
What the KRITIS Umbrella Act means for organisations
The KRITIS Umbrella Act has been in force since 17 March 2026 and, for the first time, establishes nationwide, cross-sector minimum standards for the protection of critical infrastructure in Germany. For affected organisations, this means that the protection of critical assets is no longer considered solely from an IT security perspective, but in much broader terms, including resilience, physical protection, risk analysis and reporting procedures.
What the KRITIS Umbrella Act regulates
The KRITIS Umbrella Act brings critical assets and their operators within a clear legal framework. Its main focus is on:
- nationwide minimum standards for physical protection
- a cross-sector resilience approach
- risk analyses and risk assessments
- specific resilience measures and resilience plans
- incident reporting obligations
- official evidence requirements, audits and regulatory orders
In addition, the Act provides for cross-sector minimum requirements to be specified in greater detail by statutory instrument. Operators and industry associations may also develop sector-specific resilience standards, which may be recognised by the Federal Office of Civil Protection and Disaster Assistance (BBK) as suitable.
Who is affected by the KRITIS Umbrella Act
Identifying KRITIS assets, and therefore determining whether an organisation falls within scope, is the responsibility of the organisations themselves, provided that they operate in one of the KRITIS sectors. The KRITIS sectors are:
- Energy
- Water
- Health
- Transport and Traffic
- Digital Infrastructure
- Social Security
- Space
- Public Administration
- Manufacturing
- Food
- Waste Management
- Chemicals
- Financial Sector
- Digital Providers
- Research
- Postal & Courier Services
One useful point of reference is that a facility is considered essential to overall service provision in Germany if it is indispensable to nationwide supply and serves more than 500,000 people. At the same time, the parliamentary process added a provision allowing the federal states to identify additional critical assets for certain critical services where sole responsibility lies with them.
What obligations the KRITIS Umbrella Act places on organisations
The KRITIS Umbrella Act does not remain at an abstract level, but identifies specific areas of action that operators are expected to address. These include, among other things:
- emergency preparedness
- physical protection, for example through structural and technical safeguards
- monitoring of the surrounding area
- detection equipment and access controls
- risk and crisis management procedures
- defined procedures in the event of an alert
- measures to maintain operations, such as emergency power supply
- alternative supply chains
- personnel security
- information materials, training and exercises
This makes it clear that the KRITIS Umbrella Act requires more than protective measures on paper. It calls for robust organisational and operational arrangements for prevention, response and recovery.
How incident reporting currently works
The KRITIS Umbrella Act also sets out clear rules for incident reporting. Incidents must be reported without undue delay and no later than 24 hours after they become known. If an incident is still ongoing, the initial report must be updated, and a detailed report must be submitted within one month. Reports are filed through a joint reporting office run by the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI), so physical and digital incidents do not have to be handled through separate reporting channels.
Implementing the KRITIS Umbrella Act in three steps
Organisations that may fall within the scope of the KRITIS Umbrella Act should no longer wait for a later stage in the legislative process before taking action.
Building implementation and taking action
The next step is to put robust structures in place for risk analysis, resilience measures, evidence requirements and reporting processes, and to begin implementation in a focused way. As the Act is already in force and further details may still be set out by statutory instrument, this step should not be delayed.
How 3-core supports organisations with implementation
By working with 3-core, organisations gain an experienced partner for the structured implementation of the requirements set out in the KRITIS Umbrella Act. We support them in determining whether they fall within scope, carrying out risk analyses, developing appropriate resilience measures, and preparing robust evidence and resilience plans.
In addition, we support organisations not only with specialist expertise, but also with a suitable tool that allows measures, responsibilities, evidence and ongoing developments to be managed in a structured and transparent way. This means that implementation of the KRITIS Umbrella Act is not only documented, but can also be managed efficiently in day-to-day operations.

