Drone defence KRITIS: duties and technology 2026

Drone defence KRITIS is no longer optional in 2026. The legislator is introducing a duty to detect airborne threats, the threat picture has shifted, and the classic fence line defends nothing that happens above 30 metres. This text orders law, technology and cost so a plant manager can walk the supervisory board through the decision in a single session.

Drone defence KRITIS: threat escalation 2026

Since 2023 BBK and the Federal Police have documented recurring drone incidents at refineries, substations and data centres in Germany, Austria and Switzerland. [insert source] The incidents range from reconnaissance flights to property damage from dropped payloads. None of these cases was detected by the affected operator. The report typically came from witnesses, not from the guard force.

The technical barrier for attackers has fallen. A consumer drone with 5 to 7 km range, thermal imaging and 4K optics costs under 2,000 euros at retail. [insert source] FPV drones with 120 km/h and one kilogram of payload sell at 400 euros. [insert source] Anyone securing an industrial park has to assume the adversary is equipped on equal terms. Swarm attacks with five to twenty drones are documented [insert source], and FPV intruders pass any classic fence and camera line in under fifteen seconds.

The most frequent damage is not sabotage but espionage. Reading supply chains from visible tank cars, capturing personnel movements at shift changes, identifying security gaps on the roof. These are reconnaissance targets that once required physical penetration. Today a single flight is enough.

The KRITIS Umbrella Act (KRITIS-Dachgesetz) draft obliges operators to put protective measures in place against airborne threats (Bundestag-Drucksache 20/9262). That is the legal basis auditors will test from 2026 onwards. Further reading: KRITIS-Dachgesetz requirements.

Legal framework: what operators may and may not do

The most common legal mistake in the plant-manager conversation is confusing detection with active defence. Detection is permitted. Passive sensing (RF, radar, acoustic, optical, LiDAR) requires no special authorisation, provided frequency bands are not disturbed and recordings are GDPR-compliant.

Active defence is reserved to state authorities. Jamming, takeover and shootdown are assigned in Germany to police and Bundeswehr, regulated through § 27 LuftSiG and the TKG (BMI). A guard force operating a jammer commits an administrative offence or a criminal act, depending on the frequency intervention. Operators must maintain detection plus alarm chain, not perform neutralisation themselves.

The KRITIS-Dachgesetz draft (Drucksache 20/9262) introduces a duty of proof for airborne detection. NIS-2 adds reporting paths for security incidents affecting essential services (EUR-Lex 2022/2555). If a drone overflies a data centre and IT effects are plausible, the incident is reportable. Details on the reporting chain: NIS-2 compliance.

Sector assignment and thresholds are governed by the BSI-KritisV. Anyone listed there cannot avoid documented drone detection.

Detection layers: the four-sensor model

Reliable KRITIS drone detection works with four sensor types in fusion. A single layer fails regularly.

RF detection. Captures control frequencies in the 2.4 GHz and 5.8 GHz bands. For most consumer drones it identifies manufacturer, model and serial number from the datalink. Range up to 5 km. Weakness: autonomous drones without radio link are invisible.

Radar with micro-Doppler. Captures rotor rotation even on RF-silent FPV drones. Range from 800 m, depending on drone size. Weakness: bird flocks produce false positives if filtering is not calibrated.

Acoustic sensing. Rotor signature as a confirmation layer. Robust under sight obstruction from fog, rain or camouflage. Effective range 300 to 500 m, depending on ambient noise. The weakest single layer in industrial environments, but valuable for confirmation.

LiDAR and optical verification. Position confirmation in three dimensions, payload detection at the airframe, forensic recording for prosecution. LiDAR sees at night and against backlight, classic optics deliver the court-admissible image.

Fusion through a sensor-fusion layer reduces false positives to under two percent. [insert source] An RF-only solution typically sits at twelve to eighteen percent false alarms [insert source], which is rated insufficient in audit because the alarm chain then does not trigger.

QR-3: mobile drone detection at the perimeter

Static detection masts have fixed coverage. A mobile platform shifts the detection zone along the patrol route and closes blind sectors. The QR-3 with LiDAR and drone detection is built for this use.

The LiDAR head detects objects up to 120 m altitude with 360-degree coverage in the patrol radius. [insert source / datasheet] Thermal verification separates drone from bird by motor heat and flight pattern, a bird has no point heat source at the centre of the body. Patrol routes extend the detection zone by a factor of four to six against static masts [insert source]. The sensor head moves along the main axes of the plant instead of being fixed to one point.

Direct integration into the control-room situation picture runs over REST API and MQTT. Detection events go into the SIEM with timestamp, GPS position and sensor signature. Automatic escalation to police and BBK reporting point runs within the statutory deadline. The guard force must confirm verification before the authority report is triggered.

Rental price 3,800 euros per month under the Robotics-as-a-Service model, 48-hour delivery, replacement unit and calibration included.

Integration into the existing security concept

Drone defence is part of the protection concept under § 8a BSI Act and KRITIS-Dachgesetz. It is not an isolated discipline. The auditor assesses the overall concept, not individual sensors.

The sensor layer must correlate with SIEM, control room and physical guard force. An island solution fails the audit because response time cannot be evidenced. If the RF detector reports a drone but the control-room situation picture shows no entry, the chain is broken.

The alarm chain is standardised: detection, verification, guard force, police, authority report. Documented in under 90 seconds, from the first sensor event to the dispatched report. [insert source] That is the metric tested in audit.

Exercise cycle twice yearly, including a tabletop with the responsible state criminal police office. One exercise per year is the minimum, two are standard for KRITIS operators above the upper thresholds. Retention obligation 90 days, GDPR-compliant masking outside the plant grounds (public traffic areas and adjacent properties). More on perimeter integration: Perimeter protection in the industrial park.

TCO: drone defence under RaaS vs. CapEx

The cost calculation decides procurement. Three scenarios are realistic.

Stationary C-UAS installation. 180,000 to 450,000 euros CapEx, depending on sensor count and mast structure. [insert source] Plus 15 percent annual maintenance, plus calibration, plus sensor replacement after 24 to 36 months. Depreciation over five years. At half its book life the system is technically obsolete.

QR-3 under RaaS. 3,800 euros per month, all updates, replacement unit on failure, sensor calibration and software updates included. No depreciation, fully OpEx, terminable at short notice after the contract end.

Static 24/7 guard post. 15,000 to 25,000 euros per month per post, depending on Manteltarifvertrag and region. [insert source] Without drone detection, so not a substitute but a complement. Details: TCO comparison guard service cost.

A hybrid model of one QR-3 and two QR-2 covers 80 hectares of industrial perimeter for under 12,000 euros per month [insert source / datasheet]. Included are drone detection, person recognition and patrol function. That is half of a single 24/7 guard post. Depreciation risk falls away entirely. With a technology on an 18 to 24-month generation cycle that is the decisive advantage.

Implementation: 90-day roadmap for operators

A realistic rollout runs in three phases.

Days 1 to 14: threat analysis. Identification of critical points. Transformer station, tank field, server-room outside wall, cooling plant, emergency power. Mapping of approach corridors from the main wind directions and along sight lines from adjacent public areas.

Days 15 to 30: pilot installation. One QR-3 along the most exposed patrol route. Baseline recording (bird density, false-alarm rate, RF background) for calibration. Training of the first guard shift on sensor interpretation.

Days 31 to 60: integration. Connection to control room and SIEM. Test the alarm chain with police, run two documented exercises, fine-tune escalation protocols. Most weaknesses become visible in this phase. They typically sit at the interface between guard force and SIEM.

Days 61 to 90: roll-out. Full perimeter, audit documentation for BBK report prepared, exercise plan set for the next 24 months. Training of the full guard team on sensor interpretation and escalation protocol running in parallel.

The roadmap assumes the rest of KRITIS compliance is in place. Anyone with gaps there works the 12-duty KRITIS checklist 2026 in parallel.

Five audit errors and their causes

Five errors appear in nearly every audit.

Error 1: reliance on a single sensor type. RF-only fails on autonomous drones without radio link. An FPV drone on a pre-programmed route is invisible to pure RF sensing. Four-sensor fusion is not optional.

Error 2: purchase instead of rental. Sensor generations age in 18 to 24 months. [insert source] A CapEx installation on five-year depreciation is technically behind the attacker after three years. RaaS shifts the generation risk to the supplier.

Error 3: detection without alarm chain. The audit tests response time, not the sensor catalogue. Anyone running a perfect radar without a documented escalation to police fails.

Error 4: active countermeasures without legal basis. Jammers are sold at security trade shows but are not permissible for operators in Germany. Use is punishable under LuftSiG and TKG. Counter-UAS Germany for private operators means: detect, report, document.

Error 5: drone defence isolated from the rest of perimeter protection. Auditors assess the overall concept. A separate drone unit without connection to guard force, SIEM and control room does not meet the requirement.

Next step

The legal duty is in place, the technology is available, the cost is calculable under RaaS. Anyone walking into a KRITIS audit in 2026 needs documented drone detection with an alarm chain. The entry point is a pilot installation along the most exposed route. Requirements and specification: QR-3 drone detection, technical overview.