After the traffic light coalition stalled both in implementing the NIS-2 Directive and the KRITIS Framework Act for the implementation of the CER Directive, a new draft for the KRITIS-DG dated August 27, 2025, has now been presented. However, little will change for businesses. First, a national KRITIS resilience strategy and a risk analysis must be prepared by the competent authorities. Both must be submitted for the first time by January 17, 2026—a highly ambitious schedule.
On this basis, operators of critical facilities must conduct their own risk analyses at least every four years. Which operators are affected will be determined by statutory ordinance. As already known from the IT Security Acts, the thresholds are based on 500,000 people supplied. In principle, a uniform statutory ordinance is planned, which will apply to both the KRITIS-DG and the NIS2UmsuCG. Requirements for this can be issued by the BMI or the BBK by ordinance.
Operators must also prepare a resilience plan that includes emergency preparedness measures and implements minimum requirements. Templates for this are to be provided by the BBK by January 2026. A specific verification procedure is not planned, but the BBK can inspect verification documents according to § 39 BSIG-E and thus monitor implementation.
Management boards are obliged to implement appropriate resilience measures and are liable for damages caused by culpable breaches. However, there is no training obligation as in the NIS2UmsuCG. In case of violations, fines of up to 500,000 euros may be imposed.
In addition, the draft provides for amendments to the EnWG. For example, the BNetzA will in future be able to define an IT-SiKat, which affected operators in the energy sector must implement and, if necessary, have certified. Random checks are also possible.
Overall, the regulations relating to the economy remain largely unchanged. What stands out is the tight schedule: by January 2026, a resilience strategy and an initial risk analysis must already be in place—provided the law comes into force in time.