The regulatory "all-round protection" is coming
On 29 January, the Critical Infrastructure Umbrella Act was passed by the Federal Parliament, so the legislative process is now in its final stages. Affected undertakings must prepare to comply with extensive statutory minimum requirements in order to protect the installations they operate against physical and organisational threats. The Act pursues a physical "all-hazards approach" (natural disasters, sabotage, terrorism) and thereby complements the cyber security requirements already regulated by the Federal Office for Information Security Act. Undertakings falling within the scope of the Critical Infrastructure Umbrella Act also fall within the scope of the Federal Office for Information Security Act and must therefore implement the requirements of the NIS2 Directive as well.
Affected Undertakings
The Act applies to operators of critical installations that provide essential services to the population. The "criticality" of an installation is determined by the level of supply it provides. Installations in the following sectors only fall within the scope of the Critical Infrastructure Umbrella Act if certain supply thresholds are met:
- Energy
- Transport and Traffic
- Financial and Social Insurance Sector
- IT and Telecommunications
- Space Ground Infrastructure
- Public Administration
The aforementioned sectors fall within the competence of the Federal Government, which has determined that undertakings generally fall within the scope of the Critical Infrastructure Umbrella Act from a threshold of 500,000 persons supplied.
- Healthcare
- Drinking Water & Wastewater
- Food
- Municipal Waste Disposal
These sectors fall within the competence of the Federal States. The Federal Ministry of the Interior shall lay down rules by ordinance according to which the Federal States may decide whether certain installations in these sectors are to be regarded as critical and fall within the scope of the Critical Infrastructure Umbrella Act, even if they do not meet the "normal" thresholds (over 500,000 persons supplied).
Core Obligations under the Critical Infrastructure Umbrella Act (KRITIS-DachG)
- Registration & Contact: Registration with the Federal Office of Civil Protection and Disaster Assistance (BBK) via a joint portal of the BBK and BSI, including the designation of a contact person who is available at all times. Critical components in use must also be reported.
- Reporting Obligations: Significant incidents must be reported to the BBK within 24 hours. New: The authority must now promptly transmit "relevant follow-up information" (e.g. recommendations for action, warnings) to the operator in order to assist in managing the incident.
- Prevention: Implementation of technical and organisational measures (TOMs), such as access controls, emergency power and crisis teams, in accordance with the "all-hazards approach".
- Audits and Evidence: The authorities conduct risk-based audits (there are no fixed regular intervals). To avoid duplication of effort, existing IT security audits are recognised, with the results obtained from the Federal Office for Information Security.
- Exemptions: The Finance and IT & Telecommunications sectors are mostly exempt from requirements such as incident reporting, prevention measures, and audits, as they are already covered by specific regulations (namely DORA and NIS 2/BSIG). In these cases, only mandatory registration is required. However, there is a particular exception for the municipal waste and social security sectors: while these operators are freed from most operational obligations, they must still carry out a risk analysis every four years in accordance with Section 12.
Management Liability and Sanctions
Like the Federal Office for Information Security Act, the Critical Infrastructure Umbrella Act provides for personal responsibility of the management (Section 20). Liability follows primarily from company law (Section 43 of the German Limited Liability Companies Act / Section 93 of the German Stock Corporation Act). Infringements of the Critical Infrastructure Umbrella Act may result in fines of up to EUR 1 million.
Outlook
The legislative procedure is expected to be concluded in March 2026. Thereafter, affected undertakings will have at least 12 to 13 months to implement the new obligations.