Author
Josua Benner
Posted on
01.06.2026

KRITIS Umbrella Act 2026: An Overview of Operators’ Obligations | Security Airline


With the KRITIS Umbrella Act, initiated in 2024, Germany introduces uniform obligations for operators of critical infrastructure for the first time. Its implementation deadlines fall in 2026, while the NIS2 Directive tightens cybersecurity requirements in parallel. In 2026, approximately 4,500 companies from ten sectors will have to demonstrate physical and digital protection concepts; violations can lead to fines of up to 10 million euros.

This guide explains what the KRITIS Umbrella Act requires of operators, how these obligations differ from the previous BSI-KritisV regime, and where the interface to the NIS2 Directive lies. Special emphasis is placed on the physical protection obligations, because protection against drones, sabotage, and espionage is regulated explicitly for the first time in 2026. It is written for management, information security officers (ISOs), and security managers in the energy, water, food, transport, health, finance, IT, and telecommunications sectors.

Note: The law is a framework law; many details will be specified in legal ordinances and industry standards. Waiting for the final interpretive texts costs time. It is more sensible to start now with the obligations that are already clear.

What is KRITIS?

KRITIS stands for critical infrastructure (Kritische Infrastrukturen) and refers to facilities whose failure or impairment would have significant consequences for supply, public safety, or the economy. Until now, operators were classified as KRITIS only if they exceeded defined thresholds, such as a certain number of people supplied or a minimum quantity of goods produced. With the KRITIS Umbrella Act, this circle widens and, above all, the obligations are standardized for the first time.

You can find a comprehensive assessment of the current threat status to critical infrastructure and the role drones play in our article KRITIS Protection Against Drones.

What is the KRITIS Umbrella Act?

The KRITIS Umbrella Act, officially the Act to Strengthen the Resilience of Critical Infrastructures (KRITIS-DachG), consolidates the physical protection obligations for KRITIS operators. It transposes the EU Directive on the Resilience of Critical Entities (CER, Directive (EU) 2022/2557) into German law. While the NIS2 Directive regulates cybersecurity, the Umbrella Act covers the physical counterpart: structural security, access control, supply chain resilience, and defense against external threats, including drones.

For the first time, physical and digital resilience are considered in an integrated manner. The Federal Office of Civil Protection and Disaster Assistance (BBK) assumes central oversight for the physical domain, while the BSI remains responsible for cybersecurity. Both authorities share situational reports and incident notifications.

Scope and Affected Sectors

The KRITIS Umbrella Act covers ten sectors. A simplified overview:

  • Energy: Power grids, power plants, solar and wind farms above threshold, gas infrastructure
  • Water: Drinking water suppliers, wastewater treatment plants
  • Food: Wholesale, logistics in the food sector
  • Transport and Traffic: Airports, ports, rail networks, logistics hubs
  • Healthcare: Hospitals, pharmacy logistics, laboratories
  • Finance and Insurance: Banks, payment service providers, insurers
  • Information Technology and Telecommunications: Data centers, Internet Exchanges, mobile networks
  • Government and Administration: Security authorities, judiciary, administrative services
  • Media and Culture: Broadcasting, press hubs
  • Municipal Waste Management: Waste incineration, recycling facilities

An entity counts as KRITIS if it exceeds defined thresholds. Examples: electricity grid operators supplying 500,000 or more people, hospitals with 30,000 or more inpatient cases per year, and food producers with an annual output of 434,500 tons or more. The Umbrella Act lowers some thresholds and brings new actors into scope, for the first time including logistics centers and data centers above a defined capacity.

Key Obligations at a Glance

The umbrella law outlines six core obligations:

1. Risk and Threat Analysis

Operators must conduct a systematic analysis that identifies natural, technical, and human threats. Drones, sabotage, espionage, and hybrid attacks are explicitly mentioned. The analysis must be updated every two years.

2. Resilience Measures

Based on the analysis, technical and organizational measures must be implemented. In the physical domain these include perimeter protection, access control, detection, and emergency preparedness. Proof of compliance must follow the state of the art, which the BBK specifies further in industry standards.

3. Incident Reporting Obligation

All significant incidents must be reported to the competent supervisory authority within 24 hours, followed by a more detailed assessment within 72 hours. Drone overflights suspected of espionage or sabotage count as significant incidents.

4. Emergency and Recovery Plans

Operators must document how they resume operations after an incident, how backup structures work, and which personnel reserves are available. Exercises are mandatory every three years.

5. Supply Chain Resilience

Protection does not stop at the company's own gates. Operators that depend on a small number of suppliers must identify alternatives, secure their logistics chains, and document single points of failure.

6. Appointment of a Resilience Officer

Every KRITIS operator must appoint a responsible person who serves as the interface to the supervisory authority and is accountable for implementation. In large corporations, this is often the Chief Security Officer.

