KRITIS-Dachgesetz 2026: Obligations for operators of critical infrastructures

On January 29, 2026, the German Bundestag passed the KRITIS-Dachgesetz. For the first time, comprehensive requirements for the physical security of critical infrastructures are enshrined in law. Operators of energy plants, waterworks, hospitals, and transportation hubs must act now: the registration deadline is July 17, 2026.

What is the KRITIS-Dachgesetz and why does it exist?

The KRITIS-Dachgesetz (Act on Strengthening the Resilience of Critical Infrastructure) transposes the European CER Directive (Critical Entities Resilience, Directive (EU) 2022/2557) into German law.

Goal: Critical infrastructures should become more resilient to all types of threats, from sabotage and natural disasters to technical failures.

What makes it special: Unlike previous regulations (e.g., NIS2 for cybersecurity), the KRITIS umbrella law focuses on physical resilience, i.e., plant security, property security, structural measures, and crisis management.

The all-hazards approach (All-Gefahren-Ansatz) means that operators must not protect themselves against individual risks in isolation, but think holistically: sabotage, fire, flooding, power failure, burglary.

The most important points

  • The KRITIS-Dachgesetz makes physical security a legal obligation

  • Important deadline: July 17, 2026 for registration with the BBK

  • After that: 9 months for risk assessment, 10 months for implementation of all measures

  • Operators must implement plant security, perimeter security, and resilience plans.

  • Failure to comply will result in heavy fines from 2027 onwards.

The law applies to facilities whose failure would affect at least 500,000 people.

Sector              Examples
Energy              Power plants, substations, gas pipelines, power grids
Water               Waterworks, sewage treatment plants, dams
Health              Large hospitals, blood banks, emergency dispatch centers
Transport           Airports, train stations, ports, control centers
Telecommunications  Data centers, mobile communications hubs
Food                Large warehouses, central distribution centers

Important: Federal states can set lower thresholds. This means that regionally important municipal utilities, smaller hospitals, or local transport companies may also be affected.

Checklist: the five obligations for affected operators

1. Registration with the BBK

All affected operators must register their critical facilities with the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK).

What you need to do:

  • Online registration via the BBK portal

  • Specification of location, sector, supply area

  • Appointment of a contact person

Deadline: July 17, 2026

2. Create a risk assessment

You must systematically analyze all threats to your facility (all-hazards approach).

You must assess these risks:

Intentional threats:

  • Sabotage and terrorism

  • Burglary and theft

  • Vandalism

  • Insider threats and espionage

Non-intentional threats:

  • Natural disasters (floods, storms, earthquakes)

  • Fire and explosion

  • Power outage

  • Technical failure

  • Human error

Important: The deadline runs from the date of your registration. Anyone who registers on July 17, 2026, has until April 17, 2027 to complete the risk assessment.

Deadline: 9 months after registration

3. Develop and implement a resilience plan

Based on the risk assessment, you must document:

  • What protective measures you take

  • How you respond in a crisis

  • How you restore operation

  • Who is responsible for what

Important: It is not enough to draw up the plan; you must also implement all the protective measures described in it within 10 months of registration.

Practical tip: The plan must be tested. Conduct emergency drills at least once a year.

Deadline: 10 months after registration

4. Implement physical protective measures

The law requires protection in line with the state of the art. It does not prescribe specific fence heights or retention periods; the figures below are practical benchmarks that are commonly used to meet that requirement:

Perimeter security

- Sturdy fences (at least 2.5 m high)

- Controlled access gates with identification checks

- Lighting for all outdoor areas

- Visible signage

Access control systems

- Electronic locking systems with logging

- Chip cards or biometric procedures

- Dual control principle for highly sensitive areas

- Visitor management with registration

Video surveillance

- Complete camera coverage of critical areas

- Recording for at least 72 hours

- Intelligent alerts in case of anomalies

- GDPR-compliant data storage

Alarm systems

- Burglar alarm system in accordance with VdS standard

- Fire alarm system with automatic fire department alert

- Personal alarm for staff

- 24/7 connection to control center

Professional plant security

What is new: physical protection, including a staffed security presence wherever the risk assessment calls for it, becomes part of a legal obligation rather than a voluntary measure.

