Germany has long grappled with the vulnerability of its hospitals, power grids, and waterworks. Now, a new overarching law has come into force, setting uniform protection standards for such critical infrastructure across the country for the first time.
The so-called Critical Infrastructure Protection Act (KRITIS) defines, on a cross-sector basis, which companies and facilities are considered systemically important. Previously, regulations in this area were a patchwork of disparate rules. Going forward, operators in energy supply, healthcare, information technology, transport and logistics, as well as water and food supply, must meet minimum security requirements.
This move comes against a backdrop of increasing threats from cyberattacks, sabotage, and hybrid warfare. The federal government emphasizes that the law is intended to strengthen the nation's resilience. It also responds to demands from associations such as the German Association of Energy and Water Industries (BDEW) and the Association of Municipal Enterprises (VKU), which recently called for a stronger focus on protecting critical infrastructure at a KRITIS summit.
The new requirements include mandatory risk analyses, emergency plans, and regular reviews of security measures. Companies must demonstrate they are prepared for disruptions. Violations can result in fines.
Parallel to the legislative amendment, new players are emerging in the security market. For instance, cybersecurity firms ITC Secure and IronNet recently merged to form Collective Defence, a company specializing in protecting critical infrastructure from hybrid threats.
For citizens, the law means greater security in daily life. It aims to prevent blackouts, drinking water shortages, or the collapse of healthcare systems. However, implementation will take time and require significant investments from the affected companies. Experts expect the new standards to be introduced gradually.
The act marks a paradigm shift: no longer are individual sectors considered in isolation; instead, the entire network of vital services is now viewed as a single, protectable entity. In an era of geopolitical tensions and digital vulnerabilities, this approach is designed to make Germany's basic supply systems more crisis-resistant.
