
NIS2, KRITIS Umbrella Act & Physical Security: Concrete Steps for Critical Infrastructure Operators


"We are affected"—now what?

It usually starts with an email from legal counsel, a tip from an auditor, or an article in the trade press. Then comes the internal research—and the realization that your company falls under NIS2 or the KRITIS Umbrella Act. Suddenly, terms like registration obligation, risk analysis, resilience plan, and evidence duty to authorities are on everyone's lips. And the big question: What does this mean concretely for our physical security—and where do we start?

This post answers exactly that. No theory, no generic summary of the directive, but a concrete roadmap: what the law requires, which deadlines apply, and how a Physical Penetration Test can serve as evidence for the duties of proof under NIS2 and the KRITIS Umbrella Act.

The NIS2 Implementation Act has been in force since December 6, 2025, with no grace period for implementing the required measures. The KRITIS Umbrella Act was passed on January 29, 2026. If you haven't acted yet, you are already behind.

Key figures at a glance:

  • ~30,000 companies in Germany fall under NIS2
  • Dec 6, 2025: NIS2 Implementation Act in force
  • Jul 17, 2026: registration deadline with the BBK (KRITIS Umbrella Act)
  • €10M, or 2% of worldwide annual turnover if higher: maximum fine for non-compliance (essential entities)

NIS2 and the KRITIS Umbrella Act: Two Laws, One Mandate

Many companies stumble over the question: Am I affected by NIS2, the KRITIS Umbrella Act—or both? The answer depends on the sector and company size. Important: both laws can apply simultaneously but address different protection goals.

NIS2 Implementation Act // In force since Dec 6, 2025
Cybersecurity as a Management Duty

  • Amended BSIG · BSI as regulator · ~30,000 affected companies
  • Focus: IT security, network and information systems
  • Risk management measures, including physical security components
  • Registration with the BSI: by March 6, 2026
  • Personal liability of executive management, including private assets
  • Incident reporting duty: early warning within 24h, incident notification within 72h, final report within one month

KRITIS Umbrella Act // Passed Jan 29, 2026
Physical Resilience as a Legal Mandate

  • Transposes the CER Directive (EU) 2022/2557 · BBK as regulator · KRITIS operators
  • Focus: physical protection, resilience, all-hazards approach
  • First uniform national minimum standards for the physical security of critical facilities
  • Registration with the BBK: by July 17, 2026
  • Physical risk analysis at least every 4 years, evidence of measures every 2 years
  • Applies to facilities whose failure affects at least 500,000 people

NIS2 protects your digital infrastructure. The KRITIS Umbrella Act protects your physical facility. Many operators fall under both simultaneously—and must therefore implement both IT security and physical resilience measures. An ISO 27001 certification alone is no longer enough.

Who falls under which law—and how do I know?

The first and most important question is: Does my company fall under NIS2 or the KRITIS Umbrella Act? Both laws require operators to identify themselves—an authority will not proactively contact you. If you misjudge your status and fail to register, you are still liable.

NIS2 affects you if:

  • Your company operates in one of the 18 defined sectors (see below)
  • You are classified as an Essential Entity: at least 250 employees, or more than €50M annual turnover and more than €43M balance sheet total
  • You are classified as an Important Entity: at least 50 employees, or more than €10M annual turnover and more than €10M balance sheet total
  • Regardless of size, if you are already classified as a KRITIS operator

KRITIS Umbrella Act affects you if:

  • You operate a critical facility whose failure affects at least 500,000 people
  • Your Federal State has set lower thresholds, in which case facilities with a smaller supply reach are also covered
  • You have been identified as a KRITIS operator by the BBK or relevant specialist authority
  • Sector 01, Energy: utilities, grid operators, power plants, EV charging networks
  • Sector 02, Water: water suppliers, wastewater disposal, treatment plants
  • Sector 03, Health: hospitals, laboratories, pharma manufacturers, medical devices
  • Sector 04, Transport: rail, airports, ports, public transit operators
  • Sector 05, Digital Infrastructure: data centers, cloud providers, IXPs, telecommunications
  • Sector 06, Finance: banks, exchanges, payment providers, insurance
  • Sector 07, Food: food production, wholesale, distribution
  • Sector 08, Waste Management: municipal disposal, recycling plants

The full list of sectors includes 18 areas—from energy and health to space and waste management. If you are unsure, the BSI provides an "affectedness checker" at bsi.bund.de. When in doubt, a legal assessment is worth the investment—the duty of self-identification applies regardless of whether an authority has contacted you.

The Roadmap: What to do by when

Combined, both laws create a tight calendar. The most important insight: With NIS2, there is no grace period for implementing measures. If you fell under the law when it came into force on Dec 6, 2025, you must already meet the requirements.

Dec 6, 2025 // NIS2 Implementation Act // In force
Law in effect. Measures are immediately mandatory; there is no transition period. Personal liability for management begins on this date.

Mar 6, 2026 // § 33 BSIG // Urgent
BSI registration deadline, three months after the law took effect. Failure to register is a violation in its own right, even without a security incident.

Jul 17, 2026 // KRITIS Umbrella Act // Soon
BBK registration deadline. Fines for non-compliance apply from this date. Registration via the joint BSI/BBK reporting portal.

~April 2027 // § 12 KRITIS Act // Prepare
First physical risk analysis due, 9 months after registration. The analysis must be documented, methodologically sound, and ready for inspection.

