With the Final Government Draft of the KRITIS Umbrella Act, Germany Specifies National Implementation of the EU CER Directive
The German government has finalized its draft of the KRITIS-Dachgesetz (KRITIS Umbrella Act), which specifies the national implementation of the EU Directive on the Resilience of Critical Entities (CER Directive). While the economic-related requirements remain largely unchanged, the version adopted on September 10, 2025, introduces several relevant adjustments compared to the earlier draft from August 27, 2025.
Ambitious Timeline Remains
The timeline remains unchanged and ambitious: by January 17, 2026, the responsible authorities must present a national KRITIS resilience strategy and a comprehensive risk analysis. These documents will form the basis for obligations imposed on operators of critical infrastructure, who will be required to conduct their own risk analyses at least every four years.
Key Changes in the Final Draft (as of September 10, 2025)
- Responsibility in the Space Sector: The designated authority has changed. Instead of the Federal Office for Economic Affairs and Export Control, the Federal Ministry for Research, Technology, and Space is now responsible.
- Expanded Exemptions (§4 para. 2): The list of exemptions now includes paragraphs 14 and 15. Paragraph 24 is no longer listed as an exemption.
- Registration of Critical Facilities (§8 para. 1 no. 2): Operators are now required to report only the public IP ranges of the critical facilities themselves, not all public IP ranges of the entire company.
- Availability of Contact Point (§8 para. 1 no. 6): The contact point no longer needs to be available at all times. This change reduces the organizational burden for operators.
Additional Obligations for Operators
- Creation of a Resilience Plan including emergency preparedness measures. Templates are expected to be provided by the Federal Office of Civil Protection and Disaster Assistance (BBK) by January 2026.
- No specific proof-checking mechanism is planned, but the BBK may review documentation under §39 of the BSIG-E.
- Executive liability applies in cases of culpable damage. Unlike the NIS2 Implementation Act, there is no mandatory training requirement.
- Fines of up to €500,000 for violations.
Amendments to the Energy Industry Act (EnWG)
The Federal Network Agency will be authorized to define an IT Security Catalog (IT-SiKat) for the energy sector. Operators must implement and potentially certify compliance with this catalog. Random inspections are also planned.
Conclusion
The final draft introduces targeted clarifications, particularly regarding responsibilities and technical reporting obligations. The core economic requirements remain intact, and the timeline leading up to January 2026 continues to be ambitious. Companies should begin internal implementation early and closely monitor the evolving details.