
Strengthening Critical Infrastructure: Germany's New KRITIS Umbrella Law and NIS-2 Implementation
Implementing the NIS-2 Directive (EU 2022/2555) and the Critical Entities Resilience ("CER") Directive (EU 2022/2557) into national law, Germany is reinforcing the security and resilience of its critical infrastructure, creating new compliance challenges and opportunities for organizations operating in or serving the German market.
The implementation comes under significant time pressure, as the transposition period for the NIS-2 Directive expired in October 2024 (see our previous Alert), and the European Commission has already opened infringement proceedings against several Member States, including Germany. The NIS-2 Implementation Act broadens the scope compared with earlier rules on critical infrastructure, now also covering areas like digital services, including cloud service providers and data centers, as well as the manufacturing sector and postal and courier services. Within corporate groups, thresholds are measured at group level if a subsidiary relies on the parent company's IT systems. The Act excludes activities that are "negligible" compared to a company's main business. However, since it does not define "negligible," it is unclear whether secondary activities in a regulated sector bring an entity under the Act's scope. For example, a manufacturing company that operates its own data center or provides cloud-based services to customers might fall within the Act's scope even though IT services are not its main business.
Covered entities must establish and document comprehensive risk management processes. Minimum protective measures expected of operators include: the introduction of designated emergency response teams, strengthened site security and access controls, and concrete measures to ensure operational continuity. Certain organizations must register with the Federal Offices for Information Security (BSI) and for Civil Protection and Disaster Assistance (BBK), and report security incidents within 24 hours through a central online portal. Regulatory supervision will be intensified, and violations can result in heightened administrative sanctions. Notably, managing directors may face explicit personal liability for compliance failures.
The KRITIS Umbrella Law complements the NIS-2 Implementation Act by defining critical infrastructures in Germany more precisely and requiring operators to protect them against an expanded range of threats—encompassing both cyber and physical risks (all-hazards approach). Organizations are obliged to base their risk mitigation strategies on both state and operator-led risk analyses, document the implemented measures, and provide substantiated proof to authorities. By integrating the requirements of both the NIS-2 and CER Directives and supplementing them with a comprehensive all-hazards approach, Germany's legislative framework goes beyond the EU minimum standards. However, since the NIS-2 Directive does not distinguish between primary and secondary activities when determining its scope of application, the question arises whether the German draft legislation ensures full and accurate transposition.
The new regulatory landscape in Germany significantly raises standards for critical infrastructure protection, with a renewed emphasis on management-level accountability. Organizations should assess whether they fall within the expanded scope of the rules. In light of new requirements regarding registration, risk management, documentation, and incident reporting, early internal reviews and preparations are highly recommended. The legislative process for both the NIS-2 Implementation Act and the KRITIS Umbrella Law is expected to conclude in late 2025, with entry into force shortly thereafter, underscoring the need for organizations to act now to ensure compliance readiness.