KRITIS Security: The Underestimated Threat to Germany’s Critical Infrastructure


The threat situation for critical infrastructures in Germany is becoming increasingly severe.
As cyberattacks on hospitals, energy providers, and logistics companies increase, lawmakers are significantly expanding the circle of KRITIS operators.
The new KRITIS umbrella law will affect over 30,000 companies from 2025 – is yours among them?


The new KRITIS landscape in Germany

The KRITIS umbrella law and the NIS2 directive are fundamentally changing the regulatory environment.
Not only large corporations, but also medium-sized companies in critical sectors must implement comprehensive security measures.

Does it affect your company? The likelihood is higher than ever! In addition to the classic KRITIS sectors such as energy, water and health, numerous new areas are now being added:

  • Waste management
  • Food production and distribution
  • Chemical industry
  • Pharmaceutical industry
  • Digital infrastructures and services
  • Research institutions
  • And many more


The 7 mandatory security requirements for KRITIS operators

As a KRITIS operator, you must be able to demonstrate:

  1. Systematic risk management: Implement a structured process for identifying and assessing risks.
  2. Technical and organizational measures: Implement protective measures in accordance with the state of the art.
  3. Emergency and crisis management: Develop plans for dealing with security incidents.
  4. Continuity management: Ensure that critical processes can be maintained even in the event of disruptions.
  5. Supply chain management: Review the security standards of your suppliers and service providers.
  6. Reporting obligations: Establish processes for timely reporting of security incidents.
  7. Documentation requirements: Document all security measures and their effectiveness.


The existential risks of non-compliance

The consequences of inadequate KRITIS security are severe:

  • Fines in the millions (up to €10 million or 2% of global annual revenue)
  • Personal liability of management
  • Operational disruptions with massive financial consequences
  • Reputational damage and loss of trust
  • Potential threats to public safety

Alarming statistic: Over 60% of potentially affected companies have not yet implemented adequate measures!


The 5-step plan for KRITIS compliance

Meeting the KRITIS requirements calls for a structured approach:

  1. Applicability analysis: Clarify whether your company falls under KRITIS regulation.
  2. Gap analysis: Identify the gaps between your existing security measures and legal requirements.
  3. Action planning: Develop a prioritized implementation plan for the necessary measures.
  4. Implementation: Systematically implement the planned measures.
  5. Continuous improvement: Establish a PDCA cycle for the continuous optimization of your security measures.


Conclusion: KRITIS security as a strategic investment

The new KRITIS requirements undoubtedly present a challenge – but they also offer an opportunity to sustainably strengthen your company’s resilience.
View the necessary investments not as mere costs, but as a strategic measure to protect your business continuity.

The time to act is now. With the KRITIS umbrella law and the NIS2 implementation coming into effect in 2025, there is little time left for thorough preparation.
Companies that act early not only ensure compliance, but also gain a competitive advantage in an increasingly risk-prone business environment.
