Critical Infrastructures (KRITIS): Protection, Obligations, and Affected Companies
30.04.2025, by Annalena Rauen
Critical infrastructures (abbreviated: KRITIS) safeguard fundamental functions of our society – from energy supply and medical care to IT and communication.
At the same time, these infrastructures are exposed to various risks: cyberattacks, technical failures, natural disasters, or human error can lead to far-reaching disruptions at any time. To prevent failures with serious consequences, the legislator has defined clear requirements for the protection of these systems. In this article, you will learn what critical infrastructures are, which sectors are affected, and how you can determine whether your company is included.
Definition: Critical infrastructure according to the federal government
“Critical infrastructures (KRITIS) are organizations or institutions of vital importance to the functioning of the community, whose failure or impairment would result in lasting supply shortages, significant disruptions to public safety, or other dramatic consequences.”
- Federal Office of Civil Protection and Disaster Assistance
Simply put: critical infrastructures include all goods, services, and structures essential to the common good of our society. This refers not only to power grids or water utilities – hospitals, data centers, traffic control systems, logistics hubs, and communication networks are also part of it.
A failure of these companies or systems is considered critical because it can have serious consequences for public safety, health, or the population’s supply. For example, if a central data center fails, entire administrative sectors or payment services may come to a standstill.
Understanding the legal framework
The protection of critical infrastructures is anchored in several legal regulations. Companies operating in this area are subject – depending on their sector, size, and relevance – to strict requirements.
The following laws and regulations form the legal basis for the protection of critical infrastructures in Germany:
KRITIS Regulation (BSI-KritisV): Defines thresholds and sectors from which a company is classified as KRITIS. Once these thresholds are exceeded, the company is deemed KRITIS-relevant – regardless of whether it is publicly or privately organized.
IT Security Act: Requires KRITIS companies to implement minimum standards in the field of cybersecurity.
NIS 2 Directive (to be transposed into national law from October 2024): Extends the obligations to additional sectors as well as medium-sized companies.
Planned KRITIS Umbrella Act: For the first time, includes requirements for the physical protection of critical facilities, such as access control or structural safety measures.
The Federal Office for Information Security (BSI) provides companies with extensive guidelines, assistance, and checklists to help implement legal requirements. The Federal Association for Critical Infrastructures (BKI) also regularly provides updates and practical recommendations.
Additionally, the Federal Office of Civil Protection and Disaster Assistance (BBK) supports operators of critical infrastructures with scenarios, exercises, and disaster response handbooks – for example, in the event of widespread outages, natural events, or hybrid threat situations.
Depending on the sector and its societal relevance, a company can be classified as a KRITIS entity. This entails specific obligations for securing systems and reporting security-relevant incidents. The Federal Office for Information Security (BSI) currently identifies nine official KRITIS sectors:
Energy (electricity, gas, oil)
Water (drinking water supply, wastewater disposal)
Information technology and telecommunications
Health (hospitals, laboratories, pharmaceuticals)
Food (production, processing, trade)
Transport and traffic (rail, road, air, shipping)
Finance and insurance
Government and administration (e.g., police, fire departments, authorities)
Media and culture (broadcasting, press, protection of cultural assets)
There are current discussions to include municipal waste disposal as an additional KRITIS sector.
KRITIS-relevant companies: Typical criteria
Whether a company is classified as a KRITIS entity is a crucial question, as it entails legal obligations, technical requirements, and potential liability risks. The classification results from a combination of various factors: industry, company size, system relevance, and the infrastructure services provided. Central to this is the question: who is being served, and to what extent?
Typical criteria for KRITIS classification include:
Facility size or throughput – for example, megawatt output in the energy sector, cubic meters in water utilities, or transaction volumes for financial service providers.
Supply coverage – are more than 500,000 people provided with electricity, water, medical care, or communication services?
Central control functions – such as control centers, networks, or platforms that other systems depend on.
Different threshold values apply depending on the sector. Companies that operate just below these thresholds should still prepare: with the implementation of the NIS 2 Directive, the number of obligated organizations will significantly increase. A frequently used benchmark: if a company provides critical services to more than 500,000 people, it generally falls under the KRITIS regulation.
TIP: Perform an affectedness check
To verify whether your company is affected under § 28, the BSI offers a NIS 2 Affectedness Check. This tool helps determine whether your organization falls under the new requirements – and which actions are necessary.
What are the consequences of non-compliance?
The legal requirements for protecting critical infrastructures are binding. Companies classified as KRITIS entities that fail to implement the required measures must expect serious consequences.
With the entry into force of the NIS 2 Directive and the planned KRITIS Umbrella Act, not only will the requirements increase – the scope of sanctions will also be significantly expanded. High fines, deadlines imposed by supervisory authorities, and official directives will become standard enforcement tools.
Particularly relevant for management: personal liability is coming into sharper focus. If executives demonstrably fail to implement adequate security measures or fail to monitor their implementation, they can be held civilly or criminally liable in the event of damage.
In short: inaction is not an option. Companies should therefore invest early in IT security, risk management, and compliance – to protect both their systems and their reputation.
KRITIS companies need to take action now
Critical infrastructures are systemically relevant and therefore require special protection. Whether it's power supply, digital communication, or medical care: companies operating in these areas bear a special responsibility. Depending on classification, they are subject to clearly defined legal obligations.
The central task for KRITIS companies is therefore to remain operational under all circumstances.
Modern IoT solutions help not only monitor but also actively protect critical systems. They enable early risk detection, process automation, and efficient fulfillment of legal requirements – with less effort and greater security.
Walkthrough Solutions for Your IoT Project
From advice on IoT hardware, networking and implementation to the right Cloud application and analytical tools, thanks to our global network and partner ecosystem we can provide single-source end-to-end solutions for your IoT project.
Back in 2016, Anna worked on IoT topics at Deutsche Telekom for the first time. Since then, she has been supporting customer best practices in a wide range of industries – always focusing on the benefits that the Internet of Things can provide. Her IoT blogposts describe real use cases and the value these innovations add to market players, their business models, and even entire industries.