The KRITIS Umbrella Act and NIS2: What Applies to Whom?

Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.
The registration requirement under the KRITIS Umbrella Act (KRITIS-Dachgesetz) begins no earlier than July 17, 2026, and affects around 2,000 operators of critical facilities in Germany, significantly fewer than the roughly 30,000 companies subject to NIS2. Both frameworks run in parallel: NIS2 governs cybersecurity, while the KRITIS Umbrella Act governs physical protection. NIS2Compass explains who must comply with NIS2, the KRITIS Umbrella Act, or both frameworks at the same time.
What Is the KRITIS Umbrella Act and When Did It Take Effect?
The KRITIS Umbrella Act (KRITISDachG) creates, for the first time, a nationwide legal framework for the physical protection of critical infrastructure in Germany. It has been in force since March 17, 2026. It thereby complements the NIS2 Directive, which exclusively governs cybersecurity.
The law transposes the CER Directive (EU) 2022/2557 on the resilience of critical entities into national law, closing a gap that NIS2 deliberately left open. The legislative process went through several stages: the Bundestag passed the law on January 29, 2026, and the Bundesrat approved it on March 6, 2026. It was published in the Federal Law Gazette (Bundesgesetzblatt) on March 16, 2026, and took effect the following day.
In substance, the KRITIS Umbrella Act targets facility protection, operational continuity, and personnel security, in other words, the physical and organizational resilience of critical facilities. NIS2, by contrast, addresses IT security measures, risk management, and reporting obligations for cyberattacks. Both frameworks interlock, but they partly apply to different groups of operators.
Operators of critical facilities must register no later than three months after being identified as a critical facility, but not before July 17, 2026. Responsibility lies with a joint registration platform run by the BBK (Federal Office of Civil Protection and Disaster Assistance) and the BSI. Companies that must meet both obligations in parallel will find a structured overview of the respective requirements in NIS2Compass.
How Do the KRITIS Umbrella Act and NIS2 Differ?
NIS2 protects network and information systems from cyberattacks, while the KRITIS Umbrella Act protects critical facilities from physical threats. The two regimes complement rather than overlap with each other, and they are overseen by different authorities. The KRITIS Umbrella Act does not replace the earlier IT Security Act concept; instead, it deliberately extends NIS2 to cover physical protection.
The differences show up in five key areas:
- Protected interest: NIS2 addresses cybersecurity, meaning networks, IT systems, and data processing. The KRITIS Umbrella Act governs physical resilience: facility protection, access controls, operational continuity, personnel security, and crisis management.
- Responsible authority: For NIS2, the BSI holds primary responsibility. Under the KRITIS Umbrella Act, the lead lies with the BBK, supplemented by the BNetzA for energy and telecommunications and by the German states (Länder) for health, water, and food.
- Threshold: NIS2 is based on employee count and revenue, with essential entities starting at 250 employees or over €50 million in revenue. The KRITIS Umbrella Act, by contrast, measures the degree of supply coverage, with a standard threshold of 500,000 people served.
- Fine framework: NIS2 provides for fines of up to €10 million or 2 percent of annual revenue, while the KRITIS Umbrella Act separately provides for fines of up to €1 million, primarily for registration and documentation failures. Details on NIS2 fines are available in the article NIS2 Fines: Penalties for Non-Compliance
- Reporting channel: Both regimes follow a reporting cascade with an initial notification within 24 hours and a detailed report within one month. Cyber incidents go to the BSI, physical incidents go to the BBK.
For affected companies, this means: both reporting channels and both sets of responsibilities must be tracked in parallel.
Which Sectors and Thresholds Apply Under the KRITIS Umbrella Act?
The standard threshold under the KRITIS Umbrella Act is 500,000 people served (§3, §5 KRITISDachG). Anyone exceeding this value counts as a critical facility. The law covers eleven sectors under the CER Directive, supplemented by a twelfth special category with reduced obligations, whose physical resilience is now regulated on a binding basis.
The affected sectors include:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- Public administration
- Space
- Food
Municipal waste management occupies a special position: it falls under the Umbrella Act, but is subject to reduced obligations. One important exemption concerns the financial sector: financial companies subject to the EU's DORA regulation, as well as insurers, are exempt from the Umbrella Act under §4(2) KRITISDachG. For them, NIS2 or DORA takes precedence.
The thresholds are not set in stone. The Bundesrat had proposed lowering the threshold to 150,000 people served, which was not adopted in the final version. According to a protocol declaration by the German federal government from March 2026, a revision is nonetheless planned within two years, potentially affecting thresholds and additional sectors such as government, media, culture, and social services. Companies close to the current threshold should keep an eye on this development.
Whether your company falls under NIS2, the KRITIS Umbrella Act, or both depends heavily on sector and size. NIS2Compass explains the classification step by step: Am I Affected by NIS2? Here's How to Check
Does My Company Fall Under NIS2, the KRITIS Umbrella Act, or Both?
Whether NIS2, the KRITIS Umbrella Act, or both regimes apply depends on sector and company size. KRITIS operators are not a separate group, but a subset of companies affected by NIS2. Anyone who falls under the Umbrella Act is therefore almost always also subject to NIS2, but carries additional physical protection obligations on top.
