Critical Infrastructures (KRITIS): Protection, Obligations, and Affected Companies

30.04.2025 by Annalena Rauen


Critical infrastructures (abbreviated: KRITIS) safeguard fundamental functions of our society – from energy supply and medical care to IT and communication.

At the same time, these infrastructures are exposed to various risks: cyberattacks, technical failures, natural disasters, or human error can lead to far-reaching disruptions at any time. To prevent failures with serious consequences, the legislator has defined clear requirements for the protection of these systems. In this article, you will learn what critical infrastructures are, which sectors are affected, and how you can determine whether your company is included.

Definition: Critical infrastructure according to the federal government

“Critical infrastructures (KRITIS) are organizations or institutions of vital importance to the functioning of the community, whose failure or impairment would result in lasting supply shortages, significant disruptions to public safety, or other dramatic consequences.”

- Federal Office of Civil Protection and Disaster Assistance (BBK)

Simply put: critical infrastructures include all goods, services, and structures essential to the common good of our society. This refers not only to power grids or water utilities – hospitals, data centers, traffic control systems, logistics hubs, and communication networks are also part of it. 


A failure of these companies or systems is considered critical because it can have serious consequences for public safety, health, or the population’s supply. For example, if a central data center fails, entire administrative sectors or payment services may come to a standstill. 

Understanding the legal framework

The protection of critical infrastructures is anchored in several legal regulations. Companies operating in this area are subject – depending on their sector, size, and relevance – to strict requirements.  

The following laws and regulations form the legal basis for the protection of critical infrastructures in Germany:  

  • KRITIS Regulation (BSI-KritisV): Defines thresholds and sectors from which a company is classified as KRITIS. Once these thresholds are exceeded, the company is deemed KRITIS-relevant – regardless of whether it is publicly or privately organized. 

  • IT Security Act: Requires KRITIS companies to implement minimum standards in the field of cybersecurity. 

  • NIS 2 Directive (to be transposed into national law from October 2024): Extends the obligations to additional sectors as well as medium-sized companies. 

  • Planned KRITIS Umbrella Act: For the first time, includes requirements for the physical protection of critical facilities, such as access control or structural safety measures. 

The Federal Office for Information Security (BSI) provides companies with extensive guidelines, assistance, and checklists to help implement legal requirements. The Federal Association for Critical Infrastructures (BKI) also regularly provides updates and practical recommendations. 

Additionally, the Federal Office of Civil Protection and Disaster Assistance (BBK) supports operators of critical infrastructures with scenarios, exercises, and disaster response handbooks – for example, in the event of widespread outages, natural events, or hybrid threat situations.

KRITIS sectors according to the KRITIS Act

Depending on the sector and its societal relevance, a company can be classified as a KRITIS entity. This entails specific obligations for securing systems and reporting security-relevant incidents. The Federal Office for Information Security (BSI) currently identifies nine official KRITIS sectors:  

  • Energy (electricity, gas, oil) 
  • Water (drinking water supply, wastewater disposal) 
  • Information technology and telecommunications 
  • Health (hospitals, laboratories, pharmaceuticals) 
  • Food (production, processing, trade) 
  • Transport and traffic (rail, road, air, shipping) 
  • Finance and insurance 
  • Government and administration (e.g., police, fire departments, authorities) 
  • Media and culture (broadcasting, press, protection of cultural assets) 

There are current discussions to include municipal waste disposal as an additional KRITIS sector. 

KRITIS-relevant companies: Typical criteria

Whether a company is classified as a KRITIS entity is a crucial question, as it entails legal obligations, technical requirements, and potential liability risks. The classification results from a combination of various factors: industry, company size, system relevance, and the infrastructure services provided. Central to this is the question: who is being served, and to what extent?

Typical criteria for KRITIS classification include: 



Different threshold values apply depending on the sector. Companies that operate just below these thresholds should still prepare: with the implementation of the NIS 2 Directive, the number of obligated organizations will significantly increase. A frequently used benchmark: if a company provides critical services to more than 500,000 people, it generally falls under the KRITIS regulation. 

TIP: Perform an affectedness check

To verify whether your company is affected under § 28, the BSI offers a NIS 2 Affectedness Check. This tool helps determine whether your organization falls under the new requirements – and which actions are necessary. 


What are the consequences of non-compliance?

The legal requirements for protecting critical infrastructures are binding. Companies classified as KRITIS entities that fail to implement the required measures must expect serious consequences.  

  • With the entry into force of the NIS 2 Directive and the planned KRITIS Umbrella Act, not only will the requirements increase – the scope of sanctions will also be significantly expanded. High fines, deadlines imposed by supervisory authorities, and official directives will become standard enforcement tools.  
  • Particularly relevant for management: personal liability is coming into sharper focus. If executives demonstrably fail to implement adequate security measures or fail to monitor their implementation, they can be held civilly or criminally liable in the event of damage.  

In short: inaction is not an option. Companies should therefore invest early in IT security, risk management, and compliance – to protect both their systems and their reputation.

KRITIS companies need to take action now

Critical infrastructures are essential to the system and therefore require special protection. Whether it's power supply, digital communication, or medical care: companies operating in these areas bear a special responsibility. Depending on classification, they are subject to clearly defined legal obligations.  

The central task for KRITIS companies is therefore to remain operational under all circumstances.  

Modern IoT solutions help not only monitor but also actively protect critical systems. They enable early risk detection, process automation, and efficient fulfillment of legal requirements – with less effort and greater security. 


Walkthrough Solutions for Your IoT Project


From advice on IoT hardware, networking and implementation to the right Cloud application and analytical tools, thanks to our global network and partner ecosystem we can provide single-source end-to-end solutions for your IoT project.


Annalena Rauen

Marketing Manager IoT

Back in 2016, Anna worked on IoT topics at Deutsche Telekom for the first time. Since then, she has been supporting customer best practices in a wide range of industries – always focusing on the benefits that the Internet of Things can provide. Her IoT blogposts describe real use cases and the value these innovations add to market players, their business models, and even entire industries.