risk analysis and personnel reliability
- Supervision: BBK together with the BSI and the federal states
Both levels apply to the same operators of critical infrastructure – which puts IT security and physical protection into a single resilience concept.
Our services
End-to-end support for KRITIS operators
From the applicability assessment to ongoing audit evidence – we guide you through every obligation.
Applicability assessment
Checking whether you reach the thresholds of the BSI-Kritisverordnung.
- Sector and facility identification
- Threshold calculation
- Classification of the NIS2 category
BSIG 2025 gap analysis
Target/actual comparison against the requirements of § 30 and § 31 BSIG.
- Mapping of existing measures
- Gap and risk assessment
- Prioritised action plan
Attack detection (SzA)
Implementing the SzA obligation under § 31 BSIG and the BSI guidance.
- Requirements capture per the OH SzA guidance
- SIEM/IDS/OT monitoring selection
- Audit-evidence preparation
B3S & audit evidence
Applying industry standards and passing the three-year audit procedure.
- Identify the applicable B3S
- Implementation & internal audits
- Audit procedure § 39 BSIG
Reporting & crisis management
Incident-response process in line with the reporting deadlines of § 32 BSIG.
- Reporting process 24h/72h/1 month
- Connection to the BSI reporting portal
- Crisis exercises & communication
KRITIS-Dachgesetz compliance
Implementing the physical resilience obligations under BBK supervision.
- Registration on the BBK/BSI platform
- Physical risk analysis
- BCM & personnel reliability
Why DLAU for KRITIS?
Regulatory depth
BSIG 2025, the BSI-Kritisverordnung and the KRITIS-Dachgesetz from a single source
IT & physical
We think about cyber and physical resilience together
Audit-ready
Experience with BSI audit procedures and assessments
Sector knowledge
Projects in healthcare, energy, utilities and public administration
Meet your KRITIS obligations together?
We assess whether you are in scope, close the gaps and guide you through registration, audit evidence and reporting – until you are audit-ready.
Related: IT security standards · NIS 2 · IT-Grundschutz