10.04.2026
A wide range of sectors – energy, transport and traffic, financial services, social security and basic income support for jobseekers, healthcare, water, food, information technology and telecommunications, space, as well as municipal waste management – must brace themselves. The Act to Strengthen the Physical Resilience of Critical Installations (KRITIS-DachG) has entered into force, introducing a new catalogue of obligations for operators of critical installations. The aim is that disruptions, supply shortages and risks to public safety no longer merely make headlines, but ideally do not occur at all. For operators, however, this comes with far-reaching obligations backed by administrative fines. Many key questions remain unresolved.
The addressee of the Act is the operator of a critical installation, i.e. the person whose installation is of significant importance for the provision of a critical service. The Act covers sectors that are of particular importance to society, such as energy, transport and traffic, financial services, healthcare and municipal waste management. The key question, however, remains unresolved: which services count as “critical” in detail, and which installations are covered? The answer will only be provided by a future ordinance to be issued by the Federal Ministry of the Interior (BMI). This ordinance will specify critical services, categories of installations, thresholds based on supply levels and certain installations that are deemed significant irrespective of thresholds. Substantively, this ordinance is expected to closely follow the existing BSI Critical Infrastructure Ordinance.
By way of context: at the end of 2022, the EU adopted two complementary directives in order to address the current threat landscape in a holistic manner. In addition to the CER Directive, which focuses on the physical resilience of infrastructure and forms the basis for the KRITIS-DachG, the NIS 2 Directive was adopted to ensure digital resilience and cybersecurity. The NIS 2 Directive has been transposed into national law through the Act on the Federal Office for Information Security (BSI) and the associated BSI Critical Infrastructure Ordinance.
Under that ordinance, services such as the supply of electricity, gas, fuel/oil and district heating are classified as critical services in the energy sector. Correspondingly, installations such as power generation plants or heating plants are designated as critical installations. The threshold calculation is based on a supply volume of 500,000 inhabitants – a value that is expressly adopted by the KRITIS-DachG. Key criteria for determining thresholds will include, in particular, the number of persons supplied, interdependencies with other sectors, the duration and extent of potential disruptions, and the operator’s market share.
This otherwise coherent regulatory framework is, however, diluted by unnecessarily complex authorisations allowing federal and state authorities to provide for exceptions. They may designate installations as critical even where the criteria and thresholds set by the ordinance are not met. The scope of these powers remains insufficiently delineated, leaving considerable legal uncertainty.
Where an operator falls within the scope of the Act, it is subject to a range of obligations aimed at ensuring physical resilience.
I. First Step: Identification and Registration
Operators falling within the scope of the Act must register no later than three months after being classified as a critical installation, but not before 17 July 2026. Registration is carried out with the Federal Office of Civil Protection and Disaster Assistance (BBK) via an electronic registration platform jointly operated with the BSI – similar to the platform already known from the BSI Act. In particular, operators must provide contact details, sector classification and relevant supply metrics, which must be kept up to date on a regular basis. Failure to register may result in requests for information, obligations to provide documentation and, ultimately, compulsory registration by the authorities.
II. Risk Assessments: Risk Management on a Four-Year Cycle
Operators must establish a structured risk management system. No later than nine months after registration – and at least every four years thereafter – risk assessments must be carried out. These must be aligned with the national risk assessments conducted on a four-year cycle and must translate into concrete resilience measures. All natural, technical and human-induced risks that may significantly affect the availability of the critical service must be covered, including cross-sectoral and cross-border scenarios. Particular attention must be paid to interdependencies: to what extent does the operator depend on other critical services – including in other sectors, EU Member States and third countries? Conversely, how dependent are other sectors on the operator’s services? Further requirements will be specified by ordinance.
III. Core Obligations: Resilience Requirements
Ten months after registration, the resilience obligations take effect. Operators must prevent incidents as far as possible, physically secure their sites and installations, respond effectively to incidents, mitigate damage and restore the critical service without undue delay. These obligations follow a risk-based approach: they are based both on national risk assessments and on the operator’s own risk analysis. On this basis, operators must derive technical, security-related and organisational measures in accordance with the state of the art. The costs and benefits of such measures must be proportionate to the risks involved, taking into account the operator’s economic capacity, and must not exceed what is necessary and proportionate; the Act sets out this principle expressly. It also provides examples of measures, including structural and technical safeguards, alternative supply chains, as well as training and exercises.
The specification of resilience obligations is distributed across a large number of actors. Cross-sector minimum requirements are defined by the BMI, which may delegate this power to the BBK. Operators and industry associations may propose sector-specific standards, which the BBK reviews and publishes where appropriate. At the same time, several federal ministries and the Länder may adopt sector-specific minimum requirements in the absence of recognised standards. In addition, the European Commission may adopt technical and methodological specifications through implementing acts, which take precedence. The result is likely to be a complex multi-level regulatory framework that will be difficult for operators to navigate.
