KRITIS Energy: Duties for Utilities 2026
KRITIS energy 2026: thresholds, Umbrella Act, NIS-2, perimeter protection for substations, cost comparison of guard service versus robot patrol.
Energy utilities sit at the center of two regulatory waves in 2026. The KRITIS Umbrella Act (KRITIS-Dachgesetz) addresses physical resilience, NIS-2 covers cyber resilience, and the KritisV defines the thresholds. This text addresses security managers and asset owners at transmission and distribution system operators as well as generators. We name the duties, the threat landscape, the costs, and the implementation path with concrete numbers.
KRITIS energy: what utilities must protect in 2026
The energy sector under §2 KritisV covers six sub-sectors: electricity generation, transmission, distribution, gas, mineral oil, and district heating. Topologies are heterogeneous. A transmission system operator protects few high-voltage nodes with high criticality. A distribution system operator is responsible for hundreds of local substations with lower individual criticality but a large attack surface.
The KritisV sets the threshold for electricity supply at 3,700 GWh per year or 500,000 supplied persons. Gas, mineral oil, and district heating have their own thresholds, defined in Annex 1 of the ordinance. Whoever exceeds them falls under the operator duties of the BSI Act and, from 2026, additionally under the KRITIS-Dachgesetz.
The KRITIS-Dachgesetz extends duties to physical resilience. Until now the focus was cyber. Now utilities must integrate perimeter protection, access control, and physical detection into a resilience plan. Primary targets are substations, switchgear buildings, gas compressor stations, and converter stations for HVDC corridors.
Sabotage cases against fiber and power lines since 2022 have redefined the threat landscape. The attack on Deutsche Bahn data cables in October 2022 and the Nord Stream sabotage showed that linear infrastructure and unmanned sites are vulnerable. An overview of affected sectors is on our page KRITIS sectors at a glance.
Legal framework: Umbrella Act, NIS-2, and KritisV interlocking
Three frameworks interlock. The KRITIS-Dachgesetz governs physical protection and resilience. NIS-2 covers cybersecurity and supply-chain risks. The KritisV defines the thresholds at which a company qualifies as an operator.
The KRITIS-Dachgesetz defines physical resilience duties for energy utilities and incident reporting deadlines. Registration with the BBK as the responsible registration and supervisory authority for critical-infrastructure operators is required within three months of crossing the threshold. The resilience plan contains risk analysis, technical and organizational protective measures, and procedures for incident reporting within 24 hours.
The NIS-2 Directive obliges energy companies to implement risk management and incident reporting, with personal liability for the management board. Article 21 lists ten minimum measures, including the physical security of facilities. Article 23 governs the staggered reporting deadlines: early warning within 24 hours, incident notification within 72 hours, and a final report within one month.
Fines reach 10 million euros or 2 percent of global annual turnover. Management is personally liable for failures in protective measures and reporting duties. The duties are detailed in our overview of the requirements of the KRITIS-Dachgesetz.
Threat landscape 2026: sabotage, drones, insider attackers
Drone overflights of substations in the DACH region have been documented in BBK situation reports since 2023. Profiles range from hobbyists to targeted reconnaissance flights. A drone over 250 grams in an ED-R zone is subject to reporting, and the site operator must be able to respond.
Copper theft from grounding systems and busbars causes damages in the six-figure range per incident. The material value is secondary; the follow-up damages from outage and repair dominate. A distribution system operator reported a 2024 incident with 480,000 euros in damages at a material value below 8,000 euros.
Hybrid attacks combine physical sabotage with cyber components. An attacker manipulates the control system while physical detectors are triggered or disabled in parallel. Such scenarios have been logged in the Bundesnetzagentur situation reports since 2023.
Insider scenarios particularly affect decentralized sites without personnel presence. Maintenance firms, subcontractors, and former employees know keys, codes, and weak points. The response time of conventional guard services at unmanned sites runs between 20 and 45 minutes, depending on location and traffic. In that time a prepared attacker can dismantle a grounding system or manipulