BBK Registration KRITIS: 2026 Guide

The deadline is 17/07/2026. By that date every critical installation must be entered in the BBK portal. Three complete data blocks and a signature from the executive board are mandatory (BBK, Kritische Infrastrukturen). This text walks through the fields the portal demands, the signature logic and the errors we have seen repeatedly across the first 100 registrations we supported.

What the 2026 BBK registration is meant to deliver

The BBK register is the central record of all critical installations in Germany. Previously, identification rested with sector regulators, often fragmented. From 2026 the database is the basis for supervisory, audit and notification duties under the KRITIS Umbrella Act (KRITIS-Dachgesetz) (Bundestag-Drucksache 20/9262).

The register is interlinked with the NIS-2 Notification Register. Anyone recorded as a KRITIS operator is automatically carried as a NIS-2 essential entity, provided the sector is identical. Duplicate entries are not foreseen, but data inconsistencies are a known risk: master and installation data must stay synchronous in both systems.

There is no protection of legitimate expectation for latecomers. Anyone registering after 17/07/2026 does not count as compliant on time. The BBK is required by law to forward late submissions to the competent fine-issuing authority. A "we were in the clarification phase" has so far not held up in hearings.

Next step: anyone who does not yet have a view of the full duty catalogue starts with the KRITIS Umbrella Act checklist with all 12 duties.

Who must register

Subject to registration are operators of installations above the thresholds set in the BSI-KritisV (gesetze-im-internet.de, KritisV). Despite the new umbrella act, the KritisV remains the controlling threshold ordinance. A replacement is announced for 2027 but is not yet in force.

Ten sectors are covered: energy, water, food, IT/telecoms, health, finance, transport/traffic, municipal waste, space and public administration. Each sector has its own threshold table in the KritisV annex. Subsectors are numbered, for example Annex 1 Part 3 No. 1.2.1 for electricity generation installations. This annex position is a mandatory field in the portal.

Self-classification is mandatory. There is no administrative notice that relieves the operator of the categorisation. Anyone waiting for a BBK notice misses the deadline. The BBK confirms receipt, audits samples and only issues notices in dispute cases.

Group level and installation level carry liability separately. A holding company with three electricity grid operators has four registrations, not one. Each installation has its own master data, its own threshold evidence and its own board signature. If the holding itself provides critical services, it is recorded in addition.

Three data blocks the portal demands

The BBK KRITIS portal structures input into three blocks. Each block has its own mandatory fields and its own evidence sources.

Block 1: operator master data. Mandatory entries: company name in the form used in the commercial register, register number with register court, VAT ID, registered office, address for service and board representation with name, date of birth and function. For AGs all board members authorised to represent. For GmbHs all managing directors with sole or joint representation powers. Inconsistencies between the commercial register entry and the portal entry are flagged automatically by the BBK.

Block 2: installation class. Sector, subsector, KritisV annex position (annex/part/number), installation type in plain text, geographic location (address plus geo coordinates), commissioning date. The installation class determines which supervisory authority is competent and which sector-specific duties apply. Classification drawn too narrowly is the most common error (see section 6).

Block 3: threshold evidence. This is where the supply level is documented. Mandatory fields: service provided in the KritisV unit of measurement (kWh, m³, number of insured), reference period (usually the last calendar year) and calculation method with formula. Added to that: the source of the input data, internal consumption billing, BNetzA report or Bundesnetzagentur statistics. Without a traceable source the evidence does not hold in audit.

Practical tip: we recommend one PDF evidence document per installation containing all three blocks plus raw data as appendix. The portal accepts PDF uploads up to 20 MB per installation. This document will be requested in the first BBK audit (normally 12 to 18 months after registration).

Who signs and who is liable

The registration is signed personally by a board member authorised to represent the company. Personally means: qualified electronic signature (QES) or transmission via De-Mail with sender-confirmed signature. A scanned signature under a PDF does not suffice.

In the case of joint signature the second signatory must be coordinated. The portal accepts two signatures sequentially, both must occur within 14 days, otherwise the case lapses. In groups with distributed boards, scheduling is the bottleneck, not data collection.

Delegation to the security function is not permitted. The KRITIS-Dachgesetz explicitly assigns registration to the management body, parallel to the construction in NIS-2 Article 20. Prokura and general power of attorney do not suffice. The security function prepares, the board signs.

Liability stays with the signing board member. False entries in Block 3 (understated threshold evidence to avoid registration) are pursued as an administrative offence, in serious cases as a criminal false statement to authorities (KRITIS-Dachgesetz § 62, Gesetze im Internet). The liability logic follows the known line from NIS-2 board liability in detail: personal, not insurable, subject to documentation.

After registration: ongoing duties

The BBK acknowledgement arrives by De-Mail or portal message, usually within 72 hours (BBK, Kritische Infrastrukturen). This acknowledgement is requested in the first audit. It belongs in the compliance archive unchanged, with timestamp and file reference.

Change notifications are due within four weeks (KRITIS-Dachgesetz § 34, Gesetze im Internet) as soon as installation class, thresholds or responsible persons change. Triggers are: installation expansion (new transformer station, additional data centre), exceeding the threshold, change of board, relocation of registered office, change of company name. We recommend a quarterly internal reconciliation, automatic triggers are rarely reliable.

A self-confirmation of the data is due annually, on the anniversary of initial registration. The portal sends a reminder. With updated data the process takes 30 minutes per installation. Without confirmation the entry is treated as overdue after 90 days, which triggers a supervisory signal (BBK, Kritische Infrastrukturen).

Registration is linked to the protection concept duty under the KRITIS-Dachgesetz. Anyone registered must submit a protection concept within 24 months (KRITIS-Dachgesetz § 38, Gesetze im Internet) covering both physical and cyber-related measures. For perimeter and site protection this includes a demonstrable detection procedure. One option is perimeter protection with autonomous patrol, which delivers patrol logs as audit evidence.

Common errors across the first 100 registrations

Error 1: threshold calculation without a traceable source. The most frequent finding. The supply level is in the portal, the calculation sits in an Excel on the security function's drive, the raw data are not versioned. In audit the BBK asks for the data source as at the reference date. Anyone reconstructing then loses. Fix: PDF evidence document per installation, signed, with date and source stamp.

Error 2: installation class drawn too narrowly. An operator registers a substation as "electricity transmission" but overlooks the medium-voltage distribution connected on the same site. The second installation remains unregistered, surfaces in audit, counts as omitted registration with its own fine range (KRITIS-Dachgesetz § 62, Gesetze im Internet). Fix: installation inventory before registration starts, with physical walk-down and reconciliation against the KritisV annex.

Error 3: unclear board representation in multi-tier group structures. The operating company has two managing directors with sole representation, the holding one board member with joint representation. Who signs for the installation? Answer: the representatives of the operating company, not the holding. Frequent false assumption: the holding board can "reach through". That works only if the holding itself is operator within the meaning of the KritisV.

Error 4: acknowledgement not in the compliance archive. The acknowledgement comes by De-Mail, gets printed by the secretariat, filed, forgotten. At the auditor's visit 14 months later it cannot be located. The BBK can produce an extract on request, that takes four to six weeks and counts as a procedural signal. Fix: De-Mail directly into the DMS, with a ten-year retention rule.

Anyone looking at guard service and patrol logs as integrated audit evidence finds the cost structure in Guard service cost 2026 TCO. The Robotics-as-a-Service model shifts patrol documentation into a rentable OpEx item, which helps in audits via tamper-resistant logs.

For individual clarification of group structure, sector assignment and signature questions, contact Marcus Köhnlein, Sales Lead Switzerland or go directly to the KRITIS consulting page. A 30-minute appointment is usually enough to sketch the registration path for the installations concerned.