Germany’s Critical Infrastructure Protection (KRITIS)

By Michael Kolatchev, Principal, Managing Director at Rossnova Solutions (Belgium) & Lina Kolesnikova, Senior Consultant at Rossnova Solutions (Belgium)

Germany is one of the world’s leading economies and depends heavily on the resilience and reliability of its critical infrastructure (CI) to maintain national security and economic competitiveness. In response to evolving threats, including cyber-attacks, natural disasters and physical sabotage, the country continues to modernize and expand its regulatory and institutional architecture for critical infrastructure protection (CIP).
The German federal government defines critical infrastructures (KRITIS) as “organizations or facilities of vital importance to the public sector, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety, or other dramatic consequences”. The sectors covered include energy, water, information technology, healthcare, transportation, finance, government and administration, and media and culture.
Ensuring the protection of these organisations is a core task for government and business, and a central theme of Germany’s security policy. Resilience of CI is increasingly a priority in its own right.
KRITIS before CER and NIS2
The need to protect critical infrastructure in Germany was first addressed in 1997 with the creation of a working group within the Federal Ministry of the Interior (BMI). The acronym KRITIS has been used ever since.
The first years of KRITIS protection were characterized by numerous discussions with industry associations, companies and authorities to identify sector-specific needs. This also led to the creation of the first recommendations and guidelines for operators of CI.
A major milestone was reached in 2009 with the adoption of the first National Strategy for the Protection of Critical Infrastructures (KRITIS Strategy). This strategy is still the foundation for overall execution of tasks, and it contributes significantly to their understanding and acceptance.
UP KRITIS
It is estimated that approximately 80% of Germany’s CI is owned and operated by private companies. Effective communication with stakeholders including government bodies, sectoral organizations, the media, and the public is often facilitated through industrial (sectoral) associations. These associations play a key role in public-private partnerships (PPPs) for infrastructure protection.
One of the key milestones in the development of Germany’s critical infrastructure protection strategy was the establishment of UP KRITIS in 2007. UP KRITIS serves as a cooperation and dialogue platform between government authorities and private-sector operators of CI. While the initial focus was on IT security, the platform has since evolved. Today, UP KRITIS has over 1000 members and addresses a comprehensive range of CIP topics, encompassing both physical security and cybersecurity, as well as resilience and emergency preparedness across multiple sectors.
Given the central role of IT in nearly all critical processes and its continuous and rapid development, protection of information infrastructures has become a key priority within UP KRITIS. This focus reflects the increasing complexity and dynamic nature of cyber threats.
In addition to IT-related issues, UP KRITIS addresses broader dimensions of infrastructure robustness, emphasizing that physical protection and cybersecurity must be designed and implemented as interconnected and mutually reinforcing elements of a comprehensive security strategy.
The platform’s structure facilitates public-private knowledge sharing, enabling integration of business expertise with governmental capabilities in protecting critical information infrastructure. This collaborative approach has notably strengthened cross-company and cross-sector communication, which is now embedded in all UP KRITIS activities.
Evolving regulations
The Federal Republic of Germany’s approach is closely aligned with evolving EU legislation, particularly the CER Directive, the NIS2 Directive and the DORA Regulation. National legislation transposing the two directives, the KRITIS Umbrella Act (KRITIS-Dachgesetz) and the NIS2 Implementation Act, establishes obligations for CI operators across the physical and cyber domains. The KRITIS Umbrella Act regulates the resilience and physical security of critical infrastructures, from 2025 onwards.
The Act sets minimum requirements and establishes a catalogue of obligations requiring operators of critical facilities to implement resilience measures. An all-hazards approach applies: every conceivable risk must be considered, from natural disasters to sabotage, terrorist attacks and human error. Smaller critical infrastructures have the option of voluntarily implementing resilience measures and can rely on industry-specific standards. Potential funding measures are intended to help them improve.
Penalties for violating the law’s provisions are intended to ensure that compliance with security standards is taken seriously and that critical infrastructures remain protected. The amounts have yet to be determined.
Federal ministries are authorized to issue legal regulations to specify resilience measures for the areas within their jurisdiction.
The regulatory landscape is set to evolve further.
CER
The forthcoming National KRITIS Resilience Strategy (2026) will provide a strategic roadmap to strengthen national coordination and sectoral resilience planning.
In contrast to cybersecurity, physical security has historically received less focus, partly due to the complex federal structure of the country, which consists of sixteen federal states (Länder) with differing responsibilities and approaches. With Germany transposing the EU Critical Entities Resilience (CER) Directive into national law by the end of the year, the framework for the physical resilience of critical entities will be strengthened.
