Critical Infrastructure Protection Act passed: New security requirements for Germany’s critical infrastructure

January 29, 2026

In view of increasing hybrid threats, geopolitical tensions and growing dependencies on functioning infrastructure, the Bundestag has passed the Kritis (critical infrastructure) umbrella law. With the law to strengthen the resilience of critical facilities, Germany is implementing the European CER Directive (EU 2022/2557) and, for the first time, creating a comprehensive security framework for the protection of central supply functions.

The aim is to maintain critical services even in the event of cyber attacks, acts of sabotage, natural disasters or technical malfunctions and to limit the impact of security incidents on the population, the economy and the state.

Focus on security: from prevention to crisis response

The Kritis umbrella law shifts the focus from pure prevention to a holistic security approach. Operators of critical facilities are obliged to systematically check their facilities for physical, organisational and digital risks and to implement appropriate protective measures.

Specifically, the law provides for, among other things:

  • mandatory identification and registration of security-relevant facilities,
  • the implementation of structured resilience measures to prevent and limit damage events,
  • reporting obligations for security-relevant incidents in order to consolidate situation reports more quickly,
  • and regular risk analyses for critical services.

This places the ability to detect, contain and recover from incidents at an early stage at the centre of the legal requirements.

Threshold values and security gaps from a security perspective

A key point of contention in security policy remains the regulatory threshold of 500,000 people supplied. Facilities below this threshold are generally not subject to the new obligations – even though smaller suppliers can also be systemically important in regional contexts.

Security experts warn that this regulation could create potential protection gaps, especially in rural areas or in highly networked supply chains. Although the regulations give the federal states room for manoeuvre, it remains to be seen how consistently this will be used.

Critical role of public administration

From a security perspective, the limited involvement of government agencies is particularly criticised. While private operators are subject to binding resilience requirements, large parts of the federal administration are exempt, and state administrations are not addressed at all.

In view of increasing attacks on government IT systems and administrative processes, experts see this as a considerable risk: security levels along critical value chains could drift apart, opening up new avenues for attackers.

Voices from business and security research

The digital association Bitkom welcomed the law in principle as a necessary step towards improving the national level of protection. At the same time, President Dr Ralf Wintergerst called for implementation not to be left solely to operators. Security measures of this magnitude require targeted government support, for example through funding programmes and clear guidelines.

Security researchers also expressed their approval, albeit with reservations. Prof. Dr. Dennis-Kenji Kipker from the Cyber Intelligence Institute speaks of a long-overdue move towards a structured resilience policy. However, he says it is crucial that the law be able to withstand the increasing professionalisation of hybrid attacks. Uniform standards and close cooperation between government and private actors are essential for this.

Implementation as a security-related test

From a security architecture perspective, the Kritis umbrella law marks a paradigm shift: away from selective protective measures and towards systemic resilience. However, only practical implementation will show whether this approach is effective.

Particularly relevant here are:

  • the quality of risk analyses,
  • the effectiveness of reporting and response mechanisms,
  • and the ability to continuously adapt security measures to new threat situations.

Conclusion: Greater security – but no closed protection system

With the Kritis umbrella law, Germany is creating an urgently needed basis for the protection of critical infrastructure in an increasingly uncertain environment. The law strengthens prevention, transparency and responsiveness – but still leaves relevant areas open to attack from a security perspective.

For truly robust resilience, it will be important to critically review thresholds, consistently integrate government structures and address hybrid risks holistically. The Kritis umbrella law is therefore less of an end point and more of a security foundation on which to build further.
