KRITIS-DachG
Resilience of critical infrastructures
The KRITIS Dachgesetz (KRITIS-DachG) supplements the existing regulations on the cyber security of critical infrastructures with a sector-specific consideration of physical security and resilience.
The KRITIS Dachgesetz (KRITIS-DachG) aims to strengthen the resilience of critical facilities in Germany against physical attacks. To this end, it contains minimum requirements for the physical security of critical infrastructures (KRITIS) as well as targeted support and supervisory measures. The background to this is the transposition of the EU Critical Infrastructure Protection Directive (CER Directive) into national law.
The KRITIS-DachG defines "critical facilities" as facilities that are of great importance to the functioning of the community and whose failure would lead to supply bottlenecks or hazards. The threshold for determining whether a facility falls under the law is the supply of 500,000 people or more.
The KRITIS-DachG affects operators of critical facilities in the following 11 sectors:
* These sectors fall under the scope of the KRITIS-DachG, but are largely exempt from many obligations.
The second draft bill of the KRITIS-DachG has been available since December 2023. It contains some changes compared to the first draft from July 2023.
The law was originally due to be promulgated in spring 2024, but its entry into force appears to have been delayed.
In general, the CER Directive must be transposed by the EU member states by 17 October 2024 at the latest. Given the political situation after the 2025 federal elections, the German transposition of the CER Directive is expected to be adopted in autumn 2025, together with the transposition of the NIS-2 Directive.
§ 6: Registration of the critical facility
Operators of critical facilities are obliged to register these with the Federal Office of Civil Protection and Disaster Assistance (BBK) no later than 3 months after they are considered to be operators of critical facilities for the first time or again. A contact point must also be set up and named as part of this process.
§ 10: Establishment of resilience measures
After 10 months following registration, operators of critical facilities are obliged to take suitable technical, security-related and organisational measures to ensure their resilience.
§ 11: Evidence
To verify compliance with the required measures, the competent supervisory authority may request the necessary evidence. Proof may be provided by means of audits. The Federal Office of Civil Protection and Disaster Assistance (BBK) specifies the requirements.
§ 14: Approval, monitoring and training obligation for managers
Managers of operators of critical facilities are obliged to approve and monitor the implementation of the measures taken. In addition, they must regularly take part in training courses to develop and expand their knowledge and skills in risk management.
§ 9: Carrying out risk analyses & assessments
Based on national risk analyses and risk assessments, operators of critical facilities must carry out their own risk analyses and assessments at least every 4 years. Natural, climatic and man-made risks that threaten the economy's ability to act must be considered.
§ 10: Preparation of resilience plans
The resilience measures taken must be presented in a resilience plan that sets out the considerations on which the measures are based, including the risk analyses and risk assessments.
§ 12: Obligation to report incidents
Significant disruptions affecting the provision of critical services must be reported within 24 hours to a joint reporting centre set up by the BBK and the BSI. A detailed report must also be submitted no later than one month after the incident.
§ 19: Fining provisions
The exact amount of fines is not yet defined in the draft bill. Administrative offences include, for example, failure to register in good time, missing documentation or risk assessments or failure to take appropriate resilience measures.