KRITIS Protection Against Drones: How Critical Infrastructure Operators Ensure Airspace Security

German security authorities registered over 1,000 suspicious drone sightings in 2025 alone. In January 2026, a targeted attack on a cable bridge in Berlin-Marzahn paralyzed 45,000 households and 2,200 businesses for days – a wake-up call for every critical infrastructure operator.

At the same time, on January 29, 2026, the Bundestag passed the KRITIS Umbrella Act: For the first time, nationwide, cross-sector minimum standards for the physical protection of critical facilities apply. The registration deadline is July 17, 2026. Those who fail to consider drone threats in their risk analysis face fines of up to one million euros – and significantly more in a serious incident.

This guide shows the specific obligations created by the new law, why drones are becoming the greatest physical threat to critical infrastructure facilities, and how operators can effectively protect themselves with the right combination of drone surveillance and drone defense.

The New Threat Landscape: Why Drones Are Becoming the Greatest Physical Threat to Critical Infrastructure

Over 1,000 Drone Sightings in One Year

The numbers speak for themselves. BKA President Holger Münch publicly confirmed that German authorities registered over 1,000 suspicious drone sightings over sensitive facilities in 2025. The German Air Traffic Control (DFS) recorded 225 drone-related disruptions in German airspace – an increase of 40 percent compared to the previous year. In Saxony alone, 21 security-relevant drone overflights over critical infrastructure were documented, while Mecklenburg-Vorpommern reported 68 incidents in the first half of the year.

The actual number is likely significantly higher. Many critical infrastructure facilities lack any drone detection systems – they simply cannot detect overflights.

Hybrid Warfare: Espionage, Sabotage, and Digital Twins

The threat extends far beyond curious hobby drones. Security experts warn of a systematic pattern of hybrid warfare: Drones are used to scout infrastructures, identify vulnerabilities in security concepts, and create digital terrain models that prepare for later attacks.

The NATO Exercise Hedgehog 2025 has impressively confirmed the military dimension: Ten drone pilots were enough to incapacitate two complete NATO battalions. What applies in a military context is increasingly true for civilian infrastructure as well.

The attack on Berlin's power supply in January 2026 demonstrates that the threat is not theoretical. 45,000 households and 2,200 businesses were affected – the economic repercussions amounted to millions.

Which Critical Infrastructure Sectors Are Particularly Vulnerable

Fundamentally, all nine critical infrastructure sectors are affected by drone threats. However, particularly exposed are:

Energy Supply: Substations, high-voltage lines, wind farms, and solar installations are often located in open landscapes and are difficult to secure. A targeted drone attack on a single substation can cut off hundreds of thousands from the power supply.

Water Supply: Wastewater treatment plants and water purification facilities are extensive, often inadequately monitored, and vulnerable to contamination or sabotage.

Transport and Traffic: Airports, railway facilities, and ports are difficult to protect comprehensively with traditional security measures. Drones pose an acute operational risk here.

Telecommunications: Data centers and transmission masts are targets for espionage and sabotage. A failure can have cascading effects on all other sectors.

The logistics sector is also increasingly coming into focus. How Drone Security for Logistics Companies this can specifically look like is shown in our separate guide.

The KRITIS Umbrella Act 2026: What Operators Need to Know Now About Physical Protection

CER Directive, NIS2, and KRITIS Umbrella Act in Interaction

The regulatory landscape for KRITIS operators fundamentally changed in 2026. Three sets of regulations are intertwined:

KRITIS Umbrella Act (KRITISDachG): Transposes the European CER Directive (EU 2022/2557) into German law. For the first time, nationwide, cross-sector minimum standards for the physical protection of critical infrastructures are defined.

NIS2 Implementation Act: Expands IT security obligations. The number of regulated companies is growing from currently around 4,500 to an estimated 30,000. IT and physical security are increasingly being considered together.

BSI Act (BSIG): Continues to regulate IT security for KRITIS operators, including reporting obligations and proof of the state of the art.

For operators, this means: Physical security – and thus also drone protection – is no longer a voluntary measure, but a legal obligation.

All-Hazards Approach: Drones as a Mandatory Risk to Consider

The KRITIS Umbrella Act pursues an all-hazards approach. Operators must identify and assess all relevant risks for their facilities – from natural disasters to technical failures and deliberate attacks. Drone threats clearly fall into the latter category.

