KRITIS
11.09.2025

eco On The German Cabinet Approval of KRITIS Act: Act Swiftly, Avoid Duplication

Today, the German Federal Cabinet approved the draft bill for the German KRITIS Umbrella Act (KRITIS DG), paving the way for further parliamentary proceedings. For the first time, uniform nationwide requirements for the physical protection of critical infrastructure will be created and the European CER Directive (Critical Entities Resilience Directive) will be transposed into German law.

The industry association eco – Association of the Internet Industry welcomes the swift legislation in view of geopolitical turmoil and the EU’s ongoing infringement proceedings. However, it sees considerable areas for improvement: a lack of legal regulations, the threat of overlap with the NIS2 implementation law, and unclear responsibilities between the federal government, the states, and the German Federal Office for Civil Protection and Disaster Assistance (BBK) and the German Federal Office for Information Security (BSI).

“Urgency is necessary, but there must be no duplication of obligations for companies,” emphasises Ulrich Plate, head of eco’s Critical Infrastructure Competence Group. The association also takes a critical view of the proposed sanction mechanisms, which it considers to be too vague at this stage. Instead, eco calls for a transparent, tiered model that first allows for improvements to be made and only then imposes sanctions.

The association positively highlights that the law creates a uniform framework for the protection of critical infrastructures – beyond cyber security, also against physical threats such as natural disasters, sabotage or terrorism.

Three points are now crucial for the further debate:

  • Regulatory ordinance on critical services and thresholds so that companies can clearly assess their obligations.
  • Harmonisation with NIS 2 to avoid double regulation in risk analyses, audits and reporting obligations.
  • Clear division of roles between the federal government, the states, the BBK and the BSI to prevent operational problems.

‘The KRITIS Umbrella Act is an important step towards greater resilience in Germany. However, it will only be effective if responsibilities are clearly defined and unnecessary duplication of work is avoided,” Plate sums up.

DORA Reporting Period Begins: Supply Chain Security as a Predetermined Breaking Point

You might also be interested in

Agenda 17
KRITIS
press release

NIS 2 Cabinet Decision Is Here: Questions Remain

The cabinet decision on the implementation of the NIS 2 Directive was announced today. This puts cybersecurity back on the political agenda – with tangible implications for companies in critical sectors. eco KRITIS expert Ulrich Plate explains the questions that remain unanswered in his latest assessment.
30.07.2025
The Fight Against Terrorism Should Not Happen at the Expense of the Security of All
Security
press release

eco Association: Europe Urgently Needs A Successor for Stopped CVE Database

Following the withdrawal of US funding, the CVE project faces shutdown – a serious blow to the global cybersecurity infrastructure. Klaus Landefeld, Member of the eco Board, warns of the consequences and calls for a swift, coordinated solution.
22.04.2025
DORA Reporting Period Begins: Supply Chain Security as a Predetermined Breaking Point
Policy & Law
press release

DORA Reporting Period Begins: Supply Chain Security as a Predetermined Breaking Point

Regulatory requirements increasingly affect non-regulated third-party providers De facto NIS2 compliance required even before coming into force Be prepared becomes a competitive factor Between 14 and 28 April 2025, financial institutions in the EU must have registered their IT service providers with the Federal...
11.04.2025