KRITIS Bundesnetzagentur: Oversight and Audit Duties
KRITIS Bundesnetzagentur: sector oversight for energy and telecoms, audits under §11 EnWG, §165 TKG and the KRITIS Umbrella Act.
For security managers in energy and telecoms, the Bundesnetzagentur (BNetzA) is the most important oversight body next to the BSI. With the KRITIS Umbrella Act (KRITIS-Dachgesetz) its audit scope grows substantially. This text separates the mandates, lists the duties, and describes a 14-week plan to compliance.
KRITIS Bundesnetzagentur: jurisdiction and oversight mandate
The BNetzA is the sectoral oversight body for energy, telecommunications, post and rail. Thresholds derive from the BSI Critical Infrastructure Ordinance (BSI-KritisV); the operational duty derives from the EnWG, the TKG and the Postal Act. The audits cover proofs under §11 EnWG for energy and §165 TKG for telecoms. This audit runs in parallel to the BSI reporting duty under §8b BSIG; it does not replace it.
With the KRITIS-Dachgesetz the BNetzA additionally takes over the audit of physical resilience for electricity and gas operators. Sanctions: fines up to 10 million EUR or 2 percent of group turnover, depending on sector and offence (§14 KRITIS-Dachgesetz draft, BT-Drs. 20/9262). The reporting line is split. BNetzA audits sectoral requirements under EnWG and TKG, the BBK audits physical protection under the Dachgesetz. Security managers who fail to set this split up cleanly duplicate reports or miss deadlines.
For the full framework, start with the overview of KRITIS duties.
Which sectors the BNetzA regulates directly
In the energy sector this covers transmission grid operators without a threshold, distribution grids from 100,000 connected customers (Annex 1 BSI-KritisV), gas long-distance pipelines and storage facilities above the KritisV thresholds. In the telecoms sector public TK networks above the §109 TKG threshold fall in scope, as do data centres with carrier function. Post and rail include sorting centres, signal boxes and safety-critical switchgear.
Thresholds are reviewed every two years. The trend is clear: they fall. Operators just below the line today plan for KRITIS status in 2026. From 2026 onwards, operators below the KritisV threshold must also demonstrate baseline protection under the Dachgesetz as soon as they are classified as "particularly important entities".
Details per sector: KRITIS sector breakdown.
Audit duties under §11 EnWG and §165 TKG
The audit is due every two years. It is produced by an accredited audit body and submitted to the BNetzA. Content: state of the art in physical protection, access control, perimeter surveillance, detection and documented response chains.
The BNetzA security catalogue explicitly requires detecting measures. A fence is a deterrent, not proof. A fixed camera covers one line of sight, not a 360-degree view. The BNetzA requires demonstrable detection across the entire perimeter, with timestamp, sensor log and escalation path.
Defects lead to a notice with a 6-month deadline. If the deadline is missed, fines and public disclosure follow. Public disclosure hits listed energy suppliers harder than the fine. The BNetzA accepts robotic patrols as state-of-the-art proof, provided 24/7 coverage is fully documented and integrated into the control room.
Physical resilience: what the BNetzA audits since the Dachgesetz
Five points have been the focus of on-site audits since the Dachgesetz entered into force:
- Perimeter integrity. Gapless detection along the entire fence line. Camera lines of sight alone are insufficient, since blind spots arise.
- Response time. Documented intervention chain under 15 minutes from first alarm to arrival of a responding patrol or police (BNetzA security catalogue electricity/gas, 2023).
- Drone defence. Airspace detection up to 500 m radius for substations, gas pressure regulation stations and KRITIS data centres (BNetzA security catalogue electricity/gas, 2023).
- Redundancy. Two independent detection layers at critical plant sections, for instance transformer hall, switchgear, cooling.
- Exercise record. Annual stress test with documented evaluation and correction loop.
These requirements are operational. A PowerPoint security strategy will not survive the audit. The auditors want to see sensor logs, alarm chains and exercise records.
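As an added illustration of what "sensor logs, alarm chains and exercise records" means in practice, the following check (example code, not from the page or from Quarero Robotics) reads a constructed escalation log and a constructed sensor inventory, computes alarm-to-arrival response time against the 15-minute bound, and flags plant sections that lack two independent detection layers. The semicolon-separated log format and the sensor names are assumptions for the example.

```python
"""Audit-evidence check for two of the five BNetzA focus points (added example,
not Quarero's code): response time under 15 minutes and redundant detection."""
from datetime import datetime

RESPONSE_LIMIT_MIN = 15  # bound cited from the BNetzA security catalogue

# Constructed sample log: "alarm_id;section;sensor;alarm_ts;arrival_ts"
ESCALATION_LOG = """\
A-001;transformer_hall;thermal;2025-03-01T02:14:00;2025-03-01T02:26:30
A-002;switchgear;lidar;2025-03-01T03:40:00;2025-03-01T03:58:10
A-003;cooling;thermal;2025-03-02T23:05:00;2025-03-02T23:12:45
"""

# Constructed sensor inventory per critical plant section (assumed names)
DETECTION_LAYERS = {
    "transformer_hall": {"thermal", "lidar"},
    "switchgear": {"thermal"},
    "cooling": {"thermal", "fence_vibration"},
}

def parse_escalations(text):
    """Parse log lines into records with the response time in minutes."""
    records = []
    for line in text.strip().splitlines():
        alarm_id, section, sensor, alarm_ts, arrival_ts = line.split(";")
        alarm = datetime.fromisoformat(alarm_ts)
        arrival = datetime.fromisoformat(arrival_ts)
        records.append({"id": alarm_id, "section": section, "sensor": sensor,
                        "response_min": (arrival - alarm).total_seconds() / 60})
    return records

def late_responses(records, limit=RESPONSE_LIMIT_MIN):
    """Alarm ids whose documented intervention chain exceeded the limit."""
    return [r["id"] for r in records if r["response_min"] > limit]

def sections_lacking_redundancy(layers):
    """Sections with fewer than two independent detection layers."""
    return sorted(s for s, l in layers.items() if len(l) < 2)

def audit_findings(log_text=ESCALATION_LOG, layers=DETECTION_LAYERS):
    """Combine both checks into the defect list an auditor would ask for."""
    records = parse_escalations(log_text)
    return {"late": late_responses(records),
            "no_redundancy": sections_lacking_redundancy(layers)}

if __name__ == "__main__":
    print(audit_findings())
```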
Robotic patrol as an audit building block
Robotics is not a universal answer. It is the detecting building block that §11 EnWG requires, and it delivers the log material that the accredited audit body demands.
QR-2 delivers 24/7 thermal patrol with person detection up to 80 m at night (Quarero Robotics technical data sheet QR-2, 2025). Every patrol produces an audit-proof log file with timestamp, GPS track, thermal anomalies and escalation events. QR-3 adds LiDAR volumetry and drone detection, meeting the requirements for substations and KRITIS data centres under the Dachgesetz. Details under QR-3 for energy and data centres.
Robotics does not replace the control room. It supplies the detecting element. Alarms flow into the existing control room, the response comes from the patrol or the police. Pilot phase 4 weeks, full integration into an existing control room within 48 hours of delivery.
Once you have seen the log files, the difference becomes clear: an auditor does not tick off slides, an auditor reads sensor data.
Economics: BNetzA compliance without CapEx
A classic 24/7 guard post costs 15,000 to 25,000 EUR per month per position (BDSW industry report 2024). That figure includes three shifts, holiday, sickness and wage increases under the Manteltarifvertrag.
QR-2 under the RaaS model sits at 3,500 EUR per month (Quarero Robotics RaaS price list, Q1 2026). No investment, no staffing lock-in, no §34a bottleneck. The minimum term of 24 months covers exactly one BNetzA audit cycle. Additional units can be stationed within 48 hours for audit preparation or crisis situations.
In the regulated energy market the OpEx model is directly recoverable through grid charges. A CapEx investment, by contrast, requires multi-year depreciation. Comparison figures: guard service cost comparison. Model description: Robotics-as-a-Service model.
What does not work: robotics alone without a control room. What works: robotics as a detection layer, integrated into an existing control room with a clear escalation chain to police or works security.
Coordinating the BNetzA, BSI, BBK interface
The three authorities have separate mandates that converge in a single incident.
- BSI owns the cyber report under §8b BSIG. Deadline: without delay for significant disruptions.
- BNetzA audits sectoral requirements under EnWG and TKG, including physical protection per the security catalogue.
- BBK coordinates physical resilience under the Dachgesetz and runs the KRITIS operator register.
A break-in at a substation with manipulation of control technology triggers three parallel reports. Without a unified incident record, contradictions arise that count against you in the oversight audit.
The NIS-2 Directive obliges member states to sectoral oversight with fines up to 10 million EUR or 2 percent of group turnover (Art. 34 NIS-2 Directive 2022/2555). The German NIS-2 transposition shifts thresholds and broadens the addressee circle significantly. The board is personally liable for omitted reports (§13 NIS2UmsuCG draft, BMI, March 2025). More on this under NIS-2 and board liability.
Practical recommendation: an integrated incident scheme that serves all three authorities. One incident class, three report templates, one contact matrix. Registration with the BBK is the organisational foundation. Step-by-step guide: BBK registration step by step.
14-week plan to BNetzA compliance
The following plan is designed for one full audit cycle and validated in multiple energy operations.
Week 1 to 2: gap analysis. Match the current state against the latest BNetzA security catalogue. Document all detection gaps, missing sensor logs and undocumented response chains. Output: defect list with priority A, B, C.
Week 3 to 4: measure selection. Select detecting measures for the A defects. Pilot agreement for robotics with defined acceptance criteria: patrol frequency, night-time person detection, log format, control room interface.
Week 5 to 8: deployment. Delivery of QR-2 or QR-3, connection to the control room, training of dispatchers, test of the escalation chain with police and works security. Document every patrol from day one, since these logs become part of the audit evidence.
Week 9 to 12: stress test. Internal audit against the security catalogue, simulated intrusion, simulated drone overflight, documented response time. Correction loop for weaknesses found, for instance line-of-sight gaps or delays in the alarm chain.
Week 13 to 14: audit report sign-off. Site walk-through by the accredited audit body, sign-off of the detection layer, production of the audit report, timely submission to the BNetzA.
Anyone starting this plan starts with the gap analysis. The hardware only solves the problems that the gap analysis has described precisely. For an initial gap-analysis conversation: direct booking.