On January 28, 2026, the Bundestag adopted the KRITIS Umbrella Act (KRITIS-Dachgesetz), marking a significant milestone in strengthening the physical resilience of critical infrastructures in Germany. For the first time, the legislation establishes binding, cross-sector minimum requirements as well as uniform criteria for identifying critical facilities across all relevant sectors.

The German Electrical and Digital Industry Association, ZVEI, explicitly welcomes this step. From the association’s perspective, the decisive factor now is swift implementation based on consistent criteria in all federal states. In particular, facilities that fall below the threshold of 500,000 inhabitants supplied must be assessed using harmonised and transparent standards nationwide. Without such consistency, there is a risk of fragmented implementation by the individual federal states, which could significantly undermine the effectiveness of the KRITIS Umbrella Act.

Standardisation as a Cornerstone of Resilience

ZVEI also advocates that mandatory resilience measures for operators of critical infrastructures should be developed on the basis of established norms and standards. Proven frameworks in areas such as intrusion detection, access control, video surveillance, and perimeter protection provide a reliable foundation for protecting critical facilities in a realistic, efficient, and sustainable manner.

According to the association, leveraging recognised standards not only enhances security outcomes but also offers planning certainty for operators, technology providers, and authorities alike—an essential prerequisite for effective implementation.

Industry Perspective: The Need for Clear and Reliable Requirements

Peter Krapp, Managing Director of the ZVEI Security Association, emphasised the importance of regulatory clarity:

“With the KRITIS Umbrella Act, a central building block for the protection of critical infrastructures is finally being implemented. For operators, it is now particularly important to receive clear and reliable requirements—applied uniformly across Germany. Only if all federal states use the same criteria can companies plan and implement their protective measures efficiently. Our goal is to work together with policymakers and industry to create a practical and holistic security framework.”

National Framework in the European Context

Together with the NIS-2 Implementation Act, which governs the digital resilience of critical facilities, the KRITIS Umbrella Act forms Germany’s national framework for implementing the EU Directive on the resilience of critical entities, known as the CER Directive.

ZVEI strongly supports a coordinated, cross-sector, and practice-oriented implementation of both legislative initiatives. Following adoption by the Bundestag, the law still requires approval by the Bundesrat.

Outlook

With the KRITIS Umbrella Act, Germany has taken a decisive step toward enhancing the protection of critical infrastructures against physical threats. The coming months will be crucial in determining whether the law delivers its full potential—through rapid, consistent, and standards-based implementation across all federal states. Industry associations such as ZVEI see themselves as active partners in this process, contributing expertise to ensure that resilience requirements are both effective and feasible in practice.