Businesses Must Take Proactive Steps for Cyber Resilience & Defense

Critical Infrastructure Firms Must Act Now to Strengthen Cyber Resilience, German Regulators Warn

By Dr. Olivia Bennett, Chief Editor, Business

LONDON — Operators of Germany’s critical infrastructure (KRITIS) face a stark reality: the legal framework is in place, but the responsibility to act lies squarely with them. As cyber threats grow in sophistication and frequency, regulators and security experts are urging these firms to move beyond compliance and proactively build resilience to withstand—and recover from—potential attacks. The message is clear: waiting for the next crisis is no longer an option.

Germany’s Federal Office for Information Security (BSI) has set stringent requirements for KRITIS operators, which include sectors such as energy, healthcare, finance and transportation. These firms are legally obligated to implement robust cybersecurity measures under the BSI Critical Infrastructure Ordinance (BSI-KritisV), which was last updated in 2021 to reflect evolving threats. However, experts warn that compliance alone is insufficient. “The regulatory framework provides the minimum standard, but resilience requires a cultural shift—one that prioritizes preparedness, rapid response, and continuous improvement,” said a spokesperson for the BSI in a statement to World Today Journal.

The urgency is underscored by recent high-profile cyber incidents. In 2025, a ransomware attack on a major German energy provider disrupted operations for nearly 48 hours, exposing vulnerabilities in the sector’s incident response protocols. While the attack did not result in a blackout, it served as a wake-up call for KRITIS operators, many of which had relied on outdated recovery plans. “The incident revealed gaps not just in technology, but in organizational readiness,” noted the BSI’s 2025 Resilience Study, which surveyed 120 KRITIS operators. Only 38% of respondents reported having a fully tested incident response plan, while just 22% conducted regular cybersecurity drills.

The Legal Framework: What KRITIS Operators Must Do

Under German law, KRITIS operators are required to meet specific cybersecurity standards, including:

  • Risk Assessments: Conducting annual risk assessments to identify vulnerabilities in IT systems, operational technology (OT), and supply chains. The BSI mandates that these assessments be documented and submitted for review.
  • Incident Reporting: Reporting cyber incidents to the BSI within 24 hours of detection, with a full report submitted within 72 hours. Failure to comply can result in fines of up to €20 million or 4% of global annual revenue, whichever is higher.
  • Technical Safeguards: Implementing measures such as multi-factor authentication, network segmentation, and encryption for sensitive data. The BSI also recommends adopting the ISO 27001 standard for information security management.
  • Business Continuity Planning: Developing and testing plans to ensure critical services can be restored within predefined timeframes. For example, energy providers must demonstrate the ability to restore operations within 24 hours of a disruption.

Despite these requirements, a 2025 audit by the BSI found that 42% of KRITIS operators had not fully implemented the mandated safeguards. “The gap between regulation and reality is concerning,” said Dr. Klaus-Peter Tiedemann, a cybersecurity expert at the Fraunhofer Institute for Secure Information Technology. “Many firms treat compliance as a checkbox exercise rather than a strategic priority.”

Beyond Compliance: Building True Resilience

While the BSI’s regulations provide a foundation, experts argue that true resilience requires a more holistic approach. “Resilience isn’t just about preventing attacks—it’s about ensuring that when an attack happens, the organization can continue to function,” said Dr. Anna-Lena Müller, a senior consultant at Aon’s Cyber Solutions, a global risk management firm. “In other words, investing in people, processes, and technology.”

