Companies in scope
In scope are public and private operators of “critical facilities” that are essential for the provision of critical services to the general public in Germany. Critical services are defined at sector level and span 10 strategic sectors, including energy, food, water, healthcare, financial services, space, information technology and telecommunications, and transport and traffic.
Whether a facility is critical depends on its significance for service delivery, i.e. whether its disruption would lead to material supply shortages or risks to public security. In principle, this includes facilities that supply more than 500,000 people. Technical thresholds and sector-specific criteria will be set (and may be expanded) by the Federal Ministry of the Interior by way of regulation (KRITIS-Verordnung). Federal States can also designate critical facilities of particular regional significance. Companies, particularly smaller ones, will therefore need to assess further whether they fall in scope. It is expected that more companies will be in scope than under previous KRITIS laws.
In addition, facilities whose failure would have an impact on at least six EU Member States can be designated as “critical entities of particular European significance” and are subject to enhanced coordination and scrutiny.
Key obligations
The Act complements the cybersecurity requirements under the German NIS2 implementation (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG), which have applied to approximately 30,000 important and essential entities active in 18 sectors since December 6, 2025. Operators of critical facilities are always essential entities under NIS2 (and as such were required to register with the BSI by March 6, 2026), but may be subject to additional obligations under the Act.
Risk assessment & resilience framework
Government agencies will publish risk analyses for each critical service, which will serve as a basis for the respective risk analyses and assessments that operators have to conduct at least every four years and that have to take into account, inter alia, natural, technical and human risks and the scope of interdependencies. Operators must have a holistic resilience framework covering governance, risk management, incident handling and supervision. Minimum requirements for the resilience framework include measures for emergencies and fail-safe operation, as well as stronger property protection and training. A written resilience plan is required, describing preventive and protective measures, detection and response mechanisms, and recovery and continuity arrangements. The Act does not impose specific measures; rather, operators have to determine and take appropriate and proportionate resilience measures, which may vary by sector and company. Different measures will be required in flood-prone areas, and a hospital must be protected differently from a power grid.
Management responsibility & liability
Senior management (Geschäftsleitung) is responsible for ensuring implementation of the resilience framework and overseeing compliance and can be held liable for non-compliance under the respective corporate law rules.
Registration obligation
In-scope companies must register with the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI) by July 17, 2026, or within three months of qualifying at a later date.
Designation of a point of contact
Operators must designate a specific point of contact who must be available 24/7. Operators of critical facilities belonging to the same sector can no longer set up a joint higher-level contact point. Companies should review their communication channels for exchanging information with the authorities.
Incident reporting
Operators must report significant security incidents that materially impair or could impair the provision of a critical service within 24 hours of becoming aware of the incident. This must be done via the existing Reporting and Information Portal (MIP). Continuous updates are required, and the final report is due within one month.
Impact on German foreign direct investment regulations
The KRITIS reform will have material knock-on effects for the German foreign direct investment (FDI) screening regime, given that the identification of critical facilities referenced in the FDI regime will be shifted from the existing IT security-based concept to the new KRITIS framework.
Under the current rules, the concept of critical facilities under the German FDI regime is essentially defined by a chain of cross-references: the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) refers to the BSIG, which in turn refers to the existing German Ordinance for Determining Critical Infrastructures (BSI-KritisV), which does not yet include the sector “space”. The BSI-KritisV provides for annexes that list specific facilities, each linked to defined thresholds. These thresholds determine whether a given facility qualifies as critical for the supply of specific services or goods in Germany. A common feature of the facilities listed in the annexes of the BSI-KritisV is that they describe, in essence, IT-related infrastructure such as data centres or IT systems for ports.
Under the Act, critical facilities will similarly be identified through ordinance-based thresholds set out in the KRITIS-Verordnung, which is yet to be adopted. However, it is to be expected that this list will be less dependent on the concept of IT-related facilities and systems. In addition, “space” is not yet an explicit sector under the current German FDI rules but will be incorporated into the scope of the German FDI regime, as it will be explicitly introduced as a new KRITIS sector.
Even more importantly in practice, the Act empowers the Federal Ministry of the Interior to determine on a case-by-case basis that a facility is critical, even where it does not meet the general thresholds set forth by the ordinance, and the Federal States have analogous powers within their competence. Since the future FDI rules cross-reference the general statutory definition of "critical facility" under the Act, facilities individually designated as critical should, based on the statutory framework, also fall within the scope of FDI screening. This would represent a notable expansion compared to the current regime, where mandatory FDI filing requirements are tied to the fixed thresholds stipulated by the currently applicable BSI-KritisV. However, the new KRITIS-Verordnung has not yet been published. Until its entry into force, the former framework governing FDI screening and critical facilities remains applicable, albeit subject to potential short-term change.
What to do now?
For operators:
- Conduct regular scope assessments by checking the size, sector and entity type.
- Register and prepare for timely compliance with specific requirements, including tracking of all critical components used.
- Align the resilience framework with existing NIS2 and DORA measures.
- Review the resilience framework and conduct management resilience training to prevent management liability.
- Review supply chain contracts for new due diligence and risk requirements.
For investors active in or contemplating transactions involving critical infrastructures and the space sector:
- Monitor these developments closely. Given the overlap between the BSIG and Act regimes and the expected consolidation under a new Foreign Direct Investment Screening Act (see our alert Germany to consolidate FDI screening rules: new draft investment screening act expected by mid-2026), transactions in sectors such as energy, IT and telecommunications, and space may face increased regulatory scrutiny.
- The combination of Germany's NIS2 transposition and the Act's all-hazards framework signals a protective posture, with resilience strengthened across cyber and physical vectors alike. Authorities can be expected to approach reviews of deals touching essential services or critical facilities with heightened scrutiny, prioritizing continuity of supply and safeguards against undue third-country influence. Early assessment of filing obligations and forward-looking compliance planning will be essential to navigate this evolving landscape.