A resilience plan includes, among other things, risk and dependency analyses, protection objectives, measures for prevention and response, emergency organisation, exercises, and supporting evidence.
KRITIS Umbrella Act 2026: Requirements, Obligations, and Audit Readiness
With the national transposition of the CER Directive, the protection of critical infrastructure in Germany will gain significantly greater importance in 2026. The current draft bill for the KRITIS Umbrella Act makes this clear: operators of critical infrastructure must prepare for stricter requirements, new reporting obligations, and robust evidence and documentation requirements.
KRITIS Umbrella Act 2026: New Requirements for Critical Infrastructure Operators
For KRITIS companies, the issue is no longer just complying with legal requirements. What matters now is how quickly and systematically the new obligations can be translated into robust operational processes.
Those who act early achieve more than mere compliance:
greater organizational and technical resilience
improved auditability and ability to provide evidence
more stable critical processes
greater trust among customers, partners, and public authorities
a measurable competitive advantage through proactive preparation
A holistic KRITIS strategy ensures that risks are identified early, measures are prioritized, and incidents are managed effectively.
Operational Changes in 2026 Under the KRITIS Umbrella Act
The KRITIS Umbrella Act will significantly increase the requirements for protecting critical infrastructure. Four operational areas are particularly relevant:
risk analysis and security concept
physical protection and protection zone concepts
resilience planning
reporting and evidence obligations vis-à-vis public authorities
In the future, companies will not only have to implement effective protective measures, but also document them in a structured manner and be able to provide robust proof of compliance in the event of an audit or inspection.
1. Risk Analysis under Section 12 KRITIS-DachG: The Foundation for Effective Protection
The risk analysis within the security concept under Section 12 KRITIS-DachG is the central starting point for the effective protection of critical infrastructure. It forms the basis for a risk-based security strategy and identifies where the greatest threats and dependencies for your company lie.
A structured all-hazards approach is particularly important here, as reflected, for example, in BSI Standard 200-3. This means that not only cyber risks are considered, but all relevant scenarios are systematically taken into account.
Typical Sources of Risk in the KRITIS Environment
These include, among others:
natural events and environmental hazards
technical failures and infrastructure damage
organizational errors and process failures
staff shortages or personnel unavailability
disruptions in supply chains and interfaces
sabotage, vandalism, and deliberate attacks
hybrid threats and cascading effects
What a Robust Risk Analysis Should Deliver
A sound risk analysis provides:
a realistic picture of threats and risks
prioritization of the most critical risks
the basis for targeted investments
better decision-making for protective measures
stronger ability to demonstrate compliance to supervisory authorities
In this way, a legal obligation becomes a strategic management tool for resilience and operational security.
2. Protection Zone Concept: Physical Protection of Critical Infrastructure
In addition to organizational and technical measures, the physical protection of critical infrastructure plays a central role. A protection zone concept is designed to secure sensitive areas in graduated layers – from the outer perimeter to the innermost core zones.
The principle follows an onion-layer model: multiple coordinated layers of protection make intrusion more difficult, delay attacks, and improve the detection of incidents.
Typical Components of a Protection Zone Concept
An effective protection zone concept includes:
perimeter protection, e.g. fences, gates, barriers, and site security
secured building envelopes, doors, and windows
access control systems
video surveillance and detection
alerting and intervention processes
clear responsibilities and escalation paths
organizational rules for visitors, service providers, and employees
Why Protection Zones Are So Important Operationally
A graduated protection zone concept is far more than a purely structural security measure. It creates the operational foundation for reducing risks at an early stage, effectively separating sensitive areas, and detecting unauthorized access more quickly. At the same time, it improves response capability in the event of an incident and helps ensure the long-term secure operation of critical infrastructure.
However, such a concept only reaches its full effectiveness when structural, technical, and organizational measures are closely aligned and work together seamlessly in practice. Only then can a robust and effective level of security be achieved.