Specifically, this means: Anyone who does not consider the drone risk in their risk analysis does not meet the requirements of the law. Given over 1,000 documented drone sightings per year and proven acts of sabotage, failure to consider it is hardly justifiable.

Deadlines, Obligations, and Fines

The law sets tight deadlines and severe penalties:

Registration by July 17, 2026: Operators of critical facilities must register with the Federal Office of Civil Protection and Disaster Assistance (BBK). A facility is considered critical if it supplies more than 500,000 people. The federal states can also identify regionally significant facilities below this threshold.

Risk analysis within 9 months: After registration, operators must conduct a comprehensive risk analysis based on the all-hazards approach and subsequently develop a resilience concept.

Incident reporting within 24 hours: Security-relevant incidents – including drone overflights – must be reported within 24 hours. A detailed report must follow within one month.

Fines up to 1 million Euros: In the event of serious violations of orders, fines of up to one million Euros may be imposed. Late submission of audits can be penalized with up to 500,000 Euros.

Management Liability: Personal Responsibility

Both the KRITIS Umbrella Act and the NIS2 Directive stipulate personal liability for management. Anyone who, as a managing director or board member, fails to implement the necessary measures or conducts an incomplete risk analysis, will be personally liable in the event of damage. Ignoring the drone risk is therefore not just an operational, but also a personal liability risk.

Drone Defense for KRITIS: Technologies and Approaches at a Glance

Professional drone defense and drone detection for critical infrastructures follows a three-stage model: Detect, Classify, Respond.

Stage 1: Detection – Knowing what's happening in the airspace

Drone detection systems form the basis of any protection concept. They utilize various sensor technologies that complement each other:

RF sensors (radio frequency): They detect radio signals between the drone and the remote control. Advantage: Passive detection, no self-emissions. Disadvantage: Does not work with autonomously flying drones without an active radio connection.

Radar: Detects drones independently of radio signals based on their movement and radar cross-section. Modern systems differentiate drones from birds and other flying objects.

Optical and thermal sensors: Cameras and thermal imaging systems enable visual verification and identification of detected objects.

Sensor fusion: The combination of multiple sensor types drastically increases detection probability and reduces false alarms. Professional systems fuse data in real-time to create a unified situational picture.

Stage 2: Classification – Threat or False Alarm?

Not every detected drone is a threat. AI-powered classification systems differentiate in real-time between harmless hobby drones, approved commercial flights, and potential threats. They identify the drone type, analyze flight behavior, and pinpoint the pilot's location. This friend-or-foe identification is crucial: it prevents overreactions and focuses resources on genuine threats.

Stage 3: Response – Initiating Countermeasures

In the event of a confirmed threat, various response options are available. Soft-kill measures disrupt the drone's control or GPS signals, causing it to return to its starting point, land, or crash. Alerting and documentation secure the incident for authorities and fulfill the reporting obligations of the KRITIS umbrella law. In certain cases, the drone can be physically neutralized by nets or other systems.

Security Airline's own approach goes a step further: A dedicated security drone is immediately flown to the identified pilot, forcing them to land through physical presence – without jammers, legally compliant, and within seconds. To see how this looks in practice, find it here.

▎ Legal Notice: Active drone defense measures (jamming, physical neutralization) are subject to strict legal frameworks in Germany. The use of jammers is generally reserved for security authorities. KRITIS operators should closely coordinate their defense concept with the relevant authorities. Detection and monitoring, however, are legally unproblematic and should form the basis of any protection concept.

Drones as Protectors: Automated Monitoring of Critical Facilities

Drones are not just a threat – they are also one of the most effective tools for protecting critical infrastructure. Autonomous surveillance drones patrol facility grounds around the clock, detect intruders, verify alarms, and provide real-time situational awareness.

Our provides a comprehensive overview of the technology. Guide to Security Drones and Surveillance Drones. In the KRITIS context, the following aspects are particularly relevant:

Autonomous Perimeter Monitoring for Extensive Facilities

Critical infrastructures often span vast areas: substations, waterworks, solar farms, or refineries frequently cover hundreds of thousands of square meters of terrain. Stationary cameras can barely cover these areas completely, and security personnel require hours for a single patrol round.

An autonomous surveillance drone launches from its base station (drone-in-a-box), surveys the entire site in minutes, and delivers high-resolution video and thermal imaging data to the control center. In case of an alarm, it reaches any point in under two minutes – regardless of site size or time of day.

