Overview
- Ministers adopted the Kritis-Dachgesetz draft, which establishes a federal framework for safeguarding critical infrastructure, and sent it to the Bundestag and Bundesrat.
- Operators must register by 17 July 2026 and prepare resilience plans detailing protective measures against outages and disruptions.
- The draft imposes duties for physical security, risk analyses, and incident reporting, applying an all-hazards approach covering natural events, sabotage, terrorism, human error, and cyber risks.
- Rules target major facilities in sectors such as energy, transport, finance, health, water, food, and IT/telecom, with coverage focused on operators serving large populations.
- Non-compliance can trigger fines ranging from €50,000 to €500,000, and the framework complements Germany’s ongoing transposition of the EU NIS2 cybersecurity rules.