[Image: A compliance officer and a facilities technician on the operations floor of a German data centre checking a locked server cabinet with a card reader]

NIS2 and the KRITIS Umbrella Act: Two Laws, Two Deadlines, One Boardroom Matter

In 2026 Germany has two separate cyber and resilience laws in force. The NIS2 Implementation Act governs digital security through the BSI; the KRITIS Umbrella Act governs physical resilience through the BBK. Affected companies must keep them apart.

Cybersecurity in Germany has become a personal duty of the management board in 2026. The NIS2 Implementation Act has applied without a transition period since 6 December 2025 to around 29,500 to over 30,000 companies, with fines up to 10 million euros and personal liability under Section 38 BSIG (Federal Information Security Act). The KRITIS Umbrella Act (Critical Infrastructure Umbrella Act) adds physical resilience and a registration duty with the BBK from 17 July 2026, with fines up to 1 million euros. This article explains who is affected, what management liability means in practice, how the fines are tiered, and what companies should set up now.

Summary

Germany put two distinct but interlocking regimes into force in 2026. The NIS2 Implementation Act (NIS2UmsuCG) governs digital cybersecurity and has applied without a transition period since 6 December 2025 to around 29,500 to over 30,000 companies across 18 sectors; the regular registration deadline with the Federal Office for Information Security (BSI) ended on 6 March 2026. The KRITIS Umbrella Act governs the physical and organisational resilience of critical installations, has been in force since 6 March 2026, and requires operators of critical installations to register with the Federal Office of Civil Protection and Disaster Assistance (BBK) from 17 July 2026. The sharpest break with the old law is personal management liability under Section 38 BSIG: approval, monitoring and training cannot be delegated, and a waiver of liability is excluded. Essential entities face fines up to 10 million euros or 2 percent of worldwide turnover, important entities up to 7 million euros or 1.4 percent, while breaches of the physical resilience duties under the KRITIS Umbrella Act carry separate fines up to 1 million euros. The reporting duty runs in three stages: 24 hours, 72 hours and one month.

Two laws, two deadlines: what applies in 2026

Germany has put two separate but interlocking sets of rules into force in 2026. The NIS2 Implementation Act governs digital cybersecurity; the KRITIS Umbrella Act (Critical Infrastructure Umbrella Act) governs the physical and organisational protection of critical installations. Anyone affected must keep the two logics apart, because they have different authorities, duties and deadlines.

6 Dec 2025: NIS2 Implementation Act in force, with no transition period
6 Mar 2026: regular BSI registration deadline for NIS2 registration with the BSI
6 Mar 2026: KRITIS Umbrella Act in force, approved by the Bundesrat
17 Jul 2026: BBK registration begins for operators of critical installations
18 regulated sectors under NIS2, split into essential and important entities
24h / 72h / 1mo: three-stage reporting duty via the BSI reporting portal

The split is clear. NIS2 addresses IT and network security and applies through the BSI, while the KRITIS Umbrella Act addresses access control, perimeter protection and business continuity and applies through the BBK. The NIS2 Implementation Act was promulgated on 6 December 2025 and applies without a transition period; the regular BSI registration deadline ended on 6 March 2026. The KRITIS Umbrella Act was passed by the Bundestag on 29 January 2026, approved by the Bundesrat on 6 March 2026, and the BBK registration for operators of critical installations begins on 17 July 2026. The two regimes are interlocking, which innobu set out in its guide to BSI-compliant integration.

Who is affected: sectors and thresholds

The question is no longer whether a company is affected but how strongly. The NIS2 Implementation Act covers around 29,500 to over 30,000 companies with at least 50 employees or 10 million euros in annual turnover across 18 sectors, and it splits them into two classes with different levels of duty. The KRITIS Umbrella Act covers a much narrower group of operators of critical installations.

