Audit-Proof Patrol Records: 2026 Duties
Audit-proof patrol records for KRITIS operators: requirements from BSIG, KRITIS Umbrella Act and NIS-2, retention periods and audit preparation.
Audit-Proof Patrol Records for KRITIS Operators 2026
The auditor opens the patrol book and turns the pages. 14 entries, three signatures, no sensor data. That was acceptable in 2018. In 2026, a KRITIS facility that presents nothing more than this fails the audit. This article describes which requirements apply to audit-proof patrol records, which legal sources carry them, and which operational consequences security managers should draw.
Audit-Proof Patrol Records: What Auditors Expect in 2026
Auditors from BSI, BBK and ISO 27001 certifiers demand a gapless timeline of every patrol. Each waypoint must carry GPS coordinates, timestamp and at least one sensor log. A time-clock punch at point 7 is not sufficient. The auditor wants to see what was perceived at point 7 between 02:14:33 and 02:14:51.
Storage must be tamper-resistant and tamper-evident. The state of the art in 2026 is hash chaining: every record carries the hash of its predecessor, and the chain is stored on WORM (Write Once Read Many) media for ten years. Anyone changing a line breaks the chain, and the manipulation becomes visible. One caveat practitioners should keep in mind: a hash chain only exposes tampering if the current chain head is anchored somewhere the attacker cannot rewrite (the WORM copy, a signature, or a value handed to a third party). Without that anchor, an attacker with write access to the whole file can simply recompute every hash and present a chain that is internally consistent.
Raw data, evaluation and escalation decision must be kept separate. A sensor delivers a thermal image (raw data). An algorithm classifies it as a person (evaluation). An operator acknowledges and decides on police notification (escalation). These three layers must not merge into a single logbook entry, otherwise the chain of evidence cannot be traced in the audit.
Every event must be uniquely assigned to a sensor, a robot serial number and an operator ID. Anonymous entries are worthless. Written evidence under §8a BSIG and the forthcoming KRITIS Umbrella Act (KRITIS-Dachgesetz) explicitly requires this attribution.
Next step: read the KRITIS requirements for the current sector definitions.
Legal Framework: BSIG, KRITIS-Dachgesetz, NIS-2
§8a BSIG requires KRITIS operators to provide evidence of adequate measures every two years. The duty has applied since 2017 and was tightened in 2021 by the IT Security Act 2.0. The KritisV defines thresholds and duties for operators of critical facilities by sector.
The KRITIS-Dachgesetz extends the duty to physical protection measures from 2026. The draft in Bundestag-Drucksache 20/9262 requires for the first time an integrated record of IT and physical security. Perimeter monitoring, patrol routing and access control are thus explicitly part of the audit scope.
NIS-2 adds requirements at European level. Directive (EU) 2022/2555 requires documented incident detection with defined response times: an early warning to the competent authority or CSIRT within 24 hours, an incident notification with an initial assessment within 72 hours, and a final report no later than one month after the notification (Art. 23(4) Directive (EU) 2022/2555). Without an automated patrol record, these deadlines are not organisationally sustainable.
Registration with the BBK as the competent federal authority requires a defensible evidence structure. In the self-declaration procedure, BBK demands concrete evidence, not declarations of intent.
Director liability applies in the case of missing or incomplete documentation. §43 GmbHG and §93 AktG set the duty of care for managing directors and board members, and NIS-2 Article 20 adds that the management body must approve and oversee the risk management measures and can be held personally liable for breaches. Details in Director liability under NIS-2.
Components of a Tamper-Evident Patrol File
A tamper-evident patrol file consists of five layers. First, the patrol plan: target route, frequency per shift, risk justification per sector. Anyone who schedules the tank farm pass at 03:00 must be able to justify why it is not at 02:30 or at 03:30. The risk analysis justifies the frequency.
Second, the actual track: the route actually walked with deviation markings. Every deviation requires a cause (obstacle, alarm, maintenance). Deviations without justification are a red finding in the audit.
Third, the raw sensor data. RGB frames for visual documentation, thermal images for nocturnal heat sources, LiDAR point clouds for geometry and approach, audio tracks for glass breakage and shouts. Not every patrol point requires every sensor, but the risk analysis must justify the selection.
Fourth, detection events. Each event receives a classification (person, vehicle, animal, unknown), a confidence value (0.00 to 1.00) and an operator acknowledgement with ID and timestamp. Without acknowledgement, the event counts as unprocessed.
Fifth, the escalation protocol with all timestamps from alarm to handover to police or in-house security. NIS-2 explicitly requires this time chain.
Next step: KRITIS-Dachgesetz checklist 2026 for the gap analysis of your current system.
Why Manual Patrol Books Are No Longer Sufficient in 2026
Handwritten entries can be altered after the fact. Correction fluid exists, pages can be exchanged, signatures can be forged. Forensically, a paper book without a notarial seal offers no technical proof of integrity. Insurers and prosecutors know this.
Time clocks at checkpoints prove presence, not perception. This is the point internal auditors regularly overlook. A guard who scans the NFC chip at point 7 at 02:14 was at point 7. But he has documented nothing about the state of point 7. Was the gate locked? Was someone lying in the bushes? Was a generator running unevenly? Proof of presence without proof of perception will not withstand any damages claim.
Missing sensor evidence makes claims against insurers vulnerable. In cases of arson or burglary, the insurer asks: what did your patrol perceive at time X? Anyone delivering only timestamps pays the damage themselves.
Staff turnover compounds the problem. BDSW figures document about 17 percent fluctuation per year in the guard sector. Source: BDSW Annual Report 2023. A new guard does not know the site in the first weeks, misses anomalies and documents inconsistently. Consistency over 24 months, as the audit requires, cannot be organisationally achieved with this turnover.
Auditors increasingly demand machine-readable logs instead of paper folders. JSON, CSV or structured PDFs with hash values. Anyone still presenting paper files in 2026 signals a lack of maturity to the auditor.
How Quarero Robots Generate the Record Automatically
Every patrol run by a Quarero robot produces a signed JSON file. This file contains the patrol plan ID, the actual track as GPX and all sensor streams with timestamp. Detection events and operator acknowledgements are also included. The file is signed with the robot's private key and countersigned with the cloud's key on upload. The robot signature ties the file to the device that produced it, the countersignature ties it to the upload time; an auditor verifying the file therefore needs both public keys, which should be handed over separately from the files themselves.
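The sign-and-countersign scheme described above, as an added example in Go that is not Quarero's code: the robot serialises the evidence file once and signs exactly those bytes with an Ed25519 key, the upload endpoint refuses anything not signed by the enrolled device key and then countersigns payload, robot signature and upload time together, and the auditor-side check verifies both signatures over the stored bytes. The field layout, identifiers and sample event are assumptions made for the illustration; the vendor's real schema is not on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EvidenceFile is an assumed layout for one patrol run (illustration only, not
// the vendor's schema): plan ID, device identity, actual track, detection events.
type EvidenceFile struct {
	PatrolPlanID string           `json:"patrol_plan_id"`
	RobotSerial  string           `json:"robot_serial"`
	TrackGPX     string           `json:"track_gpx"` // full GPX document in practice
	Events       []DetectionEvent `json:"events"`
}

// DetectionEvent keeps the classifier output and the operator decision apart.
type DetectionEvent struct {
	Time       string  `json:"time"`
	Sensor     string  `json:"sensor"`
	Class      string  `json:"class"`
	Confidence float64 `json:"confidence"`
	OperatorID string  `json:"operator_id,omitempty"` // empty: not yet acknowledged
	AckTime    string  `json:"ack_time,omitempty"`
}

// SignedFile is the stored object: the exact bytes the robot signed, the robot
// signature, and the cloud countersignature over payload, signature and upload time.
type SignedFile struct {
	Payload    json.RawMessage `json:"payload"`
	RobotSig   string          `json:"robot_sig"`
	UploadTime string          `json:"upload_time,omitempty"`
	CloudSig   string          `json:"cloud_sig,omitempty"`
}

// RobotSign serialises once and signs exactly those bytes; verifiers check the
// stored bytes, so no canonicalisation is needed on their side.
func RobotSign(robotPriv ed25519.PrivateKey, f EvidenceFile) (SignedFile, error) {
	payload, err := json.Marshal(f)
	if err != nil {
		return SignedFile{}, err
	}
	return SignedFile{Payload: payload, RobotSig: hex.EncodeToString(ed25519.Sign(robotPriv, payload))}, nil
}

// countersignMessage length-prefixes the three parts so none of them can be
// swapped or re-split without invalidating the cloud signature.
func countersignMessage(sf SignedFile) []byte {
	var buf bytes.Buffer
	for _, part := range [][]byte{sf.Payload, []byte(sf.RobotSig), []byte(sf.UploadTime)} {
		fmt.Fprintf(&buf, "%d:", len(part))
		buf.Write(part)
	}
	return buf.Bytes()
}

func verifyHex(pub ed25519.PublicKey, msg []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

// CloudCountersign is the upload-side step: refuse anything not signed by the
// enrolled device key, then bind the upload time with the cloud key.
func CloudCountersign(cloudPriv ed25519.PrivateKey, robotPub ed25519.PublicKey, sf SignedFile, uploadAt time.Time) (SignedFile, error) {
	if !verifyHex(robotPub, sf.Payload, sf.RobotSig) {
		return SignedFile{}, errors.New("robot signature invalid, refusing to countersign")
	}
	sf.UploadTime = uploadAt.UTC().Format(time.RFC3339)
	sf.CloudSig = hex.EncodeToString(ed25519.Sign(cloudPriv, countersignMessage(sf)))
	return sf, nil
}

// VerifyFile is the auditor-side check: both signatures must hold over the stored bytes.
func VerifyFile(sf SignedFile, robotPub, cloudPub ed25519.PublicKey) error {
	if !verifyHex(robotPub, sf.Payload, sf.RobotSig) {
		return errors.New("robot signature does not match payload")
	}
	if !verifyHex(cloudPub, countersignMessage(sf), sf.CloudSig) {
		return errors.New("cloud countersignature does not match payload, robot signature or upload time")
	}
	return nil
}

// mustKey generates a fresh Ed25519 key pair (in production the robot key would
// be provisioned at enrolment, not generated per run).
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sampleFile is constructed sample data, not a real patrol.
func sampleFile() EvidenceFile {
	return EvidenceFile{
		PatrolPlanID: "PLAN-TANKFARM-NIGHT", RobotSerial: "QR2-000123",
		TrackGPX:     "<gpx><trk><trkpt lat=\"50.11\" lon=\"8.68\"/></trk></gpx>",
		Events: []DetectionEvent{{Time: "2026-03-02T03:42:10Z", Sensor: "thermal-1", Class: "person",
			Confidence: 0.93, OperatorID: "OP-17", AckTime: "2026-03-02T03:43:05Z"}},
	}
}

// RunDemo signs, countersigns and verifies the sample, then lowers one stored
// confidence value and verifies again. Returns (original ok, tampered ok, error).
func RunDemo() (bool, bool, error) {
	robotPub, robotPriv := mustKey()
	cloudPub, cloudPriv := mustKey()
	sf, err := RobotSign(robotPriv, sampleFile())
	if err == nil {
		sf, err = CloudCountersign(cloudPriv, robotPub, sf, time.Date(2026, 3, 2, 4, 0, 0, 0, time.UTC))
	}
	if err != nil {
		return false, false, err
	}
	origOK := VerifyFile(sf, robotPub, cloudPub) == nil
	tampered := sf
	tampered.Payload = bytes.Replace(sf.Payload, []byte(`"confidence":0.93`), []byte(`"confidence":0.13`), 1)
	if bytes.Equal(tampered.Payload, sf.Payload) {
		return origOK, false, errors.New("tamper step changed nothing")
	}
	return origOK, VerifyFile(tampered, robotPub, cloudPub) == nil, nil
}

func main() {
	origOK, tamperedOK, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", origOK, tamperedOK)
}
```

Two design points matter for the audit: the verifier checks the bytes that were actually stored, never a re-serialised copy, and the countersignature covers the robot signature and the upload time together, so a valid robot signature cannot be re-attached to a different upload record.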
QR-2 for 24/7 outdoor patrols documents thermal anomalies with image evidence and timestamp. A heat source 4 Kelvin above ambient temperature on a storage tank wall at 03:42 is a documented event, not the gut decision of a tired guard.
QR-3 with LiDAR and drone detection adds LiDAR point clouds and acoustic drone detection with a range of up to 400 metres for KRITIS-level sites. Both are relevant since the Bundeswehr and BSI documented increased drone overflights at energy infrastructure in 2024.
The data is stored encrypted in a WORM cloud located in Germany with tenant separation. Storage location Frankfurt or Berlin, AES-256 encryption, tenant separation at database level. Quarero has no read access to tenant data without explicit release.
Export for auditors is provided as PDF/A for the reading version plus machine-readable raw data (JSON, GPX, MP4) in under ten minutes. An auditor can draw a sample in the morning and review the evidence in the afternoon.
Next step: Robotics-as-a-Service model for the commercial structure.
Retention, Deletion Periods and GDPR Conflicts
Security-relevant logs must be retained for ten years. This follows from §257 HGB for business records and from KRITIS rules on evidence under §8a BSIG. Anyone unable to present a 2018 patrol file in 2026 violates the retention duty.
Personal image data follows a different logic. Routine deletion after 72 hours without an incident is the practice agreed with supervisory authorities. Longer storage requires a legal basis.
In an incident, evidence preservation applies under Art. 6(1)(f) GDPR (legitimate interest). If there is a reporting obligation, Art. 6(1)(c) additionally applies as a legal basis. The evidence preservation decision itself must be documented: who, when, on what basis.
Data subject rights must be implemented technically via a redaction function before audit release. Faces of third parties in the background are blacked out before export, and the redaction itself is logged. Redaction is applied to the export copy, not to the stored record, otherwise the hash chain over the original would break. The audit file remains complete and personality rights remain untouched.
The record of processing under Art. 30 GDPR must name sensor types (RGB, thermal, LiDAR, audio), storage locations (data centre, region, provider) and recipients (authorities, insurers, external auditors). A generic record will not withstand the audit.
Audit Preparation: Checklist for Security Managers
First: spot-check patrol files of the last 24 months for completeness. Method: draw ten random dates, pull one patrol each, check whether plan, track, raw sensor data, detection events and escalation protocol are present. Missing layers are findings that must be closed before the external audit.
Second: have hash chaining verified externally, not by the same provider who produces the files. An independent third party (an auditor with IT forensics competence or a certified test centre) draws a sample, recalculates the hashes and compares the chain head against the copy held on WORM or handed over earlier. This costs between 2,000 and 5,000 euros per check (indicative figure based on standard IT forensics offers, as of 2025) and delivers a separate verification certificate.
Third: reconcile escalation times against internal KPIs and NIS-2 requirements. Mean time from alarm to operator acknowledgement, mean time to police notification, mean time to report to the supervisory authority. Values over 30 minutes for the first two stages are critical in the KRITIS context.
Fourth: attach operator training records, including date and content. The §34a GewO expert-knowledge examination (Sachkundeprüfung) alone is not enough, the auditor wants to see site-specific briefing. An annual refresher with attendee list is the minimum standard.
Fifth: document the interface to the ISMS, with references to ISO 27001 Controls A.7 (human resource security) and A.8 (asset management) in the 2013 numbering; in ISO/IEC 27001:2022 the same ground is covered by A.6 (people controls), A.5.9 (inventory of information and other associated assets) and A.7.4 (physical security monitoring). Patrol records are an asset within the meaning of the standard.
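The hash chaining described in the section on what auditors expect, and the independent recalculation in the second step of this checklist, as one added example in Go that is neither Quarero's code nor a vendor format: records are appended with the hash of their predecessor, a full verification walks the chain and compares its head with an externally anchored value, and a spot check recomputes a single sampled record the way an auditor would. The record layout, waypoint names and sample entries are assumptions constructed for the illustration. The demo also shows the failure mode a chain alone cannot catch: an attacker who rebuilds every hash after an edit produces a chain that passes every internal check and is only exposed by the anchored head.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is one line of the patrol file (assumed layout, illustration only).
// The raw-data reference, the evaluation and the escalation stay separate fields.
type Record struct {
	Seq        int     `json:"seq"`
	Time       string  `json:"time"`
	Waypoint   string  `json:"waypoint"`
	SensorID   string  `json:"sensor_id"`
	RawRef     string  `json:"raw_ref"`               // SHA-256 of the raw sensor file, stored elsewhere
	Class      string  `json:"class,omitempty"`       // evaluation layer
	Confidence float64 `json:"confidence,omitempty"`
	OperatorID string  `json:"operator_id,omitempty"` // escalation layer
	Prev       string  `json:"prev"`                  // hash of the predecessor, "" for the first record
	Hash       string  `json:"hash"`                  // hash over every field above, Prev included
}

// hashRecord covers all fields except Hash itself. Struct field order is fixed,
// so json.Marshal yields the same bytes every time.
func hashRecord(r Record) string {
	r.Hash = ""
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append fills Seq, Prev and Hash and adds the record to the chain.
func Append(chain []Record, r Record) []Record {
	r.Seq, r.Prev = len(chain), ""
	if len(chain) > 0 {
		r.Prev = chain[len(chain)-1].Hash
	}
	r.Hash = hashRecord(r)
	return append(chain, r)
}

// VerifyChain recalculates every hash and link. It returns -1 when the chain is
// intact, the Seq of the first inconsistent record otherwise, and len(chain)
// when the chain is internally consistent but its head differs from the
// externally anchored head, which is the signature of a wholesale rebuild.
func VerifyChain(chain []Record, anchoredHead string) int {
	prev := ""
	for i, r := range chain {
		if r.Seq != i || r.Prev != prev || r.Hash != hashRecord(r) {
			return i
		}
		prev = r.Hash
	}
	if prev != anchoredHead {
		return len(chain)
	}
	return -1
}

// SpotCheck is the auditor's sample: recompute one record's hash and its link
// to the predecessor without walking the whole file.
func SpotCheck(chain []Record, i int) bool {
	if i < 0 || i >= len(chain) || chain[i].Hash != hashRecord(chain[i]) {
		return false
	}
	if i == 0 {
		return chain[0].Prev == ""
	}
	return chain[i].Prev == chain[i-1].Hash
}

// rebuildFrom is what an attacker with write access does: recompute every hash
// from the altered record onward so the chain is internally consistent again.
func rebuildFrom(chain []Record, from int) []Record {
	out := append([]Record(nil), chain[:from]...)
	for _, r := range chain[from:] {
		out = Append(out, r)
	}
	return out
}

type DemoResult struct {
	Intact, TamperedAt, RebuiltAt int
	SpotTampered, SpotRebuilt     bool
}

// RunDemo builds a constructed four-record patrol, anchors its head, then shows
// a single-field edit, a spot check on it, and a full rebuild after the edit.
func RunDemo() DemoResult {
	var chain []Record
	chain = Append(chain, Record{Time: "2026-03-02T02:14:33Z", Waypoint: "P7", SensorID: "thermal-1", RawRef: "sha256:aa11"})
	chain = Append(chain, Record{Time: "2026-03-02T02:31:05Z", Waypoint: "P8", SensorID: "rgb-2", RawRef: "sha256:bb22"})
	chain = Append(chain, Record{Time: "2026-03-02T03:42:10Z", Waypoint: "P12", SensorID: "thermal-1", RawRef: "sha256:cc33", Class: "person", Confidence: 0.93, OperatorID: "OP-17"})
	chain = Append(chain, Record{Time: "2026-03-02T03:58:40Z", Waypoint: "P13", SensorID: "lidar-1", RawRef: "sha256:dd44"})
	anchoredHead := chain[len(chain)-1].Hash // the copy held on WORM or handed to the auditor

	tampered := append([]Record(nil), chain...)
	tampered[2].Class = "animal" // downgrade the detection after the fact
	rebuilt := rebuildFrom(tampered, 2)

	return DemoResult{
		Intact:       VerifyChain(chain, anchoredHead),    // -1
		TamperedAt:   VerifyChain(tampered, anchoredHead), // 2: hash of record 2 no longer matches
		RebuiltAt:    VerifyChain(rebuilt, anchoredHead),  // 4: every link holds, only the head betrays it
		SpotTampered: SpotCheck(tampered, 2),              // false
		SpotRebuilt:  SpotCheck(rebuilt, 2),               // true: a sample alone cannot see the rebuild
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

The last two results are the practical lesson for the external check: a sampled recalculation catches a sloppy edit, but only the comparison of the chain head with a value the provider cannot rewrite catches a careful one.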
Cost Framework and Procurement
QR-2 is available from 3,500 euros per month, including the evidence system, storage and maintenance. The price covers WORM storage over the full retention period and the audit export.
A 24/7 guard post costs between 15,000 and 25,000 euros per month depending on the applicable collective framework agreement (Manteltarifvertrag) and region (indicative figure per BDSW wage overview 2025). This sum covers wages, ancillary wage costs, holiday cover and sick leave, but no automatic record. Comparison figures are in guard service cost comparison.
The RaaS model shifts the investment to operating expense. No acquisition, no depreciation over five years, fully deductible in the financial year. For KRITIS operators with an annual budget cycle, this is the operationally simpler structure.
Delivery and commissioning take place within 48 hours of contract signature. The minimum term is 24 months. This term covers a full audit cycle under §8a BSIG and enables a closed chain of evidence to be presented at the first follow-up audit.
A 90-day pilot delivers the first audit-ready evidence file. During this period, patrol plans are calibrated and sensor parameters adjusted. Operator workflows are aligned in parallel with the internal ISMS. Anyone starting in April has an auditable file in July, two full quarters of evidence by October and three by the end of the year.
For the next stage, arrange an initial site visit via book KRITIS initial site visit. We come with an auditor from our network for the initial walk-through, review your existing evidence structure and name the concrete gaps before contract signature.