Flux Platform is now available! Start your free 14-day trial

All resources

NIS2 vs. KRITIS: differences, overlapping obligations, and 2026 deadlines

Frederik Haller· Managing Director, starnode solutions GmbH8 min read

In short

KRITIS and NIS2 are not an either-or: KRITIS is Germany's regime for operators of critical facilities — determined by facility-based thresholds (standard threshold: 500,000 supplied persons), roughly 1,200 operators. NIS2 is the EU-wide cybersecurity regulation and captures around 29,500 companies in Germany across 18 sectors based on company size. Since Germany's NIS2 implementation act (in force since December 6, 2025), KRITIS operators are a subset of NIS2 entities — with additional duties such as attack detection and recurring audits. The KRITIS umbrella act (in force since March 17, 2026) adds physical resilience.

What is KRITIS?

KRITIS is the German term for critical infrastructures: organizations and facilities whose failure would seriously endanger public supply or safety. Germany has regulated KRITIS since the IT Security Act of 2015, through the BSI Act (BSIG) and the BSI Criticality Ordinance (BSI-KritisV).

The defining feature is the facility focus: you are a KRITIS operator if you run a facility in a defined category that reaches or exceeds the sector-specific threshold. Thresholds are generally derived from supplying 500,000 people — in drinking water supply, for example, 22 million m³ per year. Under the current BSI Act, covered sectors are energy, water, food, IT and telecommunications, health, finance, social insurance, transport and traffic, space, and municipal waste disposal. In Germany, this applies to roughly 1,200 operators running some 2,100 registered critical facilities (BSI, as of March 2026).

What is NIS2?

NIS2 is Directive (EU) 2022/2555 for a high common level of cybersecurity across the EU. Germany transposed it through the NIS2 implementation act (NIS2UmsuCG), which entered into force on December 6, 2025 and fundamentally rewrote the BSI Act.

Unlike KRITIS, NIS2 does not attach to facilities but to the company: if you operate in one of the 18 sectors and meet the size threshold — 50 or more employees, or both annual turnover and annual balance sheet total above €10 million — you generally fall under the law. German law distinguishes “particularly important entities” (including large companies with 250+ employees, or turnover above €50 million and a balance sheet total above €43 million, in core sectors) and “important entities.” In total, around 29,500 companies in Germany are affected — many times the previous KRITIS population.

How do NIS2 and KRITIS differ?

The two regimes differ in origin, logic, and reach:

  • Origin: KRITIS is a German concept (BSIG, BSI-KritisV); NIS2 is an EU directive creating harmonized obligations across all member states
  • Trigger: KRITIS is facility-based (facility category plus threshold, standard threshold 500,000 supplied persons); NIS2 is entity-based (sector plus company size)
  • Reach: roughly 1,200 KRITIS operators versus around 29,500 NIS2 entities in Germany
  • Protective goal: KRITIS targets security of supply for the population; NIS2 targets the cyber resilience of the economy at large — including supply chains
  • Level of obligation: KRITIS operators face the strictest requirements (including attack detection systems and recurring audits), while NIS2 entities follow a tiered catalog of measures based on Article 21

Importantly, KRITIS and NIS2 are not parallel regimes but nested ones. Under the new BSI Act, operators of critical facilities automatically count as particularly important entities — they are the most heavily regulated subset of the NIS2 universe.

What additional obligations do KRITIS operators have under NIS2?

All NIS2 entities owe the risk management measures (incident handling, business continuity, supply chain security, access control, MFA, and more), registration with the BSI, and the three-stage reporting process with a 24-hour early warning and a 72-hour notification. KRITIS operators must additionally:

  • Deploy attack detection systems that continuously and automatically capture and evaluate parameters from live operations (Section 31 BSIG)
  • Demonstrate implementation of their measures regularly — every three years to the supervisory authority (Section 39 BSIG)
  • Include details on the type of the affected facility, the critical service concerned, and the incident's impact on that service when reporting incidents (Section 32 BSIG)
  • Expect stricter, proactive supervision: the BSI can audit particularly important entities and KRITIS operators on its own initiative, without specific cause

Violations expose particularly important entities to fines of up to €10 million or 2% of global annual turnover, and important entities to up to €7 million or 1.4% — with management explicitly accountable.

What does the KRITIS umbrella act change?

While NIS2 governs cybersecurity, the KRITIS umbrella act (KRITIS-DachG) addresses the physical resilience of critical facilities. It transposes the EU's CER directive (Directive (EU) 2022/2557) and entered into force on March 17, 2026. For the first time, sabotage, natural disasters, staff and supply chain failures, and physical site protection are regulated uniformly across sectors at the federal level.

For operators of critical facilities this means concrete deadlines: registration with the Federal Office of Civil Protection and Disaster Assistance (BBK) no later than three months after a facility qualifies as critical. The originally planned cut-off date of July 17, 2026 was struck by the legislator in June 2026 because the KRITIS ordinance defining the decisive thresholds is still pending — the deadline now runs three months from that ordinance's entry into force. Registration is followed by a risk analysis no later than nine months after registration, and a resilience plan covering technical, structural, and organizational measures no later than ten months after. KRITIS operators must satisfy NIS2 and the umbrella act in parallel — the new laws added obligations, they did not replace them.

What should companies do now?

The statutory BSI registration deadline passed in March 2026 — but the BSI has granted late entities a final grace period until July 31, 2026. The BBK registration for KRITIS operators becomes due once the KRITIS ordinance enters into force. If you have not yet determined whether you are in scope, do it now:

  • Check applicability twice: do I operate a critical facility above the threshold (KRITIS)? And do I fall under NIS2 via sector and company size?
  • Catch up on or complete registrations: with the BSI (NIS2) and — for KRITIS operators — with the BBK (umbrella act)
  • Run a gap analysis against the BSI Act's risk management measures; KRITIS operators should additionally verify attack detection and audit readiness
  • Align and test incident response against the 24h/72h reporting deadlines
  • For KRITIS operators: schedule the risk analysis and resilience plan required by the umbrella act
  • Consolidate cyber and physical resilience in one management system instead of building two parallel silos

An ISO 27001 ISMS is the sustainable foundation for this: asset inventory, risk register, and controls cover the core of both regimes. Flux Platform maps this directly — assets from the CMDB, risks with assessment workflows, controls mapped to ISO 27001 and NIS2, and incident workflows that keep the reporting deadlines in view.

ISMS, risk, and compliance in one platform

Flux Platform unifies asset inventory, risk register, controls, and evidence — mapped to ISO 27001, NIS2, SOC 2, and GDPR.