Commentary: Germany’s KRITIS Umbrella Act – Progress with Structural Limitations

March 6, 2026

Introduction: What the KRITIS Umbrella Act Means in an International Context

Germany has taken a significant legislative step to strengthen the protection of critical infrastructure with the adoption of the KRITIS Umbrella Act. The law establishes a national framework to improve the resilience and physical protection of critical facilities that provide essential services to society.

For international observers, the term KRITIS refers to Kritische Infrastrukturen—critical infrastructures whose disruption would have severe consequences for public safety, economic stability, and government functionality. These include sectors such as energy, water, healthcare, and transport.

The new legislation implements the European Directive (EU) 2022/2557, which requires EU member states to strengthen the resilience of critical entities against threats ranging from natural disasters to sabotage and hybrid attacks.

While the German law creates long-awaited national standards for protecting critical infrastructure, a closer examination reveals that the regulatory framework still contains structural weaknesses and unresolved policy questions.

Political Background and Legal Framework

Germany’s federal chamber, the German Bundesrat, has approved the KRITIS Umbrella Act, formally titled Act Implementing Directive (EU) 2022/2557 and Strengthening the Resilience of Critical Facilities. The German state of Hesse supported the legislation.

During the 1062nd session of the Bundesrat, Hesse’s interior minister Roman Poseck described the law as “an important step for greater security and resilience,” while also emphasizing that the framework must be evaluated and further developed over time.

The legislation transposes the European resilience directive into German law and, for the first time, introduces nationwide minimum standards for the physical protection of critical infrastructures.

A Law Driven by a Changing Threat Landscape

Supporters of the law point to a significantly deteriorating security environment. Several developments are cited as justification:

  • increasing cyberattacks against critical infrastructure
  • sabotage incidents targeting supply systems
  • deliberate disruptions linked to the Russian war against Ukraine
  • rising geopolitical tensions, including developments in the Middle East
  • a power outage in Berlin, reportedly linked to a suspected left-wing extremist attack

These developments are used to argue that Germany must strengthen its preparedness for attacks on essential infrastructure systems.

Core Provisions of the Law

The KRITIS Umbrella Act introduces binding obligations for operators of critical infrastructure. These include:

  • physical security measures to protect facilities
  • mandatory reporting of major disruptions
  • emergency and crisis management planning
  • regular risk assessments
  • resilience and protection strategies

The law applies to ten strategically important sectors considered essential for societal and economic stability:

  1. Energy
  2. Transport and traffic
  3. Banking
  4. Financial market infrastructures
  5. Healthcare
  6. Drinking water supply
  7. Wastewater management
  8. Digital infrastructure / IT and telecommunications
  9. Public administration
  10. Food supply

These sectors are classified as critical because disruptions in their operation could severely affect public safety, economic activity, or governmental functions.

The 500,000-Person Threshold

One of the most debated aspects of the law concerns the definition of critical infrastructure.

Under the current framework, facilities are generally classified as critical if they provide services to more than 500,000 people or have comparable economic significance.

However, this threshold has been widely criticized. Germany’s Conference of Interior Ministers repeatedly called for a broader definition that would capture more infrastructure operators.

Critics argue that the current threshold could exclude many regionally important infrastructures, such as:

  • medium-sized energy providers
  • regional water utilities
  • hospitals serving regional populations
  • logistics hubs or transport nodes

In crisis situations, these facilities may be crucial for maintaining regional stability and public services, even if they do not reach the national threshold defined in the law.

Resilience as a Long-Term Policy Task

Roman Poseck himself acknowledged that resilience is a long-term responsibility for both the state and society. According to Poseck, the new legislation represents only one component within a broader resilience strategy.

The German federal government has committed to evaluating the law together with the federal states and adjusting it where necessary.

International Comparison

Another element of the political debate concerns Germany’s broader culture of crisis preparedness.

According to policymakers, Germany still lags behind some European countries in building societal resilience. In particular, states in Scandinavia and the Baltic region are often cited as examples of stronger preparedness systems that emphasize:

  • civil defense structures
  • public emergency preparedness
  • crisis planning at the societal level
  • resilience programs for citizens and businesses

These countries have invested heavily in resilience strategies following years of geopolitical tension and hybrid threats.

Conclusion

The KRITIS Umbrella Act represents an important milestone in Germany’s efforts to strengthen the protection of critical infrastructure and to implement European resilience policy. For the first time, the country now has a nationwide framework defining responsibilities and minimum protection standards.

At the same time, the ongoing debate about the 500,000-person threshold illustrates that the legislation may still leave significant gaps in the protection of regionally important infrastructure.

The planned evaluation of the law will therefore be crucial. Only if the regulatory framework remains adaptable—and expands protection to include mid-sized infrastructure operators—can the KRITIS Umbrella Act evolve into a truly comprehensive system for safeguarding critical infrastructure in Germany.
