Critical Infrastructures and KRITIS in Germany

German Critical Infrastructure Protection legislation regulates operators of critical infrastructures and facilities in Germany (KRITIS). The BSI law (BSI-Gesetz) requires operators to implement cybersecurity in their regulated critical facilities (Anlagen) in critical sectors. The IT security law has been updated several times since 2014.

This regulation will change in Germany in 2024 with the KRITIS Framework law (DE) and NIS2 Implementation (EN) – both will implement EU regulations from NIS2 and RCE directives. The number of affected German companies will increase from 2,000 to around 30,000 – with more sectors, company sizes and new security requirements.

EU NIS2 Summer School

Workshop: German Critical Infrastructures in English

An introduction to German KRITIS and NIS2 regulation. (S24.2)
Summer School ∙ Module S24.2 ∙ English ∙ 11 June 2024 online

This is the English version of the page on German Critical Infrastructures and German NIS2.

Who is affected?

KRITIS until 2024

German critical infrastructure regulation consists of three layers to identify affected companies – in the German CIP (KRITIS) context valid until ~2024.

  1. Sectors and services: Defined by law to contain critical operators
  2. Infrastructure (facilities): Specific infrastructure used for providing critical services
  3. Operators (KRITIS): Identified by owning critical infrastructure facilities for critical services

The definitions (1 and 2) as well as the method (3) are documented in German law. With them, operators have to identify their own infrastructures and register their facilities with authorities. This will be changed with NIS2 from 2024 onward.


Germany defines eight critical (KRITIS) sectors, in which critical operators provide legally defined critical services to the general public:

  1. Energy
  2. Water
  3. Food
  4. Health
  5. Transport
  6. Waste
  7. IT and Telecommunications
  8. Financial and Insurance


The critical services are provided by operators on critical infrastructures (KRITIS-Anlagen), specific facilities defined by German KRITIS regulation in the KRITIS ordinance. Operators use these assets (and their definitions) to identify their own scope of applicability in their company and registration to authorities.


Companies that operate infrastructure facilities above legally defined thresholds will become regulated operators of Critical Infrastructures (KRITIS). These operators will need to comply with security requirements of German KRITIS regulation within their affected infrastructure.

Existing certifications (ISO 27001 and C5) help but usually do not cover the whole KRITIS scope of the infrastructure and mandated requirements.


NIS2 and KRITIS from 2024

Critical infrastructure regulation will change significantly from 2024 on in Germany with the German NIS2 implementation as well as other addition to KRITIS (RCE, Dachgesetz).


The German NIS2 implementation (EN) and KRITIS Framework law (DE) increases the number of affected sectors and companies – operators and entities. Both laws will lead to thousands of new entities of medium and large companies, the majority of Germany’s economy.

  1. Energy
  2. Water
  3. Health
  4. Transport
  5. IT and telco
  6. Finance and insurance
  7. Space
  8. Food
  9. Waste
  10. Post and courier
  11. Chemicals
  12. Industry
  13. Digital services
  14. Research
  15. Central government*

  - critical assets     - very important (essential)     - important


The NIS2 implementation in Germany defines three (four) groups of company types in scope:

  1. Very important (essential) entities based on company size in NIS sectors (#1)
       companies with ≥ 250 staff or
       companies with ≥ 50m EUR revenue und assets ≥ 43m EUR
       special cases: qTSP, TLD, DNS, telco, critical facilities, central government
  2. Important entities based on company size in NIS sectors (#1 and #2)
       companies with ≥ 50 staff or
       companies with ≥ 10m EUR revenue und assets ≥ 10m EUR
       trust services
  3. Operators of critical facilities (KRITIS) are still regulated based on KRITIS methods with individual infrastructure assets
       Critical facilities above threshold (usually ≥ 500k supplied persons)
  4. Some federal entities are also regulated with separate requirements

Companies in these groups become regulated entities (NIS2) and will need to comply with security requirements of German NIS2 regulation – throughout their company.

Existing certifications (ISO 27001 and C5) will probably help but will not necessaritly cover the whole NIS2 scope in that company and mandated requirements.




Critical infrastructure protection (CIP) regulation in Germany is based on IT Security Acts since 2015 and separate KRITIS ordinances that define the legal framework and requirements for operators. There were two IT Security Acts in 2015 and 2021, both of which changed existing German laws for critical infrastructure protection.

The existing IT Security Act 2.0 has been in force since 2021 and will be superseded by German EU NIS2 and RCE implementations from 2024 on.

Compiled based on draft laws, December 2023
KRITIS NIS2 Implementation KRITIS Framework
Focus Cybersecurity Cybersecurity Resilience
Name IT Security Act 2.0 NIS2UmsuCG KRITIS-DachG
Law changes BSIG changes BSIG own law
Changes to Energy, telcos, etc. Energy, telcos, etc. none
Companies Operators critical facilities Operators critical facilities
Federal administration
Operators critical facilities

some Federal administration
Drafts Final 3 2
In force Since 2021 Oct 2024 (plan) Oct 2024 (plan)
Regulator BSI BSI BBK
Based on extended earlier law EU NIS2 EU RCE

Several federal German agencies are responsible for regulating and supervising critical operators with increased formal authorities:




  1. Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme vom 17. Juli 2015 (IT-Sicherheitsgesetz), Bundesgesetzblatt Jahrgang 2015 Teil I Nr. 31, ausgegeben zu Bonn am 24. Juli 2015
  2. Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung - BSI-KritisV), vom 22. April 2016 (BGBl. I S. 958), die durch Artikel 1 der Verordnung vom 21. Juni 2017 (BGBl. I S. 1903) geändert worden ist
  3. Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz - BSIG) vom 14. August 2009 (BGBl. I S. 2821), das zuletzt durch Artikel 73 der Verordnung vom 19. Juni 2020 (BGBl. I S. 1328) geändert worden ist