Drone Protection as a KRITIS Obligation

Protection against unmanned aerial vehicles is enshrined explicitly in the KRITIS Umbrella Act for the first time. The explanatory memorandum to the law cites the sharply increased number of drone overflights of critical facilities, which the Federal Criminal Police Office (BKA) puts at over 1,000 incidents in 2025. Specifically, this means:

  • The risk analysis must include a drone threat assessment.
  • Resilience measures must include drone detection and reporting channels.
  • Drone overflights suspected of espionage or sabotage are reportable incidents.
  • Emergency plans must describe response chains for drone incidents.

One point the Umbrella Act does not spell out, but which shapes every implementation in practice: active drone countermeasures (jamming, GNSS spoofing, kinetic interception) remain reserved for state authorities under other legislation; private operators are not permitted to run jammers or spoofers themselves. Operators therefore work with a detection and reporting chain and can use autonomous Drone First Responder (DFR) drones to verify an alert within minutes.

A sensible KRITIS-compliant architecture combines RF detection, radar, optics, and acoustic sensors, because each sensor covers a gap in the others: RF detection only sees drones that transmit a control or video link and misses pre-programmed autonomous flights, radar detects those but struggles to tell a small drone from a bird, optics classify and document the object once it has been cued, and acoustic sensors cover the short-range near field. More on the specific implementation can be found in the article Drone Defense and Drone Detection.

Interface to the NIS2 Directive

NIS2 (Directive (EU) 2022/2555) is the digital counterpart to the Umbrella Act and is transposed into German law by the NIS2 Implementation Act (NIS2UmsuCG). Entities classified as KRITIS almost always also fall under NIS2 and are subject to additional requirements:

  • Documented IT security risk management measures.
  • Reporting of cyber incidents: early warning within 24 hours, incident notification within 72 hours, final report within one month.
  • Personal liability of management for breaches of these obligations.
  • Management of supplier risks.

In practice, this means that the risk analyses under the KRITIS Umbrella Act and NIS2 should be merged into one, as should the incident reporting channels. A practical check: does a single event, such as a drone overflight that also disrupts an OT network, trigger both reporting paths from the same incident register within the same 24 hours? The supervisory authorities (BBK and BSI) exchange information, so duplicate documentation can be avoided.

KRITIS Deadlines and Fines

The KRITIS Umbrella Act enters into force in stages. Key dates for 2026 at a glance:

  • Q2 2026: Submit first risk analysis to the BBK
  • Q4 2026: Resilience measures implemented and documented
  • Ongoing from 2027: Incident reporting obligation takes effect, BBK audits begin
  • Every 2 years: Update of the risk analysis
  • Every 3 years: Exercises for emergency and recovery concepts

Fines are severe: up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher. Management can be held personally liable. In the case of systematic violations, there is also the threat of losing the operating license.

Implementation in 90 Days: Roadmap

Those who begin implementation in 2026 can reach a viable state within 90 days. The following roadmap has proven effective in our consulting work with KRITIS operators:

Day 1 to 10: Inventory and Assessment

Inventory of all sites, facilities, and suppliers; check against the KRITIS thresholds; appointment of the resilience officer; initial stakeholder workshops.

Day 11 to 30: Risk and Threat Analysis

Structured assessment of natural hazards, technical risks, sabotage, espionage, and drone threats. The result is a prioritized register of measures.

Day 31 to 60: Implement Quick Wins

Quickly implementable measures: improved access control, updated emergency plans, introduction of a 24-hour reporting chain, and a pilot project for drone detection at one site. We recommend adapting site security to the new tasks at the same time; more on this in the article Security Guards in Logistics Centers.

Day 61 to 90: Architecture and Audit Preparation

Setup of a situational awareness system, sensor rollout, staff training, and a dress rehearsal of the incident reporting channels, run against the clock to confirm that the 24-hour and 72-hour deadlines can actually be met. The result is a documented status that can withstand an initial BBK audit.

Conclusion

The KRITIS Umbrella Act changes the rules for approximately 4,500 operators of critical infrastructure in Germany. 2026 is the year of implementation: resilience measures must be documented from Q4 onward, and audits begin in 2027. Those who start early avoid expensive rushed projects and at the same time close gaps in their own defense against drones, sabotage, and hybrid attacks.

Security Airline supports KRITIS operators from risk analysis to 24/7 drone detection operations. The mini drone wall, which we implement with RF sensor technology, radar, autonomous drones from the Arrow-401 system and a VdS control center, is KRITIS-compliant and audit-ready.

Next Steps

Are you a KRITIS operator and want to pass the audit smoothly in 2026?

Security Airline provides a KRITIS-compliant risk analysis, a tailor-made protection concept against drones, and an implementation plan that meets your deadlines.

  • Risk and Threat Analysis according to Section 6 of the KRITIS Umbrella Act
  • State-of-the-art drone detection and DFR system
  • Connection to VdS-certified monitoring station
  • Audit preparation and documentation package

Contact: +49 30 921 046 38   |   Request KRITIS Consulting
