Skip to main content
Critical infrastructure

KRITIS Protecting critical infrastructure

Operators of critical infrastructure are subject to the tightened obligations of BSIG 2025 and – since March 2026 – the KRITIS-Dachgesetz. We get you registered, audit-ready and resilient: IT security and physical protection from a single source.

10

KRITIS sectors

~1,300

Operators of critical infrastructure

3 years

Audit cycle (§ 39 BSIG)

24/72 h

Reporting deadlines (§ 32 BSIG)

The basics

What is critical infrastructure?

KRITIS are facilities and systems whose failure would cause serious supply shortages or endanger public safety. In Germany the BSI-Kritisverordnung defines, sector by sector, which facilities count as critical – their operators are subject to specific obligations towards the BSI and the BBK.

Supply-critical

Facilities across ten sectors whose failure endangers the supply to the public – from electricity and water to healthcare and transport.

Two regulatory levels

IT security under BSIG 2025 (the NIS2 transposition) and – since March 2026 – physical resilience under the KRITIS-Dachgesetz (the CER transposition).

Tightened obligations

Operators of critical infrastructure are also essential entities – with additional duties such as attack detection and a three-year audit.

BSI & BBK

Supervised by the BSI (IT security) and the BBK (physical protection). Registration will move to a shared platform.

Scope

The ten KRITIS sectors

The BSI-Kritisverordnung names ten sectors. Whether your facility counts as critical depends on sector-specific thresholds – the benchmark being the supply of around 500,000 people.

Energy

Electricity, gas, fuel and district heating

Water

Drinking-water supply and wastewater

Food

Food supply and logistics

IT & telecommunications

Voice/data transmission, IT hosting

Healthcare

Inpatient care, pharmaceuticals, laboratories

Finance

Cash, payment processing, securities trading

Social insurance

Social-insurance benefits

Transport & traffic

Air, rail, water, road, public transport, logistics

Space

Ground infrastructure – thresholds still to be set

Municipal waste disposal

Disposal of municipal waste

In the NIS2 context further sectors such as digital infrastructure and public administration are added – 18 NIS2 sectors in total under BSIG 2025.

What operators must deliver

Core obligations under BSIG 2025

Beyond the general NIS2 obligations, operators of critical infrastructure carry additional, tightened requirements. The most important ones at a glance – with the relevant sections.

§ 33 BSIG

Registration & contact point

Registration with the BSI and designation of a contact point reachable at all times.

§ 30 BSIG

Risk management

Technical and organisational measures at a raised level of protection – including BCM, supply chain and cryptography.

§ 31 BSIG

Attack-detection systems

Use of attack-detection systems (SzA) for the relevant IT systems, in line with the BSI guidance.

§ 39 BSIG

Audit evidence every 3 years

Evidence of implementation submitted to the BSI every three years – via audit, assessment or certification.

§ 32 BSIG

Reporting obligations

Report significant incidents in stages: initial report within 24 h, assessment within 72 h, final report within one month.

KRITIS-Dachgesetz

Physical resilience

Since March 2026: resilience measures against physical threats under BBK supervision (the CER transposition).

KRITIS, NIS 2 and the umbrella act

How the regulatory levels work together

BSIG 2025 · IT security

  • Transposes the EU NIS2 Directive into German law
  • In force since 6 December 2025
  • Operators of critical infrastructure = essential entities
  • Additional duties: attack detection (§ 31) and a three-year audit (§ 39)
  • Supervision: BSI · fines up to €10 million or 2% of turnover

KRITIS-Dachgesetz · physical

Since 2026
  • Transposes the EU CER Directive into German law
  • In force since March 2026 (BGBl. 2026 I No. 66)
  • Protection against physical threats: sabotage, natural events, insiders
  • Resilience, risk analysis and personnel reliability
  • Supervision: BBK together with the BSI and the federal states

Both levels apply to the same operators of critical infrastructure – which puts IT security and physical protection into a single resilience concept.

Our services

End-to-end support for KRITIS operators

From the applicability assessment to ongoing audit evidence – we guide you through every obligation.

Applicability assessment

Checking whether you reach the thresholds of the BSI-Kritisverordnung.

  • Sector and facility identification
  • Threshold calculation
  • Classification of the NIS2 category

BSIG 2025 gap analysis

Target/actual comparison against the requirements of § 30 and § 31 BSIG.

  • Mapping of existing measures
  • Gap and risk assessment
  • Prioritised action plan

Attack detection (SzA)

Implementing the SzA obligation under § 31 BSIG and the BSI guidance.

  • Requirements capture per the OH SzA guidance
  • SIEM/IDS/OT monitoring selection
  • Audit-evidence preparation

B3S & audit evidence

Applying industry standards and passing the three-year audit procedure.

  • Identify the applicable B3S
  • Implementation & internal audits
  • Audit procedure § 39 BSIG

Reporting & crisis management

Incident-response process in line with the reporting deadlines of § 32 BSIG.

  • Reporting process 24h/72h/1 month
  • Connection to the BSI reporting portal
  • Crisis exercises & communication

KRITIS-Dachgesetz compliance

Implementing the physical resilience obligations under BBK supervision.

  • Registration on the BBK/BSI platform
  • Physical risk analysis
  • BCM & personnel reliability

Why DLAU for KRITIS?

Regulatory depth

BSIG 2025, the BSI-Kritisverordnung and the KRITIS-Dachgesetz from a single source

IT & physical

We think about cyber and physical resilience together

Audit-ready

Experience with BSI audit procedures and assessments

Sector knowledge

Projects in healthcare, energy, utilities and public administration

Meet your KRITIS obligations together?

We assess whether you are in scope, close the gaps and guide you through registration, audit evidence and reporting – until you are audit-ready.

Related: IT security standards · NIS 2 · IT-Grundschutz