KRITIS Risk Analysis: Template and Method 2026
KRITIS risk analysis under the Umbrella Act: method, template with 12 mandatory fields, threat scenarios and a 14-week roadmap for operators.
The KRITIS risk analysis is the central proof from 2026 onward that an operator secures its critical service against all relevant hazards. It is not an annex to the protection concept, but a standalone mandatory document. This text delivers the method, a template structure with twelve mandatory fields and a 14-week roadmap that makes the analysis audit-ready.
KRITIS risk analysis: legal framework 2026
The KRITIS Umbrella Act (KRITIS-Dachgesetz) obliges operators to conduct a documented all-hazards analysis. It is kept separate from the NIS-2 cyber assessment and covers physical, hybrid and natural hazards. Bundestag-Drucksache 20/9262 fixes the sanction framework at up to EUR 10 million or 2 percent of worldwide group revenue. Management is personally liable.
§ 8a BSIG and the KritisV define the sector thresholds. Energy, water, food, IT, health, finance, transport and municipal waste disposal each have their own facility categories and minimum supply sizes (BSI-KritisV). The risk analysis must be updated every 24 months and filed with the BBK.
Important distinction: the KRITIS risk analysis is not the occupational risk assessment under ArbSchG. The occupational assessment protects employees at the workplace. The KRITIS analysis protects the public against supply failure. Both exist in parallel, with separate responsibilities and separate documents. Anyone who mixes both into one document fails at the first spot check.
After the Baltic Sea incidents of 2024, the scope explicitly includes drone attacks and insider sabotage. Natural hazards such as flooding, storm and heat are included, as are cascade effects from upstream networks. Operators who have not yet worked through the 12-duty framework should start with the KRITIS-Dachgesetz checklist with 12 duties.
Method: from protected asset to scenario
Step 1 is the inventory of the critical service. Which facilities must work for the service to operate? Substation, pumping station, control room, emergency power supply. Facilities with no effect on the service do not belong in the analysis.
Step 2 classifies assets by recovery time (RTO). Facilities with RTO above 72 hours are highly critical and receive a separate marker in the template. Facilities with RTO below 4 hours are prioritised lower, but not excluded.
Step 3 forms scenarios using the 5x5 grid of probability and damage extent, derived from the BBK risk analysis method (BBK). For each scenario: concrete description, not generic. "Sabotage at substation North, intervention at control cabinet C-12" is usable. "Sabotage" alone is not.
Step 4 derives measures, separated into prevention (fence, access control), detection (sensors, patrol), response (intervention force, control centre) and recovery (spare parts inventory, personnel reserve). This separation prevents a single guard post from being misused as a universal answer.
Step 5 documents the residual risk in writing. Management accepts with date and signature. Without this signature the analysis counts as incomplete. The method is now set. The template follows.
Template: the twelve mandatory fields per scenario
Each scenario in the KRITIS risk assessment template contains twelve fields. This structure reproduces the BBK audit grid and is audit-ready.
| Field | Content |
|---|---|
| 1 | Scenario ID (sequential number, e.g. KRIT-2026-014) |
| 2 | Designation (short, precise, location-specific) |
| 3 | Affected facility and location |
| 4 | Critical service |
| 5 | Hazard category (physical, cyber, natural, hybrid) |
| 6 | Probability 1 to 5 with source |
| 7 | Damage extent supply 1 to 5 |
| 8 | Damage extent persons, environment, reputation 1 to 5 |
| 9 | Risk index (product, colour-coded) |
| 10 | Measures with owner, deadline, budget |
| 11 | Effectiveness metric (measurable, quarterly) |
| 12 | Reference to maintenance and exercise plan |
Probability requires a source citation. Permissible sources are sector statistics, documented incident history or a justified expert estimate with minutes. An assessment without source is rejected by the BBK.
The risk index is the product of probability and maximum damage extent. From index 12 a measure is mandatory. Indices from 6 to 11 require a justified decision. Values below 6 are documented and monitored.
Field 11 decides on audit readiness. "Detection and first response under 4 minutes, measured quarterly by red-team test" is a metric. "Guard service in place" is not. Field 12 requires the exercise record. Without a documented exercise, the measure counts as not implemented.
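The scoring rules above (step 2's RTO marker, the risk index as probability times maximum damage extent, and the decision bands 12+, 6 to 11 and below 6) are mechanical enough to encode. The following is an added worked example, not code from the article and not a BBK-prescribed schema: a scenario record carrying the twelve fields, the index calculation, and a validate() pass that returns the findings an auditor would raise (missing probability source, index 12 or more without a measure, a measure without owner, deadline, budget, metric or exercise record). The dataclass, field names, colour bands and the sample citation strings are this example's own choices; the scenario ID and designation are the ones the article uses.

```python
"""Added worked example: twelve-field KRITIS scenario record with risk index,
decision class and audit-readiness checks. Field names and messages are this
example's own; only the 1-5 scales and the 12 / 6-11 / <6 bands come from
the article's method description."""
from __future__ import annotations
from dataclasses import dataclass, field as dc_field

HAZARD_CATEGORIES = {"physical", "cyber", "natural", "hybrid"}  # field 5


def rto_class(rto_hours: float) -> str:
    """Step 2 of the method: marker by recovery time objective."""
    if rto_hours > 72:
        return "highly critical"
    if rto_hours < 4:
        return "lower priority"
    return "standard"


def risk_index(probability: int, damage_supply: int, damage_other: int) -> int:
    """Field 9: product of probability and the maximum damage extent (both 1 to 5)."""
    for v in (probability, damage_supply, damage_other):
        if not 1 <= v <= 5:
            raise ValueError("scores must be on the 1 to 5 scale")
    return probability * max(damage_supply, damage_other)


def decision_class(index: int) -> str:
    """Decision bands from the article: 12+ mandatory, 6 to 11 justified decision, below 6 monitored."""
    if index >= 12:
        return "measure mandatory"
    if index >= 6:
        return "justified decision required"
    return "document and monitor"


def colour(index: int) -> str:
    """Field 9 colour code; mapping of bands to colours is this example's assumption."""
    return {"measure mandatory": "red", "justified decision required": "amber"}.get(
        decision_class(index), "green")


@dataclass
class Scenario:
    scenario_id: str            # field 1
    designation: str            # field 2
    facility: str               # field 3
    service: str                # field 4
    hazard_category: str        # field 5
    probability: int            # field 6
    probability_source: str     # field 6, mandatory citation
    damage_supply: int          # field 7
    damage_other: int           # field 8 (persons, environment, reputation)
    measures: list = dc_field(default_factory=list)  # field 10: dicts with owner, deadline, budget
    effectiveness_metric: str = ""                   # field 11
    exercise_reference: str = ""                     # field 12
    rto_hours: float = 0.0                           # step 2 marker input

    def index(self) -> int:
        return risk_index(self.probability, self.damage_supply, self.damage_other)

    def validate(self) -> list[str]:
        """Findings that would make this scenario non-audit-ready; empty list means clean."""
        findings = []
        if self.hazard_category not in HAZARD_CATEGORIES:
            findings.append("field 5: unknown hazard category")
        if not self.probability_source.strip():
            findings.append("field 6: probability without source citation")
        if decision_class(self.index()) == "measure mandatory" and not self.measures:
            findings.append("field 10: index >= 12 but no measure recorded")
        for m in self.measures:
            for key in ("owner", "deadline", "budget"):
                if not m.get(key):
                    findings.append(f"field 10: measure missing {key}")
        if self.measures and not self.effectiveness_metric.strip():
            findings.append("field 11: measure without measurable metric")
        if self.measures and not self.exercise_reference.strip():
            findings.append("field 12: measure without exercise record counts as not implemented")
        return findings


def example_scenarios():
    """Two constructed records: one audit-ready, one with typical gaps."""
    ok = Scenario(
        scenario_id="KRIT-2026-014",
        designation="Sabotage at substation North, intervention at control cabinet C-12",
        facility="Substation North, control cabinet C-12",
        service="Electricity distribution",
        hazard_category="physical",
        probability=3,
        probability_source="Sector statistics 2024, expert session minutes 2026-01-20 (constructed citation)",
        damage_supply=5,
        damage_other=3,
        rto_hours=96,
        measures=[{"type": "detection", "owner": "Head of plant security",
                   "deadline": "2026-09-30", "budget": "EUR 120k (constructed)"}],
        effectiveness_metric="Detection and first response under 4 minutes, measured quarterly by red-team test",
        exercise_reference="Exercise plan 2026, tabletop Q2, record EX-2026-03 (constructed)",
    )
    incomplete = Scenario("KRIT-2026-015", "Sabotage", "Substation North", "Electricity distribution",
                          "physical", 3, "", 5, 3)
    return ok, incomplete


if __name__ == "__main__":
    for s in example_scenarios():
        print(s.scenario_id, s.index(), colour(s.index()), rto_class(s.rto_hours), s.validate() or "audit-ready")
```

The second record reproduces two of the mistakes the article lists (generic designation without site detail cannot be checked mechanically, but the missing source and the missing measure at index 15 are caught).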
Threat scenarios: what belongs in every analysis in 2026
Five scenarios belong in every KRITIS risk analysis from 2026, regardless of sector.
Drone overflight with reconnaissance or drop intent: documented since 2024 in 11 federal states. All sectors with outdoor facilities are affected, from substations to waterworks. Detection requires LiDAR or RF sensors. Optical systems alone are not sufficient at night.
Sabotage by external offenders at the perimeter: cable and fibre-optic cutting is the most frequent pattern. Average restoration takes 36 hours. Measures combine mechanical hardening with early detection at the outer fence.
Insider threat with physical access: according to BDSW industry data, insider cases account for a substantial share of serious incidents (BDSW figures, data, facts). Frequently combined with a cyber component, producing a hybrid scenario within the meaning of the template.
Flooding and heavy rain: relevant for a large share of KRITIS sites according to the BBK climate projection for 2030. The analysis must consider water levels, retention areas and emergency power on raised levels.
Power outage of the upstream grid level over 24 hours: mandatory scenario since the KritisV amendment of 2025. It tests how long the operator's own service can be maintained without external power, and whether diesel, battery or PV backups are documented and tested. The NIS-2 cyber assessment runs in parallel and complements these physical scenarios with attack vectors on OT and IT (NIS-2 Directive).
A full list of sector-specific minimum scenarios is in the requirements for KRITIS operators.
Physical measures: perimeter, detection, intervention
The mechanical perimeter is a basic requirement. Fence to DIN EN 1722, turnstiles at personnel gates, bollards at vehicle entries. Mechanics alone detect nothing. They delay.
Sensor detection by thermal cameras and LiDAR identifies intrusion attempts at night, in fog and rain. Static installations have blind spots, especially at corners, behind transformer buildings and on slopes. These gaps are to be documented in the template, not concealed.
Autonomous patrol closes these gaps. QR-2 covers 24/7 outdoor perimeters with thermal and person detection. QR-3 with LiDAR and drone detection adds short-range airspace monitoring. Details on application to industrial sites are in the overview perimeter protection for industrial parks.
Police intervention time in rural areas is 12 to 18 minutes. Every measure in the template must bridge this gap with its own first response, whether mechanical, sensor-based or personnel-based. A TCO comparison of the options is in guard service cost in TCO comparison.
The effectiveness of measures is verified quarterly by red-team tests. Self-declarations without testing count as unsupported in the audit.
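To show what "measured quarterly" looks like as evidence rather than a self-declaration, here is an added example (not from the article and not any vendor's tooling) that evaluates the field-11 metric from a detection and first-response log. The log format, the site names and the five red-team test events are constructed for this example; a real sensor or control-centre export needs its own parser. A detection with no logged response counts as a failed test, which is the case that is easiest to lose when the metric is only computed over completed pairs.

```python
"""Added example: quarterly evaluation of 'detection and first response under
4 minutes' from a constructed DETECT/RESPONSE log."""
from datetime import datetime, timezone
import re

# Constructed red-team test log: DETECT when the sensor alarmed, RESPONSE when the
# first responder reported arrival. RT-05 deliberately has no response line.
SAMPLE_LOG = """\
2026-01-14T02:14:05Z DETECT site=substation-north zone=F3 sensor=thermal test=RT-01
2026-01-14T02:17:21Z RESPONSE site=substation-north unit=patrol-1 test=RT-01
2026-02-20T23:40:00Z DETECT site=waterworks zone=W1 sensor=lidar test=RT-02
2026-02-20T23:43:59Z RESPONSE site=waterworks unit=guard-2 test=RT-02
2026-03-30T01:00:10Z DETECT site=substation-north zone=F1 sensor=thermal test=RT-03
2026-03-30T01:03:30Z RESPONSE site=substation-north unit=patrol-1 test=RT-03
2026-05-02T03:12:00Z DETECT site=waterworks zone=W4 sensor=thermal test=RT-04
2026-05-02T03:14:45Z RESPONSE site=waterworks unit=guard-1 test=RT-04
2026-06-18T22:30:00Z DETECT site=substation-north zone=F3 sensor=lidar test=RT-05
"""

LINE_RE = re.compile(r"^(\S+)\s+(DETECT|RESPONSE)\s+(.*)$")
THRESHOLD_SECONDS = 4 * 60  # the metric from field 11


def parse_log(text):
    """Yield (timestamp, kind, attrs) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attrs = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield ts, m.group(2), attrs


def quarter_of(ts):
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"


def response_intervals(text):
    """Map test id -> (quarter, seconds); seconds is None when no response was logged."""
    detects, responses = {}, {}
    for ts, kind, attrs in parse_log(text):
        test = attrs.get("test")
        if not test:
            continue
        (detects if kind == "DETECT" else responses)[test] = ts
    result = {}
    for test, t0 in detects.items():
        t1 = responses.get(test)
        secs = (t1 - t0).total_seconds() if t1 is not None and t1 >= t0 else None
        result[test] = (quarter_of(t0), secs)
    return result


def quarterly_metric(text, threshold=THRESHOLD_SECONDS):
    """Per quarter: tests run, tests within threshold, unanswered tests, worst interval, pass/fail."""
    per_q = {}
    for quarter, secs in response_intervals(text).values():
        q = per_q.setdefault(quarter, {"tests": 0, "within": 0, "unanswered": 0, "worst_seconds": 0.0})
        q["tests"] += 1
        if secs is None:
            q["unanswered"] += 1      # no first response logged: counts as a failed test
            continue
        q["worst_seconds"] = max(q["worst_seconds"], secs)
        if secs <= threshold:
            q["within"] += 1
    for q in per_q.values():
        q["met"] = q["tests"] > 0 and q["within"] == q["tests"]
    return per_q


if __name__ == "__main__":
    for quarter, q in sorted(quarterly_metric(SAMPLE_LOG).items()):
        print(quarter, q)
```

The per-quarter dictionary is what goes into field 11 as evidence: the worst interval and the count of unanswered tests are the two numbers an auditor will ask about, and both survive even when the average looks fine.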
Documentation and audit by the BBK
The risk analysis is kept as a standalone document, not as an annex to the protection concept. Typical scope is 40 to 80 pages, depending on facility count and sector.
Mandatory components are: method description, scenario catalogue, measure matrix, residual risk declaration by management, exercise plan and revision history. If one of these parts is missing, the document is not audit-ready.
The BBK can announce spot checks with 14 days of advance notice. The full documentation must be in German. English annexes are tolerated, but not the main body. Audit readiness requires every statement to be supported by evidence: sensor log, training record, maintenance log, exercise report.
Recommendation: digital management with version control. A standalone PDF leads to inconsistencies as soon as more than two people make changes. Changes must be traceable with date, author and reason. The formal filing with the BBK is described in the BBK registration step by step.
Typical mistakes and how to avoid them
Mistake 1: adopting generic templates without site-specific content. The BBK recognises boilerplate text by stock phrases and demands rework. Every template is a starting point, not a final product.
Mistake 2: probability based on internal group incidents instead of sector statistics. Anyone evaluating only their own data systematically underestimates rare but catastrophic events. External sector data from BBK, BDSW and sector associations must be used.
Mistake 3: measures without metrics. "Guard service in place" is no evidence. "Detection and intervention under 4 minutes, measured quarterly" is. Every measure field needs a measurable, quarterly verifiable quantity.
Mistake 4: separation of cyber and physical analysis without an interface. Hybrid scenarios such as manipulated access via compromised badges otherwise fall through the cracks. The template must carry a "hybrid share" column.
Mistake 5: management signs without having read the measure catalogue. In a liability case, the public prosecutor treats this as intent, not negligence. The consequences are described in detail in board liability under NIS-2.
From document to implementation: 14-week roadmap
Weeks 1 to 3: asset inventory and sector research. Workshop with operations, IT, plant security and external advisors. Result: complete facility list with RTO classification and sector benchmark.
Weeks 4 to 7: scenario building and assessment in moderated sessions. In parallel, walkdowns of all critical sites with photo and situation documentation. Result: scenario catalogue with risk indices.
Weeks 8 to 10: measure derivation with budget and suppliers. Pilot installation of sensors or robotics. Quarero delivery time is 48 hours from order confirmation for QR-2 and QR-3. Result: measure matrix with owners and deadlines.
Weeks 11 to 12: staff training, tabletop exercise with participation of control centre and management, first red-team tests at the perimeter. Result: exercise records and effectiveness metrics.
Weeks 13 to 14: finalisation of the document, residual risk declaration, signature by management, filing with the BBK. Result: filed risk analysis with confirmation of receipt.
Follow-up cycle: quarterly review of metrics, annual tabletop exercise, full update every 24 months. Ad-hoc update on incidents, structural changes or new threat situations.
Operators who have not yet started the KRITIS risk analysis, or want an existing analysis checked for audit readiness, can book a 30-minute expert session via the contact form. We supply the template structure and the sensors in one process.