Integration into existing security systems

For critical infrastructure operators, it is crucial that drone surveillance does not function as an isolated solution but is seamlessly integrated into the existing security architecture. Professional systems offer connectivity to intrusion detection systems and fence sensors, integration into existing video management systems, a live connection to certified emergency and service control centers, as well as automatic logging of all flights, alarms, and measures for legal documentation requirements.

24/7 Monitoring by Certified Control Centers

The Critical Infrastructure Umbrella Act requires operators to implement continuous security management. Drone surveillance connected to a VdS-certified control center meets this requirement: real-time alarm verification, immediate escalation to security forces, and comprehensive documentation – around the clock, 365 days a year.

Practical Example: Drone Surveillance in the Energy Sector

Energy facilities are among the most vulnerable critical infrastructure sectors. Solar and wind farms are particularly vulnerable due to their size, exposed location, and high material value.

A typical scenario: A solar farm covering 200,000 m². An autonomous surveillance drone flies irregular patrols – every 20 to 40 minutes, on varying routes. In case of a fence sensor alarm, it immediately flies to the alarm location, assesses the situation with thermal imaging and an HD camera, and reports to the control center. Simultaneously, the drone detection system identifies unauthorized drones flying over the park. Both systems work hand in hand – protection by and protection from drones in an integrated concept.

The Question of Responsibility: Who Protects Critical Infrastructure from Drones?

One of the most frequent questions from critical infrastructure operators is: Isn't drone defense a state responsibility? The answer is nuanced.

Police and Federal Police: General hazard prevention in airspace is the responsibility of police authorities. The Federal Police established its own drone defense unit in 2025. However, state forces cannot permanently protect every critical infrastructure facility.

German Armed Forces: The German Armed Forces may only operate domestically in narrow exceptional cases (mutual assistance under Article 35 of the Basic Law). Permanent drone defense by the German Armed Forces over civilian facilities is not constitutionally provided for.

Joint Drone Defense Center: The Federal Ministry of the Interior has initiated a joint drone defense center with a budget of 5 million Euros, which coordinates federal and state efforts. It is currently being established – a nationwide operational capability will take time.

Operator's Own Responsibility: The KRITIS Umbrella Act makes it unequivocally clear: operators are responsible for the physical resilience of their facilities. This explicitly includes protection against drone threats. Detection and monitoring are the responsibility of the operators – active defense measures require close coordination with authorities.

▎ Conclusion: Government structures are being developed, but KRITIS operators cannot and must not wait for them. Detection and monitoring can be implemented immediately and meet legal requirements. Active defense requires coordination with authorities.

Checklist: 7 Steps to a KRITIS-Compliant Drone Protection Concept

The following checklist provides KRITIS operators with a practical guide – from fulfilling obligations to operational implementation.

1. Conduct a Risk Analysis Based on an All-Hazards Approach Explicitly integrate drone threats into your risk analysis. Assess the probability of occurrence and potential damage for various scenarios: reconnaissance, espionage, sabotage, attack.

2. Identify Airspace Vulnerabilities Analyze your site from a drone's perspective: Where are the blind spots? Which parts of your facility are particularly vulnerable from above? Where could a drone pilot operate undetected?

3. Evaluate Detection and Monitoring Technology Determine which combination of RF sensors, radar, and optical systems is suitable for your facility. At the same time, include autonomous surveillance drones for active site monitoring.

4. Define Alarm Chains and Reporting Processes Define who is informed upon drone detection, what escalation levels apply, and how the statutory 24-hour reporting obligation is met.

5. Integration into the Overall Security Concept Drone protection must not be an isolated solution. Integrate detection and monitoring into your existing security infrastructure: control center, video surveillance, access control, intrusion detection system.

6. Train Personnel and Raise Awareness Raise awareness among your security personnel about drone threats. Train them in operating detection systems and practice alarm scenarios.

7. Plan Regular Tests and Audits Regularly test your drone protection concept under realistic conditions. Document the results – they are part of your proof of resilience to the authorities.

Investment Costs and ROI: What Drone Security Costs – and What Inaction Costs

Typical Investment Sizes for Critical Infrastructure Operators

The costs for a drone protection concept vary depending on facility size, threat level, and desired protection level. As a guide: A basic drone detection system starts at around 50,000 Euros. Powerful systems with sensor fusion and 360-degree coverage are in the six-figure range. Autonomous surveillance drones in a Drone-as-a-Service model cost 3,500 to 8,000 Euros monthly. For ongoing costs (maintenance, licenses, control center), critical infrastructure operators should budget around 100,000 to 150,000 Euros annually.

