KRITIS resilience in building operations: Why facility management is becoming a strategic security function

April 15, 2026

Critical infrastructure in Germany is undergoing a regulatory, technical and organisational overhaul. With the KRITIS umbrella law, the focus is shifting away from isolated protective measures towards a comprehensive obligation to ensure resilience. For operators, this means that resilience is no longer merely a goal of good organisation, but a binding benchmark for day-to-day operations. It is precisely this shift that is giving facility management a new role. It is no longer solely responsible for availability, maintenance and service quality, but is becoming a key operational function for security of supply, accountability and crisis resilience.

In recent years, the debate on critical infrastructure has been heavily dominated by cyber risks. That framing now falls short. After all, the functionality of energy supply, water, healthcare, logistics, IT and telecommunications, transport or waste management always depends on physical locations, technical facilities, access points, emergency response chains and robust operational processes. Where buildings, control centres, data centres, hospitals, transport or waste management facilities fail, this has a direct impact on the economy, the state and the population. It is precisely at this interface between property, technology and operations that facility management becomes a stabilising factor.

The KRITIS umbrella law addresses companies that provide essential critical services. It thus defines not a purely technical scope of protection, but a scope of operational responsibility. What matters is who exercises significant influence over a critical facility and its processes. Responsibility therefore remains with the operator, even if operational services are outsourced to external service providers. This distinction is central to practice. This is because many tasks relating to building operations, technical management, inspection, maintenance, fire safety, access control or fault management have been delegated to facility service companies for years. What is new is that this delegation now takes place under significantly stricter requirements regarding control, documentation and verification.

For affected companies, this results in a concrete list of obligations. These include registration with the competent authority, recurring risk analyses, the derivation and documentation of resilience measures, as well as notification and reporting obligations in the event of relevant incidents. What is crucial here is not so much the mere existence of measures as their systematic derivation, robust implementation and audit-proof documentation. Anyone failing to meet these requirements risks severe sanctions. Resilience thus becomes a governance issue.

It is precisely here that the new significance of facility management becomes apparent. The legal requirements do not materialise at an abstract level, but in the day-to-day operation of buildings. In practice, resilience means controlling access, securing perimeters, designing critical technology with redundancy, defining failure paths, rehearsing crisis procedures and clearly defining responsibilities. Building operations thus evolve from a supporting function into a cornerstone of the corporate security architecture.

This also changes the requirements for risk analysis. It must not be limited to standard disruptions in day-to-day operations. What is required is a structured assessment of natural, technical and human-induced risks. These include, for example, extreme weather conditions, fires, sabotage, health emergencies, hybrid threats, cross-sector dependencies or cascade effects along critical supply chains. For facility management, this means: it must not only be aware of the current state of the technical infrastructure, but also be able to understand and assess its behaviour under exceptional circumstances.

The integration of technical and organisational issues is particularly challenging in this context. In many existing properties, systems have evolved over time, been expanded over the years and only partially documented in a consolidated manner. Redundancies often exist on paper, but not necessarily within a robust operational framework. Maintenance windows, load switching, spare part availability, escalation chains or staff substitution arrangements determine, in an emergency, whether a critical service remains stable or fails. This broadens the focus from the individual system to the overall system.

Under these conditions, business continuity management becomes a core component of building operations. Risk analyses, and the measures derived from them, reduce the probability of incidents occurring, but they cannot guarantee absolute security. This is why robust emergency and recovery plans are required for critical infrastructure. Technical resilience is evident, for example, in emergency power systems, redundant refrigeration and air-conditioning technology, secure utility supply, or protection mechanisms against the failure of individual components. Organisational resilience arises from clear escalation procedures, defined crisis communication, documented handover protocols, and robust stand-in arrangements. The central principle is: critical systems must not be operated as isolated individual components.

A look at particularly sensitive sectors reveals just how specific these requirements are. In hospitals, the ability to switch to a self-sufficient power supply within a very short time is crucial for maintaining life-support systems. In data centres, even brief interruptions in cooling can lead to massive failures. In logistics centres, high process dynamics, numerous external stakeholders and sensitive supply chains converge, which intensifies requirements for access control, perimeter protection and operational organisation. In waste management facilities, changing fire risks – such as those posed by incorrectly disposed lithium-ion batteries – increase the pressure on fire safety concepts and technical prevention measures. In the energy sector, meanwhile, physical security, switchgear, emergency power supply and site protection are becoming a matter of security policy.

