Inquiry

Critical Infrastructure (KRITIS) – Physical Security Takes Center Stage

The role of physical security is being strengthened. On November 6, the German Federal Cabinet approved the draft of the new “KRITIS Framework Act.” Its aim is to protect critical infrastructure.

Man in protective clothing with a laptop under his arm looks at an industrial plant

On November 6, the Federal Cabinet approved the draft of the new KRITIS Framework Act. The aim is to improve the protection of critical infrastructure going forward. Physical security, in particular, is gaining importance.

With this new law, officially titled the “Act to Implement Directive (EU) 2022/2557 and to Strengthen the Resilience of Critical Facilities,” physical protection of critical infrastructure will, for the first time, be regulated across sectors and uniformly at the federal level. Companies and operators of critical facilities are increasingly exposed to a wide range of threats, including cybercrime, sabotage, terrorist attacks, and natural disasters. To ensure that all conceivable risks are considered under an “all-hazards approach,” these entities will be required to meet certain minimum standards. These standards are intended to help plan and implement targeted security measures.

Strengthening Resilience

Similar to the NIS2 Implementation Act, the goal is to enhance the resilience and security of infrastructures that are essential for supplying the population and the economy. Whether an entity is affected depends on specific criteria - for example, if it provides services to more than 500,000 people.

Companies and operators identified as part of the critical infrastructure will be required to meet strict minimum requirements and obligations, including:

  • Registration with the Federal Office of Civil Protection and Disaster Assistance (BBK)
  • Conducting risk analyses and assessments
  • Implementing resilience measures for prevention, mitigation, and recovery of facilities. These measures must be outlined in resilience plans
  • Reporting security incidents to the BBK and the Federal Office for Information Security (BSI) via an online portal
  • Providing evidence of compliance through audits

Focus on Physical Security

Resilience measures include physical protection strategies, regular risk assessments, and the establishment of disruption monitoring systems. In the area of physical security, structural and technical measures for facility protection - such as perimeter barriers, detection devices, video surveillance, and access control systems - are particularly important. Companies are encouraged to use modern technologies like software-based access control systems with real-time monitoring to enhance their security measures. These technologies support rapid response and recovery in emergencies and provide audit-proof documentation for supervisory authorities. They also improve personnel safety by assigning and logging access rights to critical facilities based on roles and criteria - for both employees and external service providers.

Although the Federal Cabinet has approved the draft, the law has not yet come into force. It has now entered the parliamentary process. What changes, clarifications, or adjustments will be made in the coming weeks and months remains to be seen. The law is expected to come into effect in spring 2025.