What is KRITIS?
by josheph bell
August 18, 2025
What is commonly called the KRITIS Act (KRITIS-Gesetz) is the set of German legal provisions designed to protect so-called critical infrastructures (Kritische Infrastrukturen, KRITIS). These are facilities and services essential for the functioning of the state, the economy, and society; their failure or impairment would have far-reaching consequences for public safety and order. The obligations were introduced in 2015 by the IT Security Act (IT-Sicherheitsgesetz), which anchored them in the Act on the Federal Office for Information Security (BSI-Gesetz, BSIG); the BSI-Kritisverordnung (BSI-KritisV) of 2016 specifies which facilities count as critical. The rules have been revised several times since. The latest amendment in force at the time of writing, the IT Security Act 2.0 (in force since May 2021), tightened the requirements further to better protect operators against cyberattacks and outages.
In light of increasing threats from cybercrime, state-sponsored attacks, geopolitical tensions, and technological dependencies, the KRITIS Act plays a central role in Germany’s national cybersecurity strategy.
Key provisions of the KRITIS Act
Definition and scope
The law defines critical infrastructures as organizations and facilities of central importance to the community whose failure or impairment would cause significant supply shortages or threats to public safety. The sectors are energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, and, since the IT Security Act 2.0, municipal waste disposal. Operators of facilities that exceed the thresholds set in the BSI-KritisV (as a rule, facilities supplying 500,000 or more people) are classified as KRITIS operators and must comply with the cybersecurity requirements of the BSIG, which the BSI (Federal Office for Information Security) supervises and enforces.
Obligations for KRITIS operators
Affected companies must take appropriate organizational and technical measures, to the state of the art (Stand der Technik), to prevent disruptions of the availability, integrity, authenticity, and confidentiality of the IT systems that underpin their critical service. In practice this means:
- Protection against cyberattacks, with measures proportionate to the risk and the consequences of a failure
- Incident response and crisis management processes, so that disruptions can be contained and the service recovered
- Proof to the BSI every two years, for example through audits, reviews, or certifications, that the measures are in place and effective
Additionally, operators must register with the BSI (Bundesamt für Sicherheit in der Informationstechnik), name a contact point that is reachable at all times, and report significant disruptions of their IT systems to the BSI without undue delay. The reporting duty covers disruptions that have led to, or could lead to, a failure or impairment of the critical service.
Stricter requirements under the IT Security Act 2.0
The amendment, in force since 28 May 2021, introduced several additional obligations, including:
- Extended reporting and information duties: the BSI can require operators to hand over the information it needs to assess a reported incident, and the reporting duty is not limited to successful attacks. A significant disruption must be reported whether or not it actually caused an outage, so a serious attack that was detected and contained may still be reportable.
- Mandatory attack detection systems: since 1 May 2023, KRITIS operators must operate systems for attack detection (Systeme zur Angriffserkennung) that continuously evaluate suitable parameters and characteristics of their IT operation and are able to identify and avert ongoing threats.
- Critical components: in sectors where critical components are defined (initially public telecommunications networks), such a component may only be deployed if it is certified and the planned first use has been notified to the Federal Ministry of the Interior. The manufacturer must issue a declaration of trustworthiness (Garantieerklärung), and the ministry can prohibit the use of components from manufacturers it deems untrustworthy.
These provisions are intended to strengthen critical infrastructure cybersecurity in Germany against modern threats.
Why is the KRITIS Act important?
Protection of national security
Critical infrastructures are the backbone of a functioning society. Attacks or outages in these sectors could cause severe disruption—for example, nationwide power outages, disruptions in water supply, or attacks on hospitals and healthcare facilities.
Response to rising cyber threats
Cybercriminals and state-sponsored hacker groups deliberately target critical infrastructures. The KRITIS Act strengthens resilience and ensures faster incident response to mitigate damages.
Alignment with European requirements
The KRITIS rules sit alongside European cybersecurity law, above all the EU NIS2 Directive, which Germany is required to transpose into national law; the German transposition act (NIS-2-Umsetzungsgesetz) will bring far more companies into scope than the current KRITIS thresholds. Through strict rules, Germany aims to position itself as a leader in cybersecurity and critical infrastructure protection.
Which companies are affected by the KRITIS Act?
The rules apply to operators in the following KRITIS sectors in Germany:
- Energy (electricity, gas, fuel and heating oil, district heating)
- Water (public water supply and wastewater disposal)
- Food (food production, processing, and distribution)
- Information technology and telecommunications (internet and telephone providers, mobile operators, data centers)
- Health (hospitals, laboratories, pharmaceutical supply)
- Finance and insurance (banks, payment providers, insurers)
- Transport and traffic (airports, railway companies, ports, logistics hubs)
- Municipal waste disposal (added by the IT Security Act 2.0)
Companies in these sectors must assess whether the facilities they operate exceed the thresholds defined in the BSI-KritisV. If so, they are KRITIS operators and must comply with the BSIG cybersecurity requirements and reporting obligations.
Best practices for companies implementing the KRITIS Act
- Implement an information security management system (ISMS): develop a comprehensive cybersecurity strategy that identifies threats, defines protection measures, and sets out clear emergency processes. The sector-specific security standards (branchenspezifische Sicherheitsstandards, B3S) drawn up by industry associations and recognized by the BSI show what the BSI accepts as state of the art for a given sector.
- Deploy attack detection systems: use SIEM (Security Information and Event Management) or intrusion detection solutions that collect logs and network telemetry, evaluate them continuously, and raise alerts that someone actually acts on. The BSI's guidance on attack detection systems (Orientierungshilfe zum Einsatz von Systemen zur Angriffserkennung) describes the implementation levels it expects.
- Fulfill reporting obligations: KRITIS operators must report significant disruptions to the BSI without undue delay. Companies should establish an internal incident response team with clear reporting and escalation procedures, so that the decision to report does not depend on who happens to be on duty.
- Audit the supply chain: ensure security not only within the company but also across third-party vendors and service providers. Regular supplier audits and contractual security requirements for partners are essential, since an attacker who compromises a vendor with remote access often needs no further foothold.
- Train employees in cybersecurity awareness: many attacks exploit human error via phishing or social engineering. Regular training reduces risk and improves early detection of attacks.
Challenges in implementing the KRITIS Act
- High implementation costs: Many KRITIS operators must invest heavily in cybersecurity infrastructure to meet the law’s requirements. For smaller companies, this can be a financial burden.
- Geopolitical risks and targeted cyberattacks: International conflicts increase the risk of attacks on critical infrastructures, requiring constant adaptation of security strategies.
- Regulatory uncertainties: while the IT Security Act 2.0 has been in force for several years, some practical compliance questions remain open, and the pending transposition of NIS2 will change scope and obligations again. Companies need detailed BSI implementation guidance to ensure efficient compliance.
The KRITIS Act: Safeguarding critical infrastructure in Germany
The KRITIS Act is a cornerstone of Germany's cybersecurity and critical infrastructure protection strategy. It ensures that essential services become more resilient against cyber threats and comply with the binding requirements of the BSIG under BSI supervision.
For companies, this means greater responsibility. Those falling under the Act must act early to implement the requirements—ranging from attack detection systems to IT security management frameworks and staff training.
As cyber threats continue to evolve, so too will the KRITIS Act. Companies should therefore not only meet current obligations but also future-proof their cybersecurity strategies to stay ahead of new compliance requirements.