KRITIS
KRITIS is the abbreviation for Kritische Infrastrukturen — critical infrastructures — and refers in Germany to facilities and installations whose failure or impairment would lead to significant supply shortages or threats to public safety. The sectors covered include energy, water, food, healthcare, transport, finance, and information and communications technology. The legal basis is provided by the BSI Act in conjunction with the KRITIS Regulation, which defines specific thresholds at which an operator is classified as KRITIS-relevant. With the entry into force of the NIS2 Implementation Act at the end of 2025 and the KRITIS Umbrella Act at the start of 2026, the regulatory framework in Germany was significantly expanded and tightened.
KRITIS operators are subject to specific cybersecurity obligations that go well beyond general recommendations. They must register with the BSI, implement technical and organizational security measures, report security incidents, and regularly demonstrate their protective measures. Since 2026, the KRITIS Umbrella Act has added obligations for the physical protection of critical installations, for which separate registration with the Federal Office of Civil Protection and Disaster Assistance is required. In practice, KRITIS operators therefore bear a dual registration and reporting obligation toward two authorities.
KRITIS is not limited to large corporations. Municipal utilities, municipally owned hospitals, or regional water suppliers can fall under the KRITIS thresholds just as much as nationally operating companies. For IT managers in these organizations, this means that the systems and endpoints deployed must meet elevated requirements for security, documentation, and auditability that go well beyond what is standard in unregulated companies.
The key difference between KRITIS and NIS2 lies in their scope. While NIS2 covers a broad range of companies and institutions, KRITIS in the narrower sense refers only to the approximately 1,800 operators of critical installations that exceed a defined supply threshold and are therefore subject to the most stringent requirements. In public discourse, both terms are frequently used interchangeably, which can lead to misjudgments about one's own regulatory exposure.
For KRITIS operators, the comprehensive protection and documentation of all endpoints in use is a central component of the legally required protective measures. How this can be achieved with a GDPR-compliant and audit-proof device management solution becomes clear from a closer look at the available options.