Minimum requirements for security personnel:

  • Proficiency examination (Sachkundeprüfung) pursuant to Section 34a GewO (Trade Regulation Act)

  • Plant security qualification for particularly critical facilities

  • Fire safety assistant training

  • First aid certification

  • Training on plant-specific risks

What plant security actually does:

  • Access controls with identity verification

  • Regular property inspections

  • Monitoring of security systems

  • Initial response to alarms

  • Evacuation in case of crisis

  • Complete documentation

5. Securing supply chains

You must ensure that critical supplies are not interrupted:

  • Contracts with guaranteed delivery times

  • Alternative suppliers as backup

  • Emergency stocks of critical spare parts (e.g., pumps, filters, control technology)

Implementation: six steps to compliance

Step 1: Inventory (gap analysis)

Check honestly:

  • What protective measures do we already have in place?

  • Where are the biggest gaps?

  • What budget do we need?

Tip: Many security service providers offer a free initial consultation and gap analysis.

Step 2: Conduct risk assessment with experts

Hire experienced security consultants who know your industry.

They bring:

  • Knowledge of current threat situations

  • Assessment methods (e.g., risk matrix)

  • Industry-specific best practices

Schedule: Allow 4-8 weeks for a professional risk assessment.

Step 3: Implement quick wins

Some measures can be implemented quickly:

  • Improvement of outdoor lighting (1-2 weeks)

  • Install additional cameras (2-4 weeks)

  • Training of existing personnel (immediately)

  • Implement visitor management system (1 month)

Step 4: Plan long-term measures

Others need more lead time:

  • Establishment of 24/7 plant security (2-3 months)

  • Electronic access control (3-4 months)

  • Structural reinforcement (6-12 months)

Important: You have a maximum of 10 months after registration. Therefore, start immediately after registration.

Step 5: Establish professional plant security

In-house security vs. security service provider?

Criterion            In-house plant security          External service provider
Availability         Long recruitment lead time       Available immediately
Costs                High fixed costs                 Flexible scaling
Qualification        Your own responsibility          Certified personnel
Cover for absences   Must be organized yourself       Handled by the provider
Compliance           Your own responsibility          Documentation included

Recommendation for KRITIS operators: External service providers such as Pond Security, which have experience with critical infrastructure, generally offer better value for money.

Step 6: Use B3S standards

Pond Insider Tip: Those who implement recognized industry-specific security standards (B3S) can use them as a recognized basis for demonstrating that the legal requirements are met.

Advantage: No duplicate audits, standardized evidence, acceptance by the authorities.

Check whether B3S standards exist for your industry (e.g., for energy suppliers, waterworks). Caveat: the existing B3S were developed for IT security under the BSI Act, so check which of their controls actually cover the physical measures required here.

How Pond Security supports you with KRITIS compliance

As a security service provider for critical infrastructures, we focus on physical security:

Free initial consultation

- Impact assessment

- Gap analysis of your current security

- Individual recommendations for action

Risk assessment & security concepts

- Professional risk analysis based on an all-risks approach

- Development of compliant resilience plans

- Support with communication with authorities

Certified plant security

- Proficiency examination (Sachkundeprüfung) pursuant to Section 34a GewO (Trade Regulation Act)

- Plant security qualifications

- Fire safety & first aid

- 24/7 availability

Customized security solutions

- Property protection and access control

- Mobile patrols

- Control center connection

- Crisis management

Compliance documentation

- Audit-ready reports

- Training certificates

- Incident documentation


Frequently asked questions about the KRITIS-Dachgesetz

What is the difference between NIS2 and the KRITIS-Dachgesetz?

NIS2 regulates cybersecurity (digital threats), while the KRITIS-Dachgesetz regulates physical security (sabotage, fire, burglary). Many companies fall under both laws.

Who determines whether my company is affected?

Basically, you determine this yourself through a self-assessment. However, the BBK can also identify operators and contact them directly.

What happens if I do not register?

You are in breach of applicable law and risk fines from 2027 onwards. Therefore, register in good time.

Is an ISO 27001 certification sufficient?

No. ISO 27001 is an information security standard; although its Annex A includes some physical and environmental controls, it does not cover the physical resilience requirements of the KRITIS-Dachgesetz.

Do I have to set up my own in-house plant security?

No, but you need qualified security personnel. Many operators rely on external service providers such as Pond Security for cost and flexibility reasons.

Your trusted security partner.

Leading companies and institutions rely on Pond Security. Our security solutions protect well-known organizations in industry, commerce and the public sector nationwide.


Strong together, safe together.

We are here for you! Feel free to contact us by phone, E-Mail or conveniently via our contact form.

Rückinger Strasse 12, 63526 Erlensee

Our headquarters

+ 49 (0) 61 83 / 806 – 0

Call us

[email protected]

Send us an E-Mail

Your direct contact to us