NIS 2
Germany continues to experience a high volume of ransomware attacks and distributed denial-of-service (DDoS) attacks. In 2024, the cybersecurity industry recorded over 720 such incidents, a 67% increase compared to the previous year. The number of attacks targeting SMEs, government and municipal administrations increased sharply. Healthcare, and hospitals in particular, is under attack. As in most countries, many cyberattacks in Germany originate from foreign jurisdictions, making attribution and prosecution difficult. Perpetrators increasingly rely on a cybercriminal supply chain in which capabilities such as malware development, access brokerage and laundering of ransom payments are outsourced or consumed as services, the Crime-as-a-Service paradigm.
On July 24, 2024, the Federal Cabinet passed the draft NIS 2 Implementation and Cybersecurity Strengthening Act, transposing EU Directive 2022/2555 and bringing a comprehensive modernisation of German IT security law. IT security and incident reporting requirements are extended to more companies in more economic sectors, such as energy, transport, health and digital infrastructure. The number of organizations subject to cybersecurity obligations in Germany is expected to exceed 30,000 entities. This presents considerable administrative and enforcement challenges at the federal level, while cybersecurity within the federal administration itself must be strengthened too. The new laws replace the KRITIS regulations in place in Germany since 2014, with more operators in scope and more obligations. Originally scheduled for October 2024, the Act’s entry into force was delayed until after the new Bundestag convened in 2025.
The Federal Office for Information Security (BSI) receives new supervisory tools to enforce compliance with the new legal obligations. Operators of critical infrastructure facilities are required to register with the BSI, and organizations must promptly report significant cybersecurity incidents there. Registered entities must submit a biennial report to the BSI detailing the cybersecurity measures they have implemented. For accountability and continuous improvement, organizations must undergo certification and external audits in accordance with defined standards and sector-specific requirements.
Institutional Architecture
Germany’s CI protection is supported by a range of institutions operating at federal and sectoral levels. The Federal Ministry of the Interior (BMI) provides policy leadership and inter-ministerial coordination. The Federal Office for Information Security (BSI) oversees cybersecurity implementation and maintains national situational awareness. Public–private coordination is facilitated through platforms such as UP KRITIS, with strong engagement from sectoral associations.
The inter-ministerial Joint Coordination Task Force for Critical Infrastructure (GEKKIS) serves three key purposes:
• Providing situational reports on the protection of critical infrastructure, giving all federal ministries a cross-departmental overview of the current threat landscape.
• Enabling communication among ministries, identifying common challenges and developing coordinated responses.
• Convening an ad-hoc coordination group for relevant incidents, ensuring rapid and cohesive government action.
This collaborative institutional setup enables Germany to align with EU standards while ensuring tailored implementation through cross-sector coordination, federal–state integration and public–private engagement.
Conclusion
Germany’s approach to CIP follows the evolving EU conceptual framework, combining compliance with EU directives and national implementation. Key elements include:
• Transposition of EU legal instruments into national law, notably:
  • The Directive on the Resilience of Critical Entities (CER Directive)
  • The Directive on Security of Network and Information Systems (NIS2)
  • The Digital Operational Resilience Act (DORA), which as an EU Regulation applies directly.
• Lessons learned from previous regulatory cycles.
• Adaptation of EU-wide concepts to Germany’s federal system, accounting for sector-specific and state (Länder) needs.
The most significant conceptual shift is the transition from a protection-centric approach to a broader, dynamic focus on resilience, recognising that 100% security cannot be guaranteed. The emphasis increasingly shifts toward ensuring continuity and rapid recovery of services in the face of disruptions.
A key lesson is Germany’s well-structured system of communication, coordination and collaboration across the federal, state (Länder) and local levels. Government actors and public and private sector stakeholders play clearly defined roles in two-way communication. Mechanisms such as centralized platforms for incident reporting, secure information exchange and cross-sector coordination help foster mutual trust and transparency. These structures significantly enhance situational awareness and enable rapid, coordinated responses to emerging threats.
In the energy sector, operational continuity is central. Installed capacity must match national demand, while dynamic power management, designed with renewable energy in mind, is required for long-term sustainability. The German experience demonstrates integration of existing systems, managed decentralization, and flexible response to demand surges and supply disruptions.
Widespread digitization of CI has exposed systems to new and complex threats, rendering traditional protection methods inadequate. Cybersecurity has become strategic to CIP: once a peripheral concern, it now has dedicated legislation, enforcement mechanisms and technical standards. Rules and oversight structures dedicated to cybersecurity are a response to this reality and a model worth consideration by other countries.
Historically, the focus of CIP has been on large, high-value assets. Supply chains and SMEs now play a greater role. Risk management must extend across entire ecosystems, using unified threat catalogues to support all-hazards risk assessments, if compatibility, consistency and coordinated responses are to be achieved across sectors and across operators of different organization types.