The Cost of Inaction

The investment costs are offset by significant risks:

Fines: Up to one million Euros for violations of directives, up to 500,000 Euros for delayed audits.

Operational Disruptions: The Berlin power outage in January 2026 affected 45,000 households and 2,200 businesses for several days. The economic damages far exceed the costs of a protection concept.

Reputational Damage: A successful attack on a critical infrastructure facility permanently damages the trust of customers, partners, and authorities.

Personal Liability: Management is personally liable if it is demonstrably proven that no adequate protective measures were taken.

Investing in drone security is therefore not an optional expense, but a business necessity – and a legal obligation.

Conclusion: Drone Protection is a Critical Infrastructure Obligation – and the Deadline is Approaching

The Critical Infrastructure Umbrella Act has unequivocally clarified: Operators of critical infrastructures are responsible for the physical protection of their facilities – including protection against drone threats. The registration deadline is July 17, 2026, and the risk analysis must be submitted within nine months.

At the same time, the threat situation is escalating: Over 1,000 drone sightings per year, hybrid warfare, and the Berlin infrastructure attack demonstrate that the danger is real and acute.

The solution lies in a combination: Protection from drones through detection and defense systems, and Protection by drones through autonomous monitoring. Operators who combine both dimensions not only meet legal requirements – they protect their facilities, their employees, and the security of supply for the population.

For emergency scenarios and rapid situational awareness during security incidents, Drone-First-Responder-Systems (DFR) are also available, providing real-time situational information to security forces before ground units arrive.

‍

Is your critical infrastructure protected against drone threats?

Security Airline analyzes your facility and develops a tailored protection concept – from drone detection and automated monitoring to control center integration.

• Free Vulnerability Analysis
• Protection Concept Compliant with the KRITIS Umbrella Act
• Combination of Drone Monitoring and Drone Defense
• 24/7 Monitoring by Certified Control Center

→ Request Protection Concept Now  |  +49 30 921 046 38

‍

FAQ – Frequently Asked Questions about KRITIS Protection Against Drones

What are the obligations of KRITIS operators regarding drone protection?

The KRITIS Umbrella Act requires an all-hazards approach: Operators must consider all relevant risks – including drone threats – in their risk analysis and implement appropriate protective measures. These include detection, monitoring, and defined response processes.

What does a drone defense system for KRITIS facilities cost?

A basic drone detection system starts at around 50,000 Euros. High-performance systems with sensor fusion are in the six-figure range. Autonomous surveillance drones in a DaaS (Drone-as-a-Service) model cost 3,500 to 8,000 Euros per month. Ongoing costs for maintenance and licenses are approximately 100,000 to 150,000 Euros annually.

Who is responsible for drone defense in Germany?

General hazard prevention in airspace falls under the responsibility of the police and federal police. The Bundeswehr (German armed forces) may only intervene in exceptional cases. However, the KRITIS Umbrella Act makes it clear: operators are solely responsible for the physical resilience of their facilities. Detection and monitoring can be implemented immediately; active defense requires coordination with authorities.

What is the difference between NIS2 and the KRITIS Umbrella Act?

NIS2 regulates the IT and cybersecurity of critical infrastructures and expands the circle of regulated companies to around 30,000. The KRITIS Umbrella Act for the first time defines nationwide minimum standards for physical protection. Both laws complement each other and require an integrated security concept.

Can drones also be used to protect critical infrastructure?

Yes. Autonomous surveillance drones patrol facility grounds around the clock, detect intruders, verify alarms, and deliver real-time situational awareness to the control center. They supplement or replace stationary cameras and security personnel on large sites.

What fines are imposed for violations of the KRITIS Umbrella Act?

For serious violations of directives, fines of up to one million euros can be imposed. Late submission of audit reports can be penalized with up to 500,000 euros. Additionally, the law provides for personal liability of the management.

How can energy facilities be protected from drone attacks?

Through a combination of drone detection (radar, RF sensors, optical systems), autonomous drone surveillance (perimeter protection, thermal imaging, AI analysis), and integration into a certified control center. The concept should be developed as part of the legally required risk analysis.

By when do KRITIS operators have to meet the new requirements?

Registration with the BBK must be completed by July 17, 2026. A comprehensive risk analysis including a resilience concept must be submitted within nine months of registration. Security incidents must be reported within 24 hours, effective immediately.

→ Book a web call now & secure a free security analysis | +49 30 921 046 38