Germany now has a law that requires energy providers, hospitals, water utilities, and transport operators to physically harden their facilities against attacks, sabotage, and disasters. This is called the Critical Infrastructure Resilience Act (KRITIS-Dachgesetz).
The law was approved by the Bundesrat on 6 March 2026 and published in the Federal Law Gazette on 16 March 2026.
Why Germany needed the Critical Infrastructure Resilience Act
There are multiple reasons for Germany to pass this law.
- Since Russia’s invasion of Ukraine, the number of drone sightings over critical infrastructure in Germany has increased sharply.
- In late 2022, the Nord Stream gas pipelines were blown up.
- In 2024, a power outage hit parts of southern Berlin after suspected attacks on infrastructure.
- The EU’s Critical Entities Resilience Directive (CER-Richtlinie, EU 2022/2557) requires all member states to transpose it into national law. Germany is doing so with this act.
What does the Critical Infrastructure Resilience Act implement?
The KRITIS-Dachgesetz is the first law in Germany to set cross-sector, uniform minimum standards for the physical protection of critical infrastructure. Until now, rules varied by sector and focused mainly on cybersecurity. This law goes further.
It covers operators in eleven sectors:
- Energy
- Transport and traffic
- Banking and financial markets
- Health
- Drinking water and wastewater
- Digital infrastructure
- Food
- Space
- Public administration
- Waste disposal
- Production and research
A facility qualifies as critical if its disruption would affect at least 500,000 people. The federal states can set lower thresholds for regionally important facilities.
Around 2,000 operators in Germany are expected to fall under the law.
What should the operators who fall under the Act do?
The law doesn’t specify exact measures for operators to take. It only requires operators to take actions that are “appropriate and proportionate” to their specific risks. What that looks like will differ between a hospital and a power grid.
The core obligations are:
- Register with the Federal Office for Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, or BBK) by 17 July 2026
- Conduct a risk assessment within 9 months of registration
- Submit a resilience plan and implement all protective measures within 10 months of registration
- Report incidents immediately via the joint reporting platform of the BBK and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)
The management of affected companies is personally liable for approving resilience measures and for monitoring their implementation. Violations can result in fines of up to €1 million.
NOTE: The KRITIS-Dachgesetz covers physical security, which includes facility access controls, perimeter protection, and crisis management. It complements, but does not replace, the NIS2 cybersecurity rules that also apply to many of the same operators.
What are the federal states complaining about with the new Critical Infrastructure Resilience Act?
The states have two main complaints.
- The 500,000-person threshold is too high. Many essential facilities in rural areas serve smaller populations and would fall outside the law. The states want a threshold of 150,000.
- The states object to being handed responsibility for resilience inspections of regional railways, while the Federal Railway Authority (Eisenbahn-Bundesamt, or EBA) oversees the national rail network. This split creates bureaucracy and an unfunded workload for state governments.