KRITIS Dachgesetz

Resilience of critical infrastructures

The KRITIS Dachgesetz (KRITIS-DachG) supplements the existing regulations on the cyber security of critical infrastructures with a sector-specific consideration of physical security and resilience.

What is the KRITIS Dachgesetz (KRITIS-DachG)?

The KRITIS Dachgesetz (KRITIS-DachG) aims to strengthen the resilience of critical facilities in Germany against physical attacks and other disruptions. To this end, it sets minimum requirements for the physical security of critical infrastructures (KRITIS) and provides for targeted support and supervisory measures. The background is the transposition of the EU Critical Entities Resilience Directive (CER Directive, Directive (EU) 2022/2557) into national law.

The KRITIS-DachG defines "critical facilities" as facilities of great importance to the functioning of the community whose failure would lead to supply bottlenecks or hazards. The threshold for determining whether a facility falls under the law is the supply of 500,000 people or more.

Who is affected by the KRITIS Dachgesetz?

The KRITIS-DachG affects operators of critical facilities in the following 11 sectors:

  • Energy
  • Transport & traffic
  • Food
  • Drinking water
  • Waste water
  • Municipal waste disposal
  • Finance & insurance*
  • Information technology & telecommunications*
  • Healthcare
  • Space
  • Government

* These sectors fall within the scope of the KRITIS-DachG but are exempt from most of its obligations, because they are already covered by sector-specific regulation.

When will the KRITIS Dachgesetz come into force?

The second draft bill of the KRITIS-DachG has been available since December 2023. It contains a number of changes compared to the first draft from July 2023.

The law was originally expected to be promulgated in spring 2024, but its entry into force has been delayed.

The CER Directive had to be transposed by the EU member states by 17 October 2024 at the latest; Germany has missed this deadline. Given the political situation after the 2025 federal elections, the KRITIS-DachG, which transposes the CER Directive, is expected to be adopted in autumn 2025 together with the NIS-2 implementation act (NIS2UmsuCG).

Requirements of the KRITIS Dachgesetz

§ 6: Registration of the critical facility
Operators of critical facilities are obliged to register them with the Federal Office of Civil Protection and Disaster Assistance (BBK) no later than three months after they first (or once again) qualify as operators of critical facilities. As part of registration, a contact point must be set up and named.

§ 10: Establishment of resilience measures
No later than 10 months after registration, operators of critical facilities are obliged to take suitable technical, security-related and organisational measures to ensure their resilience.

§ 11: Evidence
To verify compliance with the measures, the competent supervisory authority may request the necessary evidence. Proof may be provided by means of audits. The BBK specifies the requirements for this evidence.

§ 14: Approval, monitoring and training obligation for managers
The management of operators of critical facilities is obliged to approve the measures taken and to monitor their implementation. In addition, managers must regularly take part in training courses to develop and expand their knowledge and skills in risk management.

§ 9: Carrying out risk analyses and assessments
Building on the national risk analyses and risk assessments, operators of critical facilities must carry out their own risk analyses and assessments at least every four years. Natural, climatic and man-made risks that threaten the ability of the economy and society to function must be considered.

§ 10: Preparation of resilience plans
The resilience measures taken must be documented in a resilience plan that sets out the considerations on which the measures are based, including the risk analyses and risk assessments.

§ 12: Obligation to report incidents
Significant disruptions affecting the provision of critical services must be reported within 24 hours to a joint reporting centre operated by the BBK and the BSI. A detailed report must follow no later than one month after the incident.

§ 19: Fining provisions
The exact amount of fines is not yet specified in the draft bill. Administrative offences include, for example, failure to register on time, missing documentation or risk assessments, and failure to take appropriate resilience measures.

TÜV NORD IT Secure Communication (Berlin) advises on implementation; TÜV Informationstechnik (Essen) audits whether the requirements have been met.
The differences at a glance

KRITIS Dachgesetz (KRITIS-DachG) vs. NIS-2 Directive

KRITIS Dachgesetz (KRITIS-DachG)

Focus: Physical security and resilience of critical facilities

  • The KRITIS Dachgesetz (KRITIS-DachG) affects operators of critical facilities in 11 sectors in Germany; the underlying CER Directive applies EU-wide.
  • Transposes the CER Directive, whose transposition deadline was 17 October 2024.
  • The responsible supervisory authority is the Federal Office of Civil Protection and Disaster Assistance (BBK).

NIS2UmsuCG

Focus: Cybersecurity of critical infrastructures and other important entities

  • The NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) affects companies with 50 or more employees or an annual turnover of EUR 10 million or more in 18 defined sectors, plus a number of special cases (including KRITIS operators regardless of size).
  • Transposes the NIS 2 Directive, whose transposition deadline was 17 October 2024.
  • The responsible supervisory authority is the Federal Office for Information Security (BSI).