3. Roadmap to Greater Resilience – What Does the Resilience Plan under Section 13 KRITIS-DachG Include?
The resilience plan under Section 13 KRITIS-DachG is the structured roadmap that enables operators of critical infrastructure to systematically strengthen their resilience. Its purpose is to improve prevention, limit the impact of disruptions, and accelerate the recovery of critical processes.
A resilience plan is not an isolated document, but an operational management tool for day-to-day operations.
What Belongs in a Resilience Plan
A practical resilience plan should include, among other things, the following elements:
an inventory of critical processes and assets
risk and dependency analysis
assessment of supply chains, interfaces, and cascading effects
definition of protection objectives
measures for prevention, detection, response, and recovery
emergency capacities and redundancies
crisis management organization and decision-making structures
communication and reporting channels
exercise and testing concepts
monitoring, review, and continuous improvement
Operational Value of a Resilience Plan
A robust resilience plan creates the conditions for identifying vulnerabilities at an early stage and addressing them in a targeted manner before they develop into critical disruptions. It helps to effectively limit the impact of outages, shorten recovery times, and clearly define responsibilities in the event of an incident. At the same time, it ensures that regulatory requirements can be met in a structured, transparent, and auditable way.
This means resilience is no longer treated as a one-time project, but is embedded as a permanent and actively practiced operating standard throughout the organization.
4. KRITIS Umbrella Act 2026: Reporting and Evidence Obligations – How to Become Audit-Ready
A particularly important aspect of the KRITIS Umbrella Act is the new reporting and evidence obligations. In the future, companies will not only be required to report incidents within the prescribed deadlines, but also to demonstrate that their resilience measures have been implemented effectively.
Which reporting obligations KRITIS companies will face
The current draft provides in particular for incident reports to be submitted to the BBK via a joint digital reporting portal operated by the BBK and BSI.
Key elements include:
an initial report without undue delay, no later than 24 hours after becoming aware of the incident
updates in the case of ongoing events
a detailed report no later than one month afterwards
The exact design of the reporting procedure and the formal requirements will be further specified by the competent supervisory authority.
What Evidence Companies Must Provide
For auditability and evidentiary robustness, it is essential that companies are able to document the implementation of their resilience requirements in a reliable and verifiable manner.
In particular, authorities may request the following evidence:
resilience plan
security concept
results of internal or external audits
documentation of measures and implementation status
evidence of exercises and tests
remediation plans for identified deficiencies
proof of implementation following on-site inspections
We get you ready. Trust 3-core as your consulting partner of choice.
3-core helps you translate the requirements of the KRITIS-DachG into day-to-day operations in a pragmatic and audit-ready manner: from designing reporting and alerting processes, to developing the resilience plan, to preparing for audits, certifications, and on-site inspections by supervisory authorities. In addition, we provide practical tools that can be integrated into your existing landscape in a system-agnostic way – both through our risk analysis template and through a practical resilience plan framework.
And we do not leave you to handle it alone: our interdisciplinary experts support the implementation process, adapt approaches and templates to companies across all KRITIS sectors and industries, and assist with execution so that tools become effective processes. In this way, legal requirements are turned into clear procedures, robust evidence, and real resilience in everyday operations.
FAQ on the KRITIS Umbrella Act 2026
What is the KRITIS Umbrella Act?
The KRITIS Umbrella Act is Germany’s national implementation of the CER Directive. It sets out requirements for the resilience and protection of critical infrastructure.
What will change for KRITIS companies in 2026?
KRITIS companies must prepare for stricter requirements in risk analysis, resilience planning, physical protection, as well as reporting and evidence obligations.
What is a risk analysis under Section 12 KRITIS-DachG?
It is part of the security concept and serves to systematically identify threats, dependencies, and vulnerabilities, and to derive appropriate protective measures.
What does audit-ready mean in the KRITIS context?
Audit-ready means that a company has structured its measures, processes, and supporting evidence in such a way that it can demonstrate compliance with the requirements of authorities or auditors in a robust and well-organized manner.