Berlin – Germany has taken a significant step towards bolstering the security of its critical infrastructure with the recent passage of the KRITIS-Dachgesetz, or Critical Infrastructure Protection Act. Approved by the Bundesrat on March 6, 2026, the legislation aims to create a more unified and robust defense against a growing range of threats, from cyberattacks and sabotage to natural disasters and terrorism. The law, initially passed by the Bundestag in January, represents a landmark effort to harmonize security standards across various sectors vital to the nation’s functioning, including energy, transportation, healthcare and digital networks.
The need for such legislation has become increasingly apparent in light of escalating geopolitical tensions and a rise in hybrid warfare tactics. Recent incidents, such as the attack on the Berlin power grid in early January, highlighted vulnerabilities within Germany’s infrastructure and underscored the urgency for a comprehensive protective framework. The KRITIS-Dachgesetz seeks to address these concerns by establishing minimum security requirements for operators of critical infrastructure and mandating the development of comprehensive protection measures and emergency plans. This move aligns with an existing European Union directive on the resilience of critical entities, bringing German law into compliance with EU standards.
A Unified Approach to Critical Infrastructure Protection
Prior to the KRITIS-Dachgesetz, the protection of critical infrastructure in Germany was fragmented, with varying standards and regulations across different sectors. This created inconsistencies and gaps in security, making it difficult to establish a cohesive national strategy. The new law aims to rectify this by establishing a nationally standardized and cross-sectoral approach to safeguarding these essential assets. It defines which infrastructure facilities are indispensable for securing the population’s supply and maintaining the economy, generally encompassing those serving more than 500,000 people.
According to the German Federal Ministry of the Interior and Community, the protection of critical infrastructure is “not just any issue, but simply necessary for our country, for our security, our economy and for every single citizen.” Interior Minister Thomas Strobl emphasized the shared responsibility of the state and operators in ensuring this protection, focusing on both preventing disruptions and minimizing their consequences should they occur.
Concerns and Ongoing Refinements
While the Bundesrat’s approval marks a significant milestone, the legislation is not without its critics. Concerns have been raised regarding the threshold of 500,000 citizens for defining critical infrastructure, with some arguing that it is set too high. The vbw – Vereinigung der Bayerischen Wirtschaft e. V. (Association of Bavarian Industry), for example, has cautioned that this threshold could disadvantage rural, less densely populated areas of Germany. Bertram Brossardt, the vbw’s Chief Executive Officer, stated that the current value is “too high” and could leave certain regions vulnerable. The organization advocates for regular review of this threshold to ensure equitable protection across the country.
Another point of contention revolves around the involvement of the federal states (Länder) in defining critical infrastructure within their jurisdictions. The vbw argues that Länder should have the flexibility to establish their own criteria based on regional specificities. The organization stresses the need to incorporate state and administrative structures more prominently into the legislation, as they are currently underrepresented. Brossardt also highlighted the security risks associated with publicly accessible information about critical infrastructure, supporting a review of information and transparency requirements to strike a balance between openness and resilience.
Addressing Bureaucratic Burden and Responsibilities
The vbw also calls for an “effective and practical process” for identifying critical infrastructure in close coordination with operators. They emphasize the importance of clear responsibilities between the government and the private sector, advocating for a collaborative approach to developing and implementing protection strategies. Avoiding a “regulatory patchwork” is crucial, according to the vbw, to ensure a consistent and effective national defense against both physical and cyber threats. This sentiment echoes broader concerns about the potential for overly burdensome regulations to stifle innovation and economic growth.
The Scope of Critical Infrastructure
The KRITIS-Dachgesetz encompasses a wide range of sectors deemed essential for the functioning of modern society. These include, but are not limited to:
- Energy: Power plants, electricity grids, oil and gas pipelines.
- Transportation: Airports, railways, ports, and major roadways.
- Healthcare: Hospitals, medical facilities, and pharmaceutical supply chains.
- Digital Infrastructure: Internet exchange points, data centers, and telecommunications networks.
- Finance: Banking systems and financial markets.
- Food and Water Supply: Food processing plants, water treatment facilities, and distribution networks.
- Governmental and Military Facilities: Essential government buildings and military installations.
The law requires operators within these sectors to conduct risk assessments, implement appropriate security measures, and develop contingency plans to mitigate potential disruptions. These measures may include physical security enhancements, cybersecurity protocols, and emergency response procedures. The specific requirements will be detailed in forthcoming legal ordinances issued by the Federal Ministry of the Interior and Community.
Implementation and Future Outlook
The passage of the KRITIS-Dachgesetz is just the first step in a longer process of implementation and refinement. The law mandates an evaluation of its effectiveness within two years, allowing for adjustments based on practical experience and emerging threats. This ongoing assessment will be crucial to ensuring that the legislation remains relevant and effective in the face of evolving challenges. The Bundesrat’s approval also signals a commitment to collaboration between the federal government and the Länder in shaping the future of critical infrastructure protection in Germany.
The law’s success will depend on the effective cooperation between government agencies, private sector operators, and security experts. Clear communication, shared intelligence, and a proactive approach to threat detection and mitigation will be essential to safeguarding Germany’s critical infrastructure and ensuring the safety and security of its citizens. The legislation also underscores the growing recognition of the interconnectedness of critical infrastructure sectors and the need for a holistic, systems-based approach to security.
Key Takeaways
- Germany has enacted the KRITIS-Dachgesetz to strengthen the protection of its critical infrastructure.
- The law aims to harmonize security standards across vital sectors, including energy, transportation, and healthcare.
- Concerns remain regarding the threshold for defining critical infrastructure and the involvement of federal states.
- Implementation will require close collaboration between government, industry, and security experts.
- The law will be evaluated within two years to assess its effectiveness and identify areas for improvement.
The next key step will be the issuance of detailed legal ordinances by the Federal Ministry of the Interior and Community, outlining the specific requirements for operators of critical infrastructure. Stakeholders are encouraged to monitor these developments and actively participate in the ongoing dialogue surrounding the implementation of the KRITIS-Dachgesetz.
What are your thoughts on the new law? Share your comments below and let us know how you think Germany can best protect its critical infrastructure in the face of evolving threats.