Three groups can be distinguished. NIS2 only: companies in the financial sector are subject to DORA regulation, and insurers as well as IT/telecom service providers are expressly exempt from the Umbrella Act under §4(2) KRITISDachG. Both regimes: operators in energy, transport, health, water, food, and space that exceed the 500,000-person supply threshold, for example, large municipal utilities, regional water suppliers, or rail operators. NIS2 only, for the large majority: most NIS2-affected SMEs fall below the KRITIS threshold and carry NIS2 obligations exclusively.
The size ratio makes the classification tangible: of roughly 30,000 NIS2 entities in Germany, only around 2,000 are additionally subject to the KRITIS Umbrella Act. For the vast majority, NIS2 obligations alone remain in place. NIS2Compass's Pre-Check assigns companies to the relevant NIS2 categories and flags when KRITIS Umbrella Act thresholds might additionally be relevant.
Which Deadlines Apply Now, and What Happens in the Event of Violations?
Affected operators must register starting July 17, 2026, no later than three months after being identified as a critical facility. After that, a staggered chain of deadlines begins: a risk analysis within nine months, and a resilience plan and reporting system within ten months. Anyone who misses these deadlines risks fines under the KRITIS Umbrella Act as well as additional fines under NIS2.
After registration, the following deadlines apply:
Risk analysis (9 months, §12 KRITISDachG): operators assess natural, technical, and human-made hazards as well as dependencies on third parties and other critical facilities.
Resilience measures and resilience plan (10 months, §13 KRITISDachG): the plan covers prevention, physical protection, crisis management, operational continuity, and personnel security.
Reporting system (10 months, §18 KRITISDachG): incidents must be reported to the Federal Office of Civil Protection and Disaster Assistance (BBK) within 24 hours, followed by a detailed report within one month.
Management board obligation (10 months, §20 KRITISDachG): the management board must actively take responsibility for implementing resilience measures, not merely take note of them.
Violations carry two separate fine frameworks. Under §24, the KRITIS Umbrella Act provides for fines of up to €1 million, for example, for missing or late registration, missing documentation, or failure to remedy deficiencies. NIS2 sanctions independently and considerably more severely: up to €10 million or 2 percent of annual revenue for essential entities, and up to €7 million or 1.4 percent for important entities.
"The biggest misconception in the market is that NIS2 replaces the old KRITIS regulation," says NIS2Compass. "The opposite is true: affected operators now have more obligations under the KRITIS Umbrella Act than before, not fewer."
A municipal utility in the energy sector serving more than 500,000 people illustrates how the two frameworks interlock. It simultaneously qualifies as an NIS2 "essential entity" and as a KRITIS operator under the Umbrella Act, with two parallel deadline calendars and two reporting channels: the BSI for cyber incidents under NIS2, and the BBK for physical incidents under the Umbrella Act. For the management board, the governance issue nonetheless remains a single one: clarifying responsibilities, maintaining documentation, and demonstrating training. Affected companies were already familiar with a similar registration logic from NIS2 BSI registration.
The NIS2 Guide supports the buildup of the governance structure in Chapter 1, which is also relevant for the Umbrella Act.
Frequently Asked Questions
Do I need to register for both NIS2 and the KRITIS Umbrella Act?
Yes, if you are classified as a KRITIS operator. NIS2 applicability and KRITIS status are assessed separately and each requires its own registration. NIS2Compass helps keep both sets of obligations apart and find the right implementation path for each.
What happens if I miss the KRITIS registration deadline on July 17, 2026?
Under §24 KRITISDachG, fines of up to €1 million are possible. This sanction stands independently alongside potential NIS2 fines, since both laws provide for their own reporting obligations and their own sanction mechanisms. Timely registration avoids this risk.
Does the KRITIS Umbrella Act also apply to IT service providers?
No. IT service providers and telecommunications companies are expressly exempt under §4(2) KRITISDachG. For these companies, only the NIS2 Directive via the NIS2UmsuCG applies, not the Umbrella Act's physical resilience obligations.
What is the difference between the NIS2 threshold and the KRITIS Umbrella Act threshold?
NIS2 measures by employee count and revenue, starting at 50 or 250 employees respectively. The KRITIS Umbrella Act measures by degree of supply coverage, generally starting at 500,000 people served. A company can significantly exceed the NIS2 threshold and still remain below the KRITIS threshold.
Does the KRITIS Umbrella Act replace the previous KRITIS regulation?
No, it does not replace the existing BSI-KritisV. The Umbrella Act adds obligations for the physical protection of critical facilities on top of the existing rules. The previous cybersecurity obligations for KRITIS operators continue to run through NIS2 and the BSIG.
Implement NIS2 step by step
NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.
Get startedÄhnliche Artikel
NIS2 ISO 27001 Mapping: Excel Checklist Download
ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.
6 Min. Lesezeit
NIS2 BSI Registration: Missed the Deadline — What Now?
The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.
9 Min. Lesezeit
NIS2 Checklist as an Excel Template: the 10 §30 Obligations
Turn the 10 minimum measures from §30 BSIG into an Excel checklist: a 6-step build, ISO 27001 mapping, and common mistakes. With the free NIS2Compass Pre-Check.
8 Min. Lesezeit