Aon’s Cyber Loop framework outlines three key pillars for resilience:

  1. Preparation: Conducting regular tabletop exercises and simulations to test response plans. These drills should involve not just IT teams but also senior leadership, legal, and communications departments. “Many organizations fail to recognize that cyber incidents are not just technical problems—they’re business problems,” Müller noted.
  2. Response: Establishing clear protocols for incident detection, containment, and eradication. This includes defining roles and responsibilities, as well as setting up communication channels with regulators, law enforcement, and customers. The BSI’s 2025 study found that only 15% of KRITIS operators had a dedicated crisis communication plan in place.
  3. Recovery: Developing strategies to restore systems and data quickly while minimizing financial and reputational damage. This may involve working with third-party providers, such as cyber insurance firms, to quantify losses and manage claims. “The recovery phase is where many organizations fall short,” said Müller. “They focus on getting systems back online but neglect the long-term impact on stakeholders.”

For KRITIS operators, the stakes are particularly high. A successful cyberattack on critical infrastructure could have cascading effects, disrupting essential services and endangering public safety. In 2024, a cyber incident at a German hospital led to the postponement of over 1,000 surgeries, highlighting the real-world consequences of inadequate preparedness. “The healthcare sector is a prime target for cybercriminals because the impact of an attack is immediate and severe,” said Dr. Tiedemann. “Hospitals must prioritize resilience to protect patient care.”

The Role of Cyber Insurance

As cyber threats evolve, so too does the role of cyber insurance. Once seen as a niche product, cyber insurance has become a critical component of risk management for KRITIS operators. Policies typically cover costs related to incident response, legal fees, regulatory fines, and business interruption. However, insurers are increasingly demanding that firms demonstrate robust cybersecurity measures before offering coverage.

More businesses are taking proactive steps to invest in cybersecurity defences.

“Cyber insurance is not a substitute for resilience—it’s a complement,” said Müller. “Insurers want to see that organizations are taking proactive steps to reduce risk. Those that don’t may find themselves either uninsurable or facing sky-high premiums.”

A 2025 report by Allianz Global Corporate & Specialty found that the average cost of a cyber incident for KRITIS operators in Germany was €4.2 million, with business interruption accounting for nearly 60% of losses. The report also noted a 23% increase in ransomware attacks targeting critical infrastructure in the past year, driven in part by the growing use of artificial intelligence by cybercriminals.

What Happens Next?

The BSI has announced plans to conduct unannounced audits of KRITIS operators in 2026, with a focus on testing incident response capabilities. “We want to see that firms are not just compliant on paper but prepared in practice,” said a BSI spokesperson. The agency is also developing new guidelines for supply chain security, which will require KRITIS operators to assess the cybersecurity practices of their vendors and partners.

For firms that fail to meet the requirements, the consequences could be severe. In addition to financial penalties, operators may face reputational damage, loss of customer trust, and even temporary suspension of operations. “The message to KRITIS operators is clear: the time to act is now,” said Dr. Tiedemann. “Cyber threats are not going away—they’re only going to become more sophisticated.”

Key Takeaways for KRITIS Operators

  • Compliance is the baseline: Meeting regulatory requirements is essential, but it’s not enough. Firms must go beyond the minimum standards to build true resilience.
  • Invest in people and processes: Cybersecurity is not just an IT issue—it’s a business issue. Firms should involve leadership, legal, and communications teams in resilience planning.
  • Test, test, test: Regular drills and simulations are critical to identifying gaps in incident response plans. The BSI’s 2025 study found that only 22% of KRITIS operators conduct regular cybersecurity drills.
  • Leverage cyber insurance: Cyber insurance can help mitigate financial losses, but insurers are increasingly demanding proof of robust cybersecurity measures.
  • Focus on recovery: The ability to restore systems and data quickly is just as important as preventing attacks. Firms should develop and test business continuity plans regularly.

How to Stay Informed

KRITIS operators and other stakeholders can stay updated on the latest developments by following these resources:

  • Federal Office for Information Security (BSI)

The next major checkpoint for KRITIS operators is the BSI’s 2026 audit cycle, which will begin in the third quarter of the year. Firms are encouraged to review their cybersecurity measures and incident response plans ahead of the audits to ensure compliance and resilience.

What steps is your organization taking to strengthen cyber resilience? Share your thoughts in the comments below or join the conversation on Twitter.