This makes it clear: in the KRITIS environment, facility management is no longer merely an operational function, but a risk and crisis manager. It provides the operational foundation for the company’s resilience strategy. At the same time, it acts as a bridge between physical security and digital control. This is because modern building operations are now highly digitised. Sensors, building automation, CAFM platforms, data analytics, AI-supported evaluations and networked OT systems improve transparency, responsiveness and efficiency. However, every networked controller and remote-access path is also an attack surface: a compromised building management system can interrupt cooling or disable access control as effectively as physical tampering. Consequently, physical resilience requirements and cyber requirements are increasingly overlapping.

This creates a dual management challenge. Whilst the KRITIS umbrella law addresses the physical resilience of critical infrastructure, NIS2 regulates the security of network and information systems. In practice, the two levels can no longer be separated. Anyone using networked building automation must manage physical and digital risks together. This applies not only to data centres or highly automated industrial and transport sites, but increasingly to any critical property featuring smart technology, remote access or integrated monitoring. Facility management thus becomes the operational interface between two regulatory worlds.

Facility management also plays a key role in documentation. Audits, evidence and regulatory inspections require that risk analyses, inspection obligations, maintenance cycles, responsibilities and measures are documented comprehensively and in a traceable manner. This is precisely why digital operational platforms are gaining in importance. CAFM systems and other centralised documentation solutions do more than just reduce administrative effort. They create a uniform data foundation, make services transparent, support real-time management and facilitate strategic decisions regarding lifecycle, maintenance and investments. Documentation is thus not only an obligation, but also a tool for operational and economic management.

This development is also transforming the market for facility services. When operators retain responsibility despite delegation, the selection of external partners becomes an integral part of risk management. Tenders in the KRITIS sector can therefore no longer be based primarily on price and traditional scope of services. The decisive factor is whether a provider can demonstrably support regulatory requirements, crisis resilience and process stability.

What is required are service providers with robust operational capability, qualified staff, high availability, short response times and transparent security and quality standards. Relevant certifications, suitable references and digital maturity are important indicators, but are not sufficient on their own. Equally crucial is the question of how extensively a provider delivers its services in-house and how stable its own organisation is. Where process chains are heavily outsourced to subcontractors, interface risks, management overhead and potential security gaps increase. A resilient operation therefore requires resilient partners.

This significantly shifts the requirements profile for facility service companies. The focus is no longer on the reactive service provider, but on the process-oriented, digitally equipped and crisis-proof partner. Depending on the level of maturity, the spectrum ranges from the traditional operational provider to the strategic value-added partner who actively contributes to risk analysis, resilience concepts and the further development of operations. For many KRITIS companies, it is precisely this partnership model that is likely to gain in importance, as increasing regulatory and technical requirements often cannot be fully met internally.

Added to this is the shortage of skilled workers. Operating complex technical infrastructures requires highly qualified staff, who are in short supply on the market. External specialists, cross-site technical teams and standardised digital operating models can help to deploy scarce resources more effectively. At the same time, experienced partners facilitate the transfer of best practices across sectors and infrastructures. This can significantly enhance implementation capabilities, particularly as companies are now required to systematically reassess their critical systems, redundancies, maintenance strategies and emergency procedures.

For operators, this results in a clear course of action. The first step is an honest and methodologically sound assessment of the current situation. Which systems and processes are truly critical? Where are there reliable redundancies, and where are they merely assumed? Which dependencies are documented, and which have hitherto only existed implicitly? How robust are emergency and maintenance processes under exceptional stress conditions? Only on this basis can investments, modernisations, monitoring concepts and organisational measures be sensibly prioritised. Resilience does not begin with the procurement of technology, but with transparency.

The actual paradigm shift therefore lies less in individual regulations than in the new classification of building operations. In the KRITIS context, buildings, systems and technical infrastructure are no longer understood as a supporting framework for the actual service provision, but as its operational prerequisite. Where this prerequisite is unstable, the critical service is also unstable. Facility management thus becomes a strategic function for business continuity, compliance and security of supply.

This is a clear signal for the security industry. In the coming years, the protection of critical infrastructure will not be determined solely by IT, perimeter security or individual security systems. It will increasingly be determined by the ability to integrate physical, technical, organisational and digital resilience within building operations. This is precisely where a new playing field for facility management is emerging – not as a downstream service function, but as an integral part of national security and supply architecture.