~May 2027 // KRITIS Act // Plan
All physical protections implemented, 10 months after registration: perimeter protection, access control, CCTV, resilience plan, fully implemented and documented.

Dec 2028 at the earliest // § 39 BSIG // Cyclical
First evidence of measure implementation to the BSI, due no earlier than 3 years after the law came into force (December 6, 2025), and every 3 years thereafter for KRITIS operators.

What concretely must be implemented—the physical part

Both NIS2 and the KRITIS Umbrella Act contain explicit physical security requirements. Many operators are surprised: they invested heavily in IT security, but the physical side was treated as secondary. This is fundamentally changing.

Physical Risk Analysis // § 12 KRITIS Act · NIS2 Art. 21 // 4-year cycle
Systematic assessment of all physical threats based on an all-hazards approach: sabotage, burglary, natural events, technical failures, human error. At least every four years. Must be documented and methodologically transparent.

Access Control & Perimeter // KRITIS Act · § 30 BSIG // Immediate
Verifiable implementation of access controls, perimeter protection, CCTV, and security personnel. The "state of the art" is the explicit benchmark, so outdated systems can pose a compliance risk. Two common examples: MIFARE Classic cards rely on the proprietary Crypto-1 cipher, which has been publicly broken since 2008, so card keys can be recovered and cards cloned; the Wiegand reader interface transmits credential data in the clear with no authentication, so it can be sniffed and replayed by tapping the reader wiring, whereas OSDP with Secure Channel encrypts and authenticates the reader-to-controller link.

Resilience Plan // KRITIS Umbrella Act // 10 months
Documented concept for prevention, management, and recovery after physical incidents. Includes alarm chains, emergency measures, and communication processes. The BBK provides templates, but adaptation to the specific facility is mandatory.

Duty of Proof (Authorities) // § 39 BSIG · KRITIS Act // every 2 to 3 years
NIS2: evidence every 3 years to the BSI. KRITIS Umbrella Act: evidence every 2 years to the BBK. Claims are not enough; proof must be documented, auditable, and verifiable by third parties. A documented penetration test report is a format that can be submitted directly as part of this evidence.

Incident Reporting // NIS2 Art. 23 · KRITIS Act // 24h / 72h
Significant security incidents must be reported within 24 hours (early warning) and with an incident notification including an initial assessment within 72 hours; a final report follows within one month. Physical incidents (burglary, sabotage) are reportable if they affect critical services.

Five questions you should be able to answer today

If your company falls under NIS2 or the KRITIS Umbrella Act, these are the five questions you must have a documented answer for—not eventually, but now.

Self-Check // Physical Compliance NIS2 & KRITIS
01 Have we registered with the BSI (Deadline: March 6, 2026)—and, if a KRITIS operator, with the BBK (Deadline: July 17, 2026)?
02 Do we have a documented physical risk analysis based on an all-hazards approach covering all buildings, access points, and supply infrastructure?
03 Does our access control technology meet the "State of the Art"—or are we still relying on systems with known cryptographic vulnerabilities?
04 Do we have auditable proof that our physical protection measures work under real conditions—not just on paper?
05 Does our management know they are personally liable with private assets for violations in implementing risk management measures (§ 38 Para 2 BSIG)?

Question 4 is the most critical. "We have access control" is not proof. "We conducted a documented Physical Penetration Test that validated our measures under real-world conditions"—that is proof.

Why a Physical Penetration Test is the most direct answer to the Duty of Proof

The KRITIS Umbrella Act and NIS2 don't just require measures to exist; they require their effectiveness to be proven. This is a fundamental shift from previous requirements. A checklist and the technical data sheet of your access control system (ACS) are no longer sufficient.

A Physical Penetration Test is the most effective preparation tool because it:

  • Simulates real attack conditions: Not a theoretical test, but a controlled attempt to overcome physical protections using the same methods a real attacker would use.
  • Provides auditable documentation: The test report contains a full list of tested attack vectors, vulnerabilities found, their risk potential, and concrete recommendations. This format is directly usable as evidence for the BSI and BBK.
  • Creates the basis for risk analysis: A physical risk analysis under § 12 of the KRITIS Act builds on empirical findings—what a pentest finds is not theory, but measured risk.
  • Prioritizes investment: Without a pentest, you either over-invest in the wrong areas or under-invest without knowing it. The report provides a prioritized roadmap for capital expenditure.
  • Is repeatable: After structural changes, changes in service providers, or a security incident—a current pentest shows the actual state, not the state from three years ago.

A documented Physical Penetration Test shows that the measures were validated under real-world conditions, not just on paper. This is the difference between a claim and evidence, which is exactly what NIS2 and the KRITIS Umbrella Act demand.

Conclusion: Regulation is here—the time for waiting is over

NIS2 has been in effect since December 2025. The KRITIS Umbrella Act was passed in January 2026. Both laws bring binding physical security obligations with the weight of evidence—including personal liability for management and fines in the millions for violations.

The question is no longer whether you must act. The question is whether you act structured—with a clear plan for registration, risk analysis, implementation, and proof. Or whether you wait until an authority comes asking.

The first concrete step is almost always the same: understanding where your physical security actually stands today. Not in the documentation—but in reality.

You know you're affected—but not where you stand on physical security?

We conduct structured Physical Penetration Tests that are directly usable as evidence for NIS2 and the KRITIS Umbrella Act. Documented, prioritized, auditable.

Tags // #CER #CriticalInfrastructure #Resilience #NIS2 #KRITIS #Compliance

© AccessGranted X GmbH