[Image: Two colleagues at a meeting table in a German utility office reviewing printed regulatory documents and a sector checklist on paper]
The first task is the applicability check: matching the company against the 18 NIS2 sectors and the employee and turnover thresholds, and separately against the KRITIS supply threshold.
Essential entities (NIS2): energy, transport, banking and financial market infrastructure; health, drinking water, waste water and digital infrastructure. Stricter duties and the higher fine ceiling of up to 10 million euros.
Important entities (NIS2): postal and courier services, waste management and chemicals; food, manufacturing and research. Duties apply, with the fine ceiling at up to 7 million euros.

The KRITIS Umbrella Act is framed more narrowly. It affects around 1,300 to 2,000 operators of critical installations, and the decisive criterion is the supply of at least 500,000 people. A single company can therefore fall under both regimes at once: under NIS2 for its digital security and under the KRITIS Umbrella Act for the physical resilience of its critical installations. The applicability check has to be run separately for each law.

Management liability: cybersecurity becomes a boardroom matter

The biggest break with the old legal position is the personal responsibility of the management. Under Section 38 BSIG (Federal Information Security Act) managing directors must approve the risk management measures, monitor their implementation and attend training in person, and they are liable to their own entity for culpably caused damage. Cybersecurity is no longer an IT task but a duty of the management board.

Management liability (Geschaeftsfuehrerhaftung) is the personal responsibility of a company's management under Section 38 BSIG to approve, monitor and be trained on the cybersecurity risk management measures, with liability to the entity for culpably caused damage and no possibility of delegation or waiver.
Key point

Approval, monitoring and training are expressly not delegable. A waiver of liability is excluded by law, and blanket clauses in articles of association do not protect managing directors. The management must personally sign off on and document the results of the risk analysis, which turns the formal cybersecurity duty into a matter that reaches the board table.

In practice this changes how decisions are recorded. It is no longer enough for an IT department to implement controls; the management must show that it approved the measures, kept their implementation under review and took part in the required training. The documentation of that chain becomes the evidence that protects the individual managing director when supervision asks questions.

Fines and enforcement: up to 10 million euros

Breaches can become expensive, and the BSI is already conducting active supervision in 2026. Essential entities face fines up to 10 million euros or 2 percent of worldwide annual turnover, important entities up to 7 million euros or 1.4 percent. In each case the higher of the two figures, the euro cap or the turnover share, applies.

NIS2 Implementation Act (BSI): essential entities up to 10 million euros or 2 percent of worldwide turnover; important entities up to 7 million euros or 1.4 percent of worldwide turnover; the higher of the euro cap and the turnover share applies.
KRITIS Umbrella Act (BBK): breaches of the physical resilience duties up to 1 million euros; separate from the NIS2 fine framework; missing the registration risks fines and added scrutiny.

Keep the two fine frameworks distinct: the NIS2 fines up to 10 million euros relate to digital cybersecurity duties supervised by the BSI, while the KRITIS Umbrella Act fines up to 1 million euros relate to physical resilience duties supervised by the BBK. A company under both regimes can be exposed to both frameworks at once, so the applicability and the duties have to be mapped separately for each law.

The obligations catalogue: from registration to audit

NIS2 compliance is not a single step but a recurring cycle of registration, risk management, reporting channels and evidence. Whoever sets the chain up cleanly once meets the ongoing duties far more easily. The path runs from checking applicability through registration to the audits that supervision can call at any time.

[Image: Vertical flow diagram of the NIS2 compliance path from checking applicability through registration with the BSI and risk management to reporting channels and ongoing evidence and audits]
The NIS2 compliance path in five steps: from checking applicability and registering with the BSI, through risk management and reporting channels, to the evidence and audits that supervision can call at any time.

The first step is registration with the BSI for NIS2, and separately with the BBK for the KRITIS Umbrella Act, with operator and installation details. The second is the substantive risk management: security concepts, emergency and backup management, and supply chain security. The third is the three-stage reporting duty, with an early warning within 24 hours, a substantive report within 72 hours, and a final report within one month. The fourth is the standing evidence base that an audit can draw on without a break.

