What is KRITIS? - Definition and Significance
The term KRITIS (Critical Infrastructure) refers to organizations, facilities, and systems of essential importance to the functioning of society, whose failure or impairment would lead to significant supply shortages, disruptions to public safety, or other dramatic consequences.
Official Definition under German BSI Act
According to Section 2(10) of the BSI Act (BSIG), critical infrastructures are "facilities, installations or parts thereof that are of high importance for the functioning of society because their failure or impairment would result in significant supply shortages or threats to public safety."
The classification as KRITIS is specifically regulated by the BSI-KRITIS Ordinance (BSI-KritisV), which defines specific thresholds for various sectors. With the NIS2 Directive (EU 2022/2555) and the planned KRITIS Umbrella Act, the regulatory framework will be significantly expanded from 2025.
Over 30,000 companies in Germany are expected to fall under the expanded KRITIS regulation from 2025/2026 - that's a tenfold increase compared to the previous ~3,000 operators!
KRITIS Sectors: Which Industries Are Affected?
The BSI-KRITIS Ordinance currently defines 9 main sectors with a total of 29 sub-sectors:
The 9 KRITIS Sectors
- Energy: Electricity, gas, petroleum supply, district heating
- Healthcare: Hospitals, pharmacies, laboratories
- Water: Drinking water supply, wastewater disposal
- Food: Food production and retail
- Finance and Insurance: Banks, stock exchanges, insurance companies
- Transport and Traffic: Rail, air, shipping, road transport
- Government and Administration: Government agencies, judiciary, emergency services
- Information Technology and Telecommunications: ISPs, data centers, cloud providers
- Media and Culture: Broadcasting, print media
New Sectors Through NIS2 (from 2025/2026)
- Manufacturing: Chemicals, pharmaceuticals, machinery and vehicle construction
- Waste management: Disposal companies
- Digital services: Social media platforms, search engines, cloud computing
- Research: Research institutions with critical infrastructure
- Postal and courier services: Parcel delivery services
- Public administration: Federal and state authorities
- Space: Satellite operators
Requirements for KRITIS Operators
Companies classified as KRITIS operators must fulfill the following 5 main obligations:
1. Registration with BSI
Report to BSI within 6 months of reaching the threshold. Consequence of non-reporting: Fine up to EUR 100,000
2. Designation of a Contact Point
Establish a contact point as interface to BSI with 24/7 availability for security-relevant incidents.
3. IT Security Measures According to State of the Art
- Risk management and threat scenario identification
- Access Control with Least-privilege principle and MFA
- Perimeter Security: Firewalls, IDS/IPS, Network Segmentation
- Monitoring & Logging with SIEM systems
- Patch Management for critical systems
- Backup & Recovery with offline backups
- Incident Response processes
- Security Awareness training
4. Security Audit Every 2 Years
Conduct IT security audit every 24 months. Options include security audit, ISO 27001 certification, or industry association verification.
5. Reporting of Significant IT Security Incidents
Immediate reporting of significant security incidents to BSI. Consequence of non-reporting: Fine up to EUR 2 million (after NIS2 implementation)
NIS2 Directive: The Major Expansion from 2025/2026
The NIS2 Directive replaces the previous NIS Directive and massively expands cybersecurity requirements. Entry into force is expected for late 2025 or early 2026.
The Two New Categories
| Category | Supervision | Fine (max.) |
|---|---|---|
| Essential Entities | Strict supervision by BSI | EUR 10 million or 2% of global turnover |
| Important Entities | Spot checks | EUR 7 million or 1.4% of global turnover |
New Reporting Deadlines
- Early notification: Within 24 hours
- Complete notification: Within 72 hours
- Final report: Within 1 month
New Technical Requirements
- Zero Trust Architecture implementation
- Multi-Factor Authentication mandatory for privileged accounts
- Critical patches within 14 days
- Encryption for data at rest & in transit
- DMARC, SPF, DKIM mandatory for email
- Privileged Access Management
Management Accountability
New: Personal Liability of Management - Management must approve and monitor cybersecurity measures. Personal liability possible in cases of gross negligence.
Compliance Strategy: How to Become KRITIS/NIS2 Compliant
Phase 1: Gap Analysis (4-6 Weeks)
- Threshold check: Determine if you exceed KRITIS thresholds
- As-is analysis: Assess current IT security posture
- Risk assessment: Identify critical assets and processes
Phase 2: Roadmap Development (2-3 Weeks)
- Prioritize measures by risk and regulatory urgency
- Create timeline with clear milestones
- Budget planning for security investments
Phase 3: Implementation (6-18 Months)
Quick Wins (0-3 Months):
- Registration with BSI
- 24/7 contact point
- MFA for privileged accounts
- Security Logging & Monitoring
- Incident Response Plan
Medium-term (3-12 Months):
- SIEM system implementation
- Network Segmentation
- Vulnerability Management Program
- Endpoint Detection & Response
- Security Awareness Training
Long-term (12-18 Months):
- ISO 27001 Certification
- Security Operations Center
- SOAR implementation
- Business Continuity Management
Conclusion
KRITIS regulation and NIS2 pose significant challenges - but also offer opportunities to strengthen cyber resilience. With over 30,000 affected companies from 2025/2026, cybersecurity becomes mandatory for large parts of the German economy.
Key Takeaways
- Know thresholds: Check annually if you are KRITIS-obligated
- Start early: Compliance takes 12-18 months
- Documentation: What is not documented is not implemented
- Continuity: Cybersecurity is an ongoing process
- Investment: Compliance costs less than fines and cyberattacks
KRITIS Compliance with e2security
Our experts support you with threshold assessment, gap analysis, and implementation:
- KRITIS/NIS2 Gap Assessment
- ISO 27001 Certification Consulting
- Penetration Testing & Audit Preparation
- Vulnerability Management as a Service
- Incident Response Plan Development
- 24/7 SOC Services