
Critical Infrastructures (KRITIS): Protection, Obligations, and Affected Companies

Critical infrastructures (abbreviated: KRITIS) safeguard fundamental functions of our society – from energy supply and medical care to IT and communication.

At the same time, these infrastructures are exposed to various risks: cyberattacks, technical failures, natural disasters, or human error can lead to far-reaching disruptions at any time. To prevent failures with serious consequences, the legislator has defined clear requirements for the protection of these systems. In this article, you will learn what critical infrastructures are, which sectors are affected, and how you can determine whether your company is included.


In brief

  • Critical infrastructures (KRITIS) safeguard essential basic services such as energy, water, healthcare, IT, and transportation – their failure would have severe consequences for society and security.
  • Companies operating in KRITIS sectors are subject to strict legal obligations: from the German IT Security Act and the KRITIS Regulation to the EU NIS-2 Directive and the planned KRITIS umbrella law, which also covers physical protection.
  • Whether a company is considered KRITIS-relevant depends on factors such as industry, facility size, supply scope (e.g., serving more than 500,000 people), and central control functions – and with NIS-2, the number of affected companies will increase even further.

Definition: Critical infrastructure according to the federal government

“Critical infrastructures (KRITIS) are organizations or institutions of vital importance to the functioning of the community, whose failure or impairment would result in lasting supply shortages, significant disruptions to public safety, or other dramatic consequences.”  

- Bundesamt für Bevölkerungsschutz und Katastrophenhilfe 

Simply put: 

Critical infrastructures include all goods, services, and structures essential to the common good of our society. This refers not only to power grids or water utilities – hospitals, data centers, traffic control systems, logistics hubs, and communication networks are also part of it. 
A failure of these companies or systems is considered critical because it can have serious consequences for public safety, health, or the population’s supply. For example, if a central data center fails, entire administrative sectors or payment services may come to a standstill.

Understanding the legal framework

The protection of critical infrastructures is anchored in several legal regulations. Companies operating in this area are subject – depending on their sector, size, and relevance – to strict requirements.

The following laws and regulations form the legal basis for the protection of critical infrastructures in Germany: 

  • KRITIS Regulation (BSI-KritisV): Defines thresholds and sectors from which a company is classified as KRITIS. Once these thresholds are exceeded, the company is deemed KRITIS-relevant – regardless of whether it is publicly or privately organized.
  • IT Security Act: Requires KRITIS companies to implement minimum standards in the field of cybersecurity.
  • NIS 2 Directive (to be transposed into national law from October 2024): Extends the obligations to additional sectors as well as medium-sized companies.
  • Planned KRITIS Umbrella Act: For the first time, includes requirements for the physical protection of critical facilities, such as access control or structural safety measures. 

The Federal Office for Information Security (BSI) provides companies with extensive guidelines, assistance, and checklists to help implement legal requirements. The Federal Association for Critical Infrastructures (BKI) also regularly provides updates and practical recommendations. 

Additionally, the Federal Office of Civil Protection and Disaster Assistance (BBK) supports operators of critical infrastructures with scenarios, exercises, and disaster response handbooks – for example, in the event of widespread outages, natural events, or hybrid threat situations.


KRITIS sectors according to the KRITIS act

Depending on the sector and its societal relevance, a company can be classified as a KRITIS entity. This entails specific obligations for securing systems and reporting security-relevant incidents. The Federal Office for Information Security (BSI) currently identifies nine official KRITIS sectors:  

  • Energy (electricity, gas, oil)
  • Water (drinking water supply, wastewater disposal)
  • Information technology and telecommunications
  • Health (hospitals, laboratories, pharmaceuticals)
  • Food (production, processing, trade)
  • Transport and traffic (rail, road, air, shipping)
  • Finance and insurance
  • Government and administration (e.g., police, fire departments, authorities)
  • Media and culture (broadcasting, press, protection of cultural assets) 

There are current discussions to include municipal waste disposal as an additional KRITIS sector. 

KRITIS-relevant companies: Typical criteria

Whether a company is classified as a KRITIS entity is a crucial question, as it entails legal obligations, technical requirements, and potential liability risks. The classification results from a combination of various factors: industry, company size, system relevance, and the infrastructure services provided. Central to this is the question: who is being served, and to what extent?

Typical criteria for KRITIS classification include:

  • Facility size or throughput
    For example, megawatt output in the energy sector, cubic meters in water utilities, or transaction volumes for financial service providers.
  • Supply coverage
    Are more than 500,000 people provided with electricity, water, medical care, or communication services?
  • Central control functions
    Such as control centers, networks, or platforms that other systems depend on.

Different threshold values apply depending on the sector. Companies that operate just below these thresholds should still prepare: with the implementation of the NIS 2 Directive, the number of obligated organizations will significantly increase.

A frequently used benchmark: if a company provides critical services to more than 500,000 people, it generally falls under the KRITIS regulation. 

TIP: Perform an affectedness check

To verify whether your company is affected under § 28, the BSI offers a NIS 2 Affectedness Check. This tool helps determine whether your organization falls under the new requirements – and which actions are necessary.

What are the consequences of non-compliance?

The legal requirements for protecting critical infrastructures are binding. Companies classified as KRITIS entities that fail to implement the required measures must expect serious consequences.  

  • With the entry into force of the NIS 2 Directive and the planned KRITIS Umbrella Act, not only will the requirements increase – the scope of sanctions will also be significantly expanded. High fines, deadlines imposed by supervisory authorities, and official directives will become standard enforcement tools.  
  • Particularly relevant for management: personal liability is coming into sharper focus. If executives demonstrably fail to implement adequate security measures or fail to monitor their implementation, they can be held civilly or criminally liable in the event of damage.  

In short: inaction is not an option. Companies should therefore invest early in IT security, risk management, and compliance – to protect both their systems and their reputation.

KRITIS companies need to take action now

Critical infrastructures are essential to the system and therefore require special protection. Whether it's power supply, digital communication, or medical care: companies operating in these areas bear a special responsibility. Depending on classification, they are subject to clearly defined legal obligations.  

The central task for KRITIS companies is therefore to remain operational under all circumstances.

Modern IoT solutions help not only monitor but also actively protect critical systems. They enable early risk detection, process automation, and efficient fulfillment of legal requirements – with less effort and greater security. 



Annalena Rauen

Marketing Manager IoT

Back in 2016, Anna worked on IoT topics at Deutsche Telekom for the first time. Since then, she has been supporting customer best practices in a wide range of industries – always focusing on the benefits that the Internet of Things can provide. Her IoT blogposts describe real use cases and the value these innovations add to market players, their business models, and even entire industries.