What companies should do now

Utilities, municipal utilities and industrial firms should treat NIS2 and the KRITIS Umbrella Act as a governance and data topic, not a pure IT project. Whoever structures applicability, supply chains and evidence now avoids liability risks and is ready to deliver at the first inspection.

[Image: A small team in a German municipal utility operations room reviewing printed process maps and ring binders beside an access control panel and a locked equipment cabinet]
Routine compliance preparation in a municipal utility: process maps, access control and a locked cabinet bring the digital duties of NIS2 and the physical duties of the KRITIS Umbrella Act into one room.
1. Check applicability per sector and threshold
Test applicability against the 18 NIS2 sectors and the employee and turnover thresholds, then separately against the KRITIS supply threshold, and keep both deadlines, the BSI and the BBK, in view at once.

2. Build risk management as a provable process
Set up risk management, supply chain security and reporting channels as provable processes, not only as documents, so that controls can be evidenced rather than merely asserted.

3. Make the management board sign off
Have the management personally approve and document the risk analysis and attend the required training, because approval, monitoring and training under Section 38 BSIG cannot be delegated or waived.

4. Design data architecture for audit and reporting
Build the data architecture and logging so that audits and incident reports can be evidenced without a break, with the 24-hour, 72-hour and one-month reporting stages supported end to end.

Key point

The two laws apply now, and the registration deadlines have either passed or are close. Whoever maps applicability separately for the BSI and the BBK, builds provable processes and lets the management board sign off turns the legal duty into a defensible position. A wider ethical and legal compliance approach fits alongside cybersecurity: governance and data handling under GDPR belong in the same plan.

Frequently asked questions

What is the difference between NIS2 and the KRITIS Umbrella Act?

The NIS2 Implementation Act governs digital cybersecurity. It applies through the Federal Office for Information Security (BSI), demands risk management and reporting, and carries fines up to 10 million euros. The KRITIS Umbrella Act governs the physical and organisational resilience of critical installations. It applies through the Federal Office of Civil Protection and Disaster Assistance (BBK), demands access control, perimeter protection and business continuity, and carries fines up to 1 million euros. They have different authorities, duties and deadlines, so affected companies must keep the two regimes distinct.

Who is affected by NIS2 in Germany?

The NIS2 Implementation Act covers around 29,500 to over 30,000 companies in 18 sectors that have at least 50 employees or 10 million euros in annual turnover. It splits them into essential entities, such as energy, transport, banking, health, drinking water, waste water and digital infrastructure, and important entities, such as postal and courier services, waste management, chemicals, food, manufacturing and research. The KRITIS Umbrella Act covers a narrower group of around 1,300 to 2,000 operators of critical installations, defined mainly by the supply of at least 500,000 people.

What does management liability under Section 38 BSIG mean?

Under Section 38 BSIG the management must approve the risk management measures, monitor their implementation and attend training in person, and it is liable to its own entity for culpably caused damage. Approval, monitoring and training cannot be delegated, and a waiver of liability is excluded by law. Blanket clauses in articles of association do not protect managing directors. The management must personally sign off on and document the results of the risk analysis.

How high are the fines under NIS2?

Essential entities face fines up to 10 million euros or 2 percent of worldwide annual turnover, important entities up to 7 million euros or 1.4 percent, with the higher of the euro cap and the turnover share applying in each case. Breaches of the physical resilience duties under the KRITIS Umbrella Act carry separate fines up to 1 million euros. Missing the registration deadline risks fines and additional regulatory scrutiny, and the BSI is already conducting active supervision in 2026.

What are the NIS2 reporting deadlines?

The reporting duty has three stages, submitted through the BSI reporting portal: an early warning within 24 hours, a substantive incident report within 72 hours, and a final report within one month. The registration duty for operators of critical installations under the KRITIS Umbrella Act, handled by the BBK, begins on 17 July 2026, while the regular BSI registration deadline under NIS2 ended on 6 March 2026.