With the KRITIS Regulation (KritisV), the German government has, for the first time, specified which facilities fall under the new KRITIS Framework Act (the KRITIS umbrella law) and are therefore subject to the federal government’s comprehensive resilience requirements. For operators of critical facilities, this means additional obligations. For the security industry, however, the regulation marks far more than a regulatory adjustment: it fundamentally changes the role of security technology. In future, the demand will be not only for protective measures against burglary, sabotage or vandalism, but for integrated resilience concepts that ensure the continuous operation of critical services.
From physical security to resilience
With the KRITIS Framework Act, which came into force on 17 March 2026, Germany has implemented the European CER Directive (Critical Entities Resilience Directive). The KRITIS Regulation now presented defines which facilities are considered critical and are therefore subject to the new legal requirements. It is based on sectors, critical services, facility categories and thresholds, which are largely aligned with the already established methodology of the BSI KRITIS Regulation (BSI-KritisV).
The key difference, however, lies in the focus: whilst previous regulations primarily addressed the IT security of critical infrastructures, the emphasis is now on physical resilience. Operators must analyse risks, implement protective measures and report significant incidents. This marks the first time that security is understood across sectors as an integral part of operational resilience.
For the security industry, this represents a paradigm shift. The traditional approach of considering individual systems – video surveillance, access control, intrusion detection or perimeter protection – will no longer suffice in future. The crucial question will be how critical services can be maintained even under exceptional strain.
Who will be classified as KRITIS in future
The Regulation covers ten key sectors:
- Energy
- Transport and traffic
- Finance
- Social security and basic income support
- Health
- Water
- Food
- Information technology and telecommunications
- Space
- Municipal waste disposal
A particular new development is the inclusion of the space sector. Critical services in this sector include, amongst others, positioning, navigation and timing (PNT), Earth observation and transport capacities. This marks the first time the legislator has recognised the central importance of satellite-based services for modern societies and economies.
This opens up new areas of activity for the security sector. Ground stations, control centres, communication hubs and data processing facilities will need to be integrated more closely into KRITIS strategies in future.
Security technology becomes part of operational capability
The regulation makes it clear that critical infrastructure consists not only of production facilities or buildings. Control centres, command centres, networks, dispatch systems and digital platforms can also be classified as critical infrastructure. Particularly striking is the multitude of central control and monitoring systems, which are explicitly mentioned in almost all sectors.
This fundamentally changes the function of security technology.
A modern control centre no longer serves solely to handle alarms. It is increasingly becoming an operational resilience centre that brings together physical security information, cyber incidents, operational data and external situational information.
For providers of security management systems, this represents significant growth potential. There is demand for platforms that can integrate different systems and generate situational overviews in real time. Security control centres are evolving into central instruments of corporate resilience.
Video surveillance is becoming an early warning system
The shift is particularly evident in video surveillance. In many KRITIS environments, video technology has so far been used primarily for evidence preservation or perimeter surveillance.
The new requirements, however, promote a preventive approach.
Operators must identify risks and take appropriate measures to mitigate them. This results in a growing need for intelligent video systems capable of detecting unusual activities, sabotage attempts or operational anomalies at an early stage.
AI-supported analyses are consequently becoming significantly more important. Applications range from the detection of unauthorised persons on premises, through the analysis of crowds, to the automated monitoring of critical processes.
Particularly in energy plants, waterworks, transport infrastructure or logistics centres, the early detection of disruptions can create crucial time advantages.
Access control is becoming strategically more important
The regulation mentions numerous facilities whose failure would have a significant impact on security of supply. This inevitably results in greater importance being attached to access management.
This is no longer just about opening and closing doors.
In future, operators must be able to document much more precisely
- who has access to critical areas,
- when access has taken place,
- what authorisations have been granted,
- how temporary service providers are monitored and
- what processes come into effect in the event of a crisis.
Modern identity and access management systems are thus becoming a central component of regulatory compliance.
Solutions that link physical and digital identities will be in particularly high demand. The distinction between IT security and physical security is becoming increasingly blurred.
New opportunities for perimeter protection and drone detection
The increasing geopolitical tensions in Europe have clearly highlighted the vulnerability of critical infrastructure.
Acts of sabotage against submarine cables, attacks on energy infrastructure and the rising number of unauthorised drone flights have altered the threat landscape.
The KRITIS Regulation itself does not specify any particular technologies. However, the obligation to conduct a risk analysis inevitably means that operators must assess new threat scenarios.
These include, in particular:
- drone overflights,
- espionage activities,
- attempts at sabotage,
- insider threats,
- hybrid attacks, and
- coordinated physical and digital attacks.
This creates significant market opportunities for manufacturers of radar systems, drone detection, sensor fusion and intelligent perimeter surveillance.
Operators of energy facilities, waterworks, transport infrastructure and logistics centres, in particular, will increasingly demand appropriate protection concepts.
IT and physical security are converging
One of the most important points in the draft regulation is the aim to ensure coherence between the KRITIS Framework Act and the BSI Act.
The Federal Government is explicitly pursuing the goal of more closely integrating physical resilience and cybersecurity. In future, operators of critical infrastructure are to be defined under the same scope of application.
This is of considerable significance for the security industry.
Many traditional security providers will need to expand their expertise. Customers will increasingly demand solutions that integrate both worlds:
- Security Information and Event Management (SIEM),
- Physical Security Information Management (PSIM),
- Security Operations Centre (SOC),
- Control centre integration,
- Cyber-Physical Security Monitoring,
- Risk and crisis management.
The boundary between IT and security departments will continue to blur.
Documentation becomes a key compliance and resilience factor
One of the most underestimated consequences of the KRITIS Framework Act and the planned KRITIS Regulation does not concern the installation of additional security technology, but rather the documentation of the measures taken. Whilst many discussions currently focus on access controls, perimeter protection, control centres or video surveillance, a second, at least equally significant challenge is emerging in the background: evidence management.
This is because the regulation does not merely oblige operators of critical infrastructure to analyse risks and implement resilience measures. In future, they must also be able to document these processes in a traceable manner. Risk analyses, threat assessments, protective measures, responsibilities, training, maintenance, incidents and improvement measures will form part of a continuous verification process. This is in line with the logic of the CER Directive, which aims to ensure the verifiable resilience of critical infrastructure. Simply claiming to have taken appropriate measures will no longer suffice in future.
For operators, this means a significant organisational change. In many companies, information on security measures has so far been spread across different departments. Technical documentation is held by facility management or engineering, cybersecurity evidence by IT, emergency plans by crisis management, and compliance documents by the legal department. The KRITIS regulation now forces these areas to work much more closely together.
This becomes particularly challenging in the case of complex infrastructures. Operators of energy supply networks, waterworks, transport companies or data centres will in future have to document not only which protective measures exist, but also how these contribute to reducing specific risks. This shifts the focus from a mere list of measures to documentation of effectiveness.
This opens up a new business area for the security industry. Demand will increasingly shift from individual hardware components to comprehensive systems that can be documented. In future, security solutions must be able to log, in an audit-proof manner, which events were detected, which alarms were triggered, which decisions were made and which measures were implemented. Modern security platforms will thus become compliance tools.
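The access documentation list above (who, when, under which authorisation, how contractors are supervised) and the audit-proof event logging described here both come down to the same technical requirement: an append-only record that can later show that it has not been altered. The following is an added example, not code from the article or from any product it mentions, of a minimal hash-chained event log of the kind a security management platform would keep. The event vocabulary (access, detection, alarm, decision, measure), the zone and identity names and the sample events for a fictitious waterworks are constructed assumptions; the regulation prescribes none of them.

```python
"""Added example (not from the original article): a minimal tamper-evident
event log for access and incident events. Event types, identifiers and the
sample data below are constructed assumptions, not anything the KRITIS
Regulation or any named product prescribes."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # chain head before the first entry


@dataclass(frozen=True)
class Entry:
    seq: int      # position in the chain
    ts: str       # ISO 8601 UTC timestamp, e.g. "2026-04-01T07:12:00Z"
    kind: str     # assumed vocabulary: access | detection | alarm | decision | measure
    data: dict    # free-form payload (who, where, which authorisation, ...)
    prev: str     # digest of the previous entry (GENESIS for the first)
    digest: str   # keyed digest over all fields above


def _canonical(seq: int, ts: str, kind: str, data: dict, prev: str) -> bytes:
    # Canonical JSON so the digest does not depend on dict ordering or whitespace.
    return json.dumps(
        {"seq": seq, "ts": ts, "kind": kind, "data": data, "prev": prev},
        sort_keys=True, separators=(",", ":"),
    ).encode()


class AuditLog:
    """Append-only, hash-chained event log with a keyed digest per entry."""

    def __init__(self, key: bytes) -> None:
        # The HMAC key belongs to the log service (in practice an HSM or a
        # separate signing service), not to the systems that write events.
        # With a plain hash chain, anyone who can edit the store could simply
        # re-chain it; with a keyed digest they cannot.
        self._key = key
        self.entries: list[Entry] = []

    def _digest(self, seq: int, ts: str, kind: str, data: dict, prev: str) -> str:
        return hmac.new(self._key, _canonical(seq, ts, kind, data, prev), hashlib.sha256).hexdigest()

    def append(self, ts: str, kind: str, data: dict) -> Entry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, ts, kind, dict(data), prev, self._digest(seq, ts, kind, data, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first entry
        whose sequence number, back-link or digest does not check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = self._digest(e.seq, e.ts, e.kind, e.data, e.prev)
            if e.seq != i or e.prev != prev or not hmac.compare_digest(e.digest, expected):
                return i
            prev = e.digest
        return None

    def access_report(self, zone: str, start: str, end: str) -> list[dict]:
        """Who entered a zone in [start, end), and under which authorisation."""
        return [e.data for e in self.entries
                if e.kind == "access" and e.data.get("zone") == zone and start <= e.ts < end]

    def incident_trail(self, incident: str) -> list[tuple[str, str]]:
        """Detection -> alarm -> decision -> measure sequence for one incident."""
        return [(e.kind, e.ts) for e in self.entries if e.data.get("incident") == incident]


def build_sample_log() -> AuditLog:
    """Constructed sample events for a fictitious waterworks (not real data)."""
    log = AuditLog(key=b"demo-key-not-for-production")
    log.append("2026-04-01T06:55:00Z", "access",
               {"subject": "contractor-417", "zone": "pump-hall-1",
                "authorisation": "work-order-8831", "escort": "op-0212"})
    log.append("2026-04-01T07:03:00Z", "access",
               {"subject": "op-0212", "zone": "pump-hall-1", "authorisation": "role:operator"})
    log.append("2026-04-01T07:12:00Z", "detection",
               {"incident": "INC-0007", "source": "cam-perimeter-03",
                "event": "person in fenced area outside working hours"})
    log.append("2026-04-01T07:12:05Z", "alarm",
               {"incident": "INC-0007", "priority": "high", "routed_to": "control-centre"})
    log.append("2026-04-01T07:14:30Z", "decision",
               {"incident": "INC-0007", "by": "cc-shift-lead", "action": "dispatch patrol"})
    log.append("2026-04-01T07:31:00Z", "measure",
               {"incident": "INC-0007", "result": "area cleared, fence damage logged"})
    return log


def tamper_with(log: AuditLog, index: int) -> Optional[int]:
    """Simulate an attacker editing one stored entry in place and report what verify() finds."""
    e = log.entries[index]
    log.entries[index] = Entry(e.seq, e.ts, e.kind, dict(e.data, tampered=True), e.prev, e.digest)
    return log.verify()
```

`verify()` answers the auditor's first question (has this record been changed since it was written?), while `access_report()` and `incident_trail()` answer the ones listed above (who was in the critical area, and what was detected, decided and done for a given incident). A log of this shape is only as trustworthy as the handling of its key and its chain head: in a deployment the key would live outside the writing systems and the latest digest would be periodically anchored somewhere the operator cannot quietly rewrite, for example WORM storage or a separate system of record.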
Providers of Physical Security Information Management (PSIM), Security Operations Platforms and integrated control centre systems stand to benefit particularly. They enable the consolidation of different data sources and create a centralised situational overview that simultaneously serves as a basis for documentation. Such systems can be crucial, particularly during audits or regulatory inspections.
There is another aspect to consider: documentation is increasingly becoming a matter of liability. Should an incident occur, the question will not merely be which protective measures were in place. Equally relevant will be whether risks were identified, assessed and appropriately addressed. Companies must therefore be able to demonstrate much more clearly in future that they have fulfilled their duty of care.
For installers, integrators and consultants, this means a significant expansion of their existing range of services. Customers will no longer ask solely for cameras, sensors or access readers. What is required are solutions that combine technical security, operational processes and regulatory documentation. Anyone wishing to succeed in KRITIS projects in future must therefore not only deliver security, but also verifiability.
This gives rise to a new form of security architecture. Security technology no longer protects only facilities and people, but simultaneously documents a company’s resilience. The ability to demonstrate that measures have been taken thus becomes just as important a competitive factor as the actual protective effect of the systems.
Greater resilience – but also more bureaucracy?
As understandable as the objectives of the KRITIS umbrella law and the KRITIS Regulation are, an uncomfortable question arises: does the new regulation lead to an actual increase in resilience, or does it risk further expanding existing bureaucratic burdens?
Many companies are currently experiencing an unprecedented intensification of regulatory requirements. In addition to the traditional requirements relating to occupational health and safety, data protection, environmental law and sector-specific regulations, there are now NIS2, DORA, the Cyber Resilience Act (CRA), the EU AI Act (AI Regulation), supply chain requirements and numerous national implementing acts. The KRITIS Framework Act now introduces a further layer of documentation, analysis and reporting obligations.
It is noteworthy that the draft bill itself points out on several occasions that the specific costs and burdens cannot yet be reliably quantified. It is explicitly stated, for both the business sector and the public administration, that the actual burdens can only be estimated once further resilience standards and minimum requirements have been established. However, it is already foreseeable today that considerable resources will be channelled into analysis, documentation and verification processes.
Small and medium-sized operators of critical infrastructure are likely to be particularly affected by this. Whilst large corporations have their own compliance departments, security organisations and legal departments, smaller operators often have to meet the same requirements with significantly more limited staff resources. Municipal utilities, public utility companies, regional water companies and small and medium-sized logistics firms, in particular, face the challenge of meeting additional regulatory requirements without having new specialist staff available at the same time.
The security industry itself is already familiar with this problem from other sectors. Many installers and integrators have been reporting for years on an increasing proportion of administrative tasks. Project work has long since ceased to consist solely of planning, installation and commissioning. Added to this are risk analyses, data protection impact assessments, cybersecurity certifications, documentation and audit preparations. With the KRITIS regulation, this trend is likely to intensify further.
Critics therefore see the danger of a ‘compliance industry’, in which companies spend more and more time demonstrating regulatory compliance rather than reducing actual risks. The crucial question is: does an operator really become more resilient by producing yet another report, or by implementing additional security measures? A gap can certainly arise between regulatory compliance and actual risk mitigation.
Furthermore, resilience cannot be fully standardised. A waterworks in Bavaria, a container port in Hamburg, a data centre in Frankfurt and a hospital in North Rhine-Westphalia are exposed to completely different risks. The more detailed regulation becomes, the greater the risk that individual risk situations will be lost behind standardised checklists.
At the same time, it would be too simplistic to dismiss the new requirements as mere bureaucracy. Recent years have shown that critical infrastructure is exposed to significant threats. Acts of sabotage against energy infrastructure, attacks on communication networks, hybrid threats, extreme weather events and geopolitical tensions make it clear that resilience is no longer a theoretical exercise. In the past, many operators have assessed security measures primarily from an economic perspective. The new regulation is intended to ensure that risks to society as a whole are given greater consideration.
Practical implementation will therefore be crucial. If the forthcoming sector-specific resilience standards primarily result in additional forms, evidence and reporting obligations, acceptance could quickly decline. If, on the other hand, regulatory requirements can be linked to concrete improvements in operational capability, the regulation can make an important contribution to strengthening critical infrastructure.
This places a particular responsibility on the security industry. Manufacturers, integrators and consultants should not contribute to creating new layers of bureaucracy, but rather support their customers in meeting regulatory requirements as efficiently as possible. Automated documentation, intelligent audit functions, digital twins, integrated risk and security platforms, and AI-supported analyses can help to limit the administrative burden.
After all, acceptance of the KRITIS Regulation will not ultimately be measured by how many reports have been produced. What will be decisive is whether critical services actually remain available in an emergency. Compliance must therefore not become synonymous with bureaucracy, but must translate into genuine resilience of society, the economy and infrastructure.
Conclusion: The security industry is becoming a resilience partner
The KRITIS Regulation is far more than a technical supplement to the KRITIS Framework Act. For the first time, it provides a binding definition of which facilities are considered critical and which operators will be subject to the federal government’s resilience requirements in future.
This creates a new strategic role for the security industry. Security is no longer understood solely as protection against crime, but as a prerequisite for maintaining socially relevant services.
Video surveillance, access control, control centres, drone detection, security management platforms and cyber-physical security solutions will in future not only fulfil security tasks but also contribute to the operational resilience of critical infrastructure.
Those who recognise this development early on and consistently align their products, services and consultancy offerings with resilience are likely to be among the winners of the next generation of KRITIS. This is creating a market in which technical expertise alone is no longer sufficient. What is needed are partners who understand security, business continuity and regulatory requirements in equal measure and can combine them effectively. As a result, the security industry is increasingly transforming from a provider of individual protective measures into a strategic resilience partner for the state, the business sector and operators of critical infrastructure.