KRITIS Umbrella Act Checklist: 12 Duties by July 2026
KRITIS-Dachgesetz checklist with BBK registration deadline 17.07.2026, 12 operator duties, fines and a 14-week plan for boards.
The clock is running. On 17.07.2026 every operator of a critical facility must be registered with the Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK). This KRITIS-Dachgesetz checklist summarises the twelve operational duties, names the fine bracket and delivers a 14-week plan. It does not replace a legal opinion. It is the working basis for management and security leadership, the same basis on which we, Raphael Nagel and Marcus Köhnlein, wrote the KRITIS operator handbook (ISBN 978-3-912703-01-6) and on which operators are going into implementation today.
What the KRITIS Umbrella Act 2026 actually requires
The act covers ten sectors: energy, water, food, IT and telecommunications, health, finance and insurance, transport and traffic, media and culture, government and administration, municipal waste disposal. Thresholds are updated through the KritisV. Operators that sat just below the threshold in 2024 should re-check in 2026. Supply ratio and facility class decide, not revenue.
The key difference from the previous BSIG: physical resilience is a standalone duty. Until now perimeter protection was a side chapter in the cyber security concept. Now the legislator demands a separate threat analysis, a separate protection concept and a separate audit record for the physical layer. Drones, sabotage at the perimeter, insider threats, natural events: each is its own chapter. The draft act in Bundestag-Drucksache 20/9262 makes this explicit in § 9 and § 10.
The BBK registration deadline is 17.07.2026 according to the Bundesamt für Bevölkerungsschutz und Katastrophenhilfe. Operators not registered are in breach from day one. Fine proceedings run independently of whether an incident has occurred.
Relation to NIS-2: most KRITIS operators fall under the NIS2UmsuCG in parallel. Cyber duties under NIS-2 and physical duties under the KRITIS-Dachgesetz interlock but must be documented separately. Duplicated work is the rule, not the exception.
The 12 duties in operational overview
- Risk assessment with threat analysis and protection concept. Written, dated, updated at least annually. Threat scenarios per BBK methodology.
- State of the art for physical and cyber security. The § 8a BSIG legacy continues to apply. New: physical components such as perimeter detection, access control, sensor systems. State of the art is measured against available market solutions, not against procurement preferences.
- Reporting of significant incidents within 24 hours to BBK and BSI. Initial report informal, detailed report within 72 hours.
- Personnel reliability checks for security-relevant roles. Guard personnel under §34a GewO remains the minimum standard but does not suffice for key positions.
- Audit-proof patrol records. Time stamp, position, sensor log. Handwritten guard logs are not audit-compliant from 2026.
- Emergency plans with documented exercise duty. At least one full exercise per year, partial exercises quarterly.
- Crisis management structure with named responsibilities. Deputy arrangement mandatory, 24/7 availability mandatory.
- Supplier risk management. Security service providers, IT providers, maintenance firms become part of the risk perimeter.
- Staff training and awareness. Records required on content, participants, date.
- Documentation and retention duties. Ten years for security-relevant records.
- Cooperation with authorities. Duty to provide information, grant access to BBK inspectors.
- External audit every two years. Accredited audit body, report to BBK.
These twelve duties are not negotiable. Their implementation is. Operators documenting patrols in paper logs today have a substance problem on duty 5. Operators without a supplier register have no answer on duty 8. The cost comparison of implementation paths is laid out in detail at Guard service cost 2026 (TCO comparison).
BBK registration step by step
The BBK portal requires three data blocks. First, operator master data: company, address, commercial register number, authorised representative. Second, facility class: sector, subsector, facility category per KritisV annex. Third, threshold evidence: concrete supply ratio with calculation basis, reference date, source.
The form is signed by an authorised board member personally. Delegation to the security manager is not provided for. Operators with joint signature in the commercial register coordinate with the second authorised signatory.
After registration an acknowledgement arrives by qualified notice. With this begins the duty of ongoing updates: changes in facility class, thresholds or responsible persons must be reported within four weeks.
The deadline 17.07.2026 is hard. There is no extension. There is no legitimate expectation protection for operators who notice their thresholds only later. Operators discovering in August 2026 that they were critical already have an open fine procedure on the desk. Next step: Perimeter protection with autonomous patrol as physical evidence for duties 2 and 5.
Fine bracket and personal board liability
The fine bracket reaches up to 10 million euros or 2 percent of global group revenue, whichever is higher. The exact amount is graded by duty breach. Missed registration, failure to report significant incidents and systematic breach of state of the art lead to the upper bracket.
Personal liability of management follows from the NIS-2 Directive (EU) 2022/2555, Article 20 (governance duties of management bodies) and Article 32(6) (liability of the natural persons responsible for the entity), as transposed into German implementing law. Board members are liable with private assets for breaches they knew or should have known about. Details are worked out at NIS-2 board liability in detail.
A management ban is the ultima ratio. In repeat cases the supervisory authority can bar the responsible board member from management duties. The ban can last up to five years and applies to all companies in which the person holds a leadership role.
Criminal risks exist for wilful breach of the reporting duty. Operators concealing a reportable incident to avoid reputational damage risk criminal prosecution under the KRITIS-Dachgesetz and, where the company suffers loss as a result, additionally for breach of trust (Untreue, § 266 StGB).
Where robotics delivers the evidence
Duty 5 is the operational bottleneck. Audit-proof patrol evidence means: every patrol must be provable with time stamp, position and sensor capture. A handwritten guard log does not meet this. A guard log can be back-filled, smoothed, polished. An entry at 03:14 reading "patrol completed, no incidents" cannot prove the patrol actually took place.
Autonomous patrol closes this gap. The QR-2 security robot with thermal imaging logs every movement with GPS position, time stamp and sensor data. The log is tamper-resistant, exportable, BBK-compliant. Thermal imaging documents early warning in night and fog automatically, without a guard having to improvise visual control through heavy snowfall.
24/7 perimeter patrol without shift gaps also means: no more polished entries. In every audit we have accompanied we found patrol entries in the guard log that, according to the access system, could not have taken place. With robotics this discrepancy disappears.
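The two checks this section relies on, a patrol log that cannot be silently polished and a comparison of guard-logged patrols against the access system, as an added Python example. It is not code from this page, from the BBK or from the QR-2 product: the record layout, the field names, the SHA-256 hash chain and the sample night's patrol entries and badge events are all constructed for illustration.

```python
"""Tamper-evident patrol log: hash-chained records plus a cross-check against
access-control events. Added example; record layout, field names and all
sample data are assumptions, not a BBK format or the QR-2 robot's own log."""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # chain head before the first record


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so identical content always produces the same hash.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain: list, ts: str, lat: float, lon: float,
                 source: str, sensor: str) -> dict:
    """Append one patrol observation; its hash binds it to every record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"ts": ts, "lat": lat, "lon": lon, "source": source, "sensor": sensor}
    record = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> list:
    """Return a list of findings; an empty list means the chain is intact and monotone."""
    findings, prev, last_ts = [], GENESIS, None
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            findings.append(f"record {i}: previous-hash mismatch (deleted or reordered record)")
        if rec["hash"] != _digest(rec["prev"], rec["entry"]):
            findings.append(f"record {i}: content changed after it was chained")
        ts = datetime.fromisoformat(rec["entry"]["ts"])
        if last_ts is not None and ts <= last_ts:
            findings.append(f"record {i}: timestamp not increasing (back-filled entry?)")
        last_ts, prev = ts, rec["hash"]
    return findings


def on_site(access_log: list, badge: str, at: datetime) -> bool:
    """Was this badge inside the perimeter at time `at`, according to the access system?"""
    inside = False
    for ev in sorted(access_log, key=lambda e: e["ts"]):
        if datetime.fromisoformat(ev["ts"]) > at:
            break
        if ev["badge"] == badge:
            inside = ev["event"] == "entry"
    return inside


def cross_check(chain: list, access_log: list) -> list:
    """Indices of guard-logged patrols whose guard was not on site at the logged time."""
    suspect = []
    for i, rec in enumerate(chain):
        src = rec["entry"]["source"]
        if src.startswith("guard:"):
            badge = src.split(":", 1)[1]
            if not on_site(access_log, badge, datetime.fromisoformat(rec["entry"]["ts"])):
                suspect.append(i)
    return suspect


def demo() -> dict:
    """Constructed sample night: three robot passes, one guard entry, one later edit."""
    chain = []
    append_entry(chain, "2026-03-02T01:00:00", 47.3769, 8.5417, "robot:QR-2", "thermal:no-anomaly")
    append_entry(chain, "2026-03-02T02:00:00", 47.3771, 8.5420, "robot:QR-2", "thermal:no-anomaly")
    append_entry(chain, "2026-03-02T03:14:00", 47.3770, 8.5418, "guard:B-1234", "visual:no-incident")
    append_entry(chain, "2026-03-02T04:00:00", 47.3769, 8.5417, "robot:QR-2", "thermal:heat-source-fence-n")
    # Constructed access-control events: badge B-1234 left at 02:30 and was not back by 03:14.
    access = [
        {"ts": "2026-03-02T00:55:00", "badge": "B-1234", "event": "entry"},
        {"ts": "2026-03-02T02:30:00", "badge": "B-1234", "event": "exit"},
        {"ts": "2026-03-02T05:40:00", "badge": "B-1234", "event": "entry"},
    ]
    clean = verify_chain(chain)          # [] : chain intact as written
    ghost = cross_check(chain, access)   # [2]: the 03:14 guard entry could not have happened
    # "Polish" the guard entry after the fact: the chain notices.
    chain[2]["entry"]["sensor"] = "visual:full-round-completed"
    tampered = verify_chain(chain)       # one finding on record 2
    return {"clean": clean, "ghost_patrols": ghost, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash chain only proves that the log is consistent with itself. Whoever can write to the log store can regenerate the whole chain, so the current head hash has to be exported daily to a place the patrol system cannot rewrite (the compliance archive, WORM storage, or a signature with a key the logging device does not hold); only that anchored head turns the chain into audit evidence. The access-system cross-check is the same discrepancy test described in the paragraph above, run mechanically instead of by an auditor reading two logs side by side.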
What robotics does not replace deserves honest naming: physical intervention, person checks at the gate, key handover, escalation against unauthorised persons. These shares stay human and must be covered by qualified guards under §34a GewO. The Robotics-as-a-Service model combines both layers: robots for routine and evidence, humans for intervention and decision.
Operational checklist for the next 14 weeks
The plan assumes that management approves in week 1 and releases budget within the frame set by the protection concept.
Week 1 to 2: complete sector and threshold review internally. Map facilities, calculate supply ratio, reconcile with KritisV annex. Result: written finding whether the company is critical, with which facilities, in which facility class.
Week 3 to 6: align protection concept draft against state of the art. Document existing measures, mirror against BBK requirements, name gaps. The draft should be in a version readable by an external auditor by end of week 6.
Week 7 to 10: gap analysis and investment decision. Each gap with cost frame, implementation time, duty reference. Management decision at the end of week 10. Without this decision the schedule misses the deadline.
Week 11 to 13: implementation of identified gaps. Install physical components, commission robotics, activate audit log. Schedule training, set date for emergency exercise.
Week 14: submit BBK registration and archive confirmation. Master data, facility class, threshold evidence. File acknowledgement in the compliance archive. Registration is then complete. The twelve operational duties listed above run continuously from the day of registration.
The tight schedule works only if management decides in week 1 who leads internally and which external partner delivers. For Swiss and southern German operators, Marcus Köhnlein, Sales Lead Switzerland, coordinates the technical pre-check in the first 14 days.
Operators who start today hold the deadline. Operators who start in June 2026 do not. A structured initial discussion on threshold review and protection concept draft can be arranged at /de/contact. Bring the facility list. We deliver the gap analysis.