IV. Resilience Plan: Documentation Requirement
Resilience measures must be documented in a resilience plan. The plan must demonstrate the considerations on which the measures are based and how they were derived from the operator’s internal risk analysis. It is not a static document: it must be reviewed and updated as necessary and after each risk assessment. According to the Act, the BBK must provide templates and guidance for resilience plans by 17 January 2026 – a date that lies before the earliest registration date of 17 July 2026, appears inconsistent and is likely to require clarification. It is already apparent that the resilience obligations and the resilience plan will entail a considerable administrative burden for operators.
Responsibility for implementing the resilience obligations lies explicitly with the management body. If these obligations are breached, management is liable to the entity under general principles of company law. The KRITIS-DachG provides for an additional, standalone liability regime only on a subsidiary basis, i.e. where the applicable company law does not provide for liability. In practice, liability is therefore likely to remain within the established framework of directors’ and officers’ liability.
V. Supervisory Powers: Evidence Requirements and Audits
Compliance with the resilience obligations is subject to risk-based supervision. Where existing evidence is insufficient, the competent authority may request further information or order audits. The selection of operators for supervision depends on risk exposure, company size and the potential impact of incidents. In practice, this is likely to result in sample-based controls. Authorities may also rely on qualified independent third parties, who are granted rights of access and information during normal business hours. Where deficiencies are identified, authorities may require remediation plans and order specific measures. In addition, the BBK – in agreement with the competent federal ministry and the BSI – defines requirements for evidence and audits and provides guidance and templates. An exception applies to large parts of the energy sector (electricity, natural gas and hydrogen), where the Energy Industry Act takes precedence and provides for comparable requirements but significantly fewer sanctioning provisions.
VI. Incident Reporting: Rapid Notification Obligations
The Act introduces a two-stage reporting system. From ten months after registration, incidents must be reported without undue delay and, in any event, within 24 hours of becoming aware of them, to the joint reporting point of the BSI and the BBK. The initial notification must include, in particular, the number of affected persons, the actual or expected duration, the geographical spread and the potential for spatial containment. A detailed report must be submitted no later than one month after becoming aware of the incident. The details of the reporting procedure are determined by the BBK in agreement with the BSI, subject to any overriding EU implementing acts. The definition of an “incident” is derived by reference to the BSI Act and the Telecommunications Act. It covers events that significantly disrupt or are capable of significantly disrupting the provision of a critical service. Purely cybersecurity incidents are excluded; these fall within the cybersecurity regime of the BSI Act.
Certain obligations are backed by significant administrative fines. Violations of registration obligations or failure to cooperate with supervisory measures – such as incomplete information or refusal of access – may result in fines of up to EUR 100,000. Failure to comply with an order of the BBK to submit information in cases of suspected non-registration may result in fines of up to EUR 1 million. Missing evidence of compliance with resilience obligations or failure to provide a resilience plan may result in fines of up to EUR 200,000.
While the BBK formally acts as the central point of contact, the allocation of competences is in fact highly fragmented. The KRITIS-DachG itself designates more than a dozen competent authorities. The BMI may designate additional federal authorities, and the Länder may appoint their own authorities under an opening clause. This fragmented system raises concerns regarding practicality and crisis response capability. It remains to be seen whether such a structure can ensure a consistent level of protection in practice.
In several respects, the KRITIS-DachG falls short of the CER Directive. The German legislator has not made use of key flexibilities in favour of operators. In particular, the option under EU law to provide financial support to operators of critical infrastructure is not reflected in the Act. Instead, obligations and costs are allocated unilaterally to operators – despite the fact that critical infrastructure is essential for the provision of services and the safety of the population. Against this background, public co-financing of additional resilience requirements appears warranted, especially in light of Article 143h of the Basic Law. The signal sent so far is clear: resilience, yes – co-financing, no.
The KRITIS-DachG addresses an important issue: the protection of critical infrastructure against physical threats. It establishes a new cross-sector framework – but primarily regulates who is empowered to adopt secondary legislation. Only these implementing measures will ultimately define the scope of application and the administrative burden. In particular, the BMI is granted extensive powers to adopt ordinances. Together with additional federal and state competences, this creates the risk of an inconsistent and difficult-to-navigate regulatory landscape. For operators, this means significant administrative effort and considerable financial burden. At the same time, it remains unclear whether this complex, multi-layered regulatory approach will lead to faster and more effective resilience in practice. Much will depend on how quickly, clearly and coherently the implementing regulations accompanying the KRITIS-DachG are adopted.
Pauline Müller
Senior Associate
Dusseldorf
pauline.mueller@luther-lawfirm.com
+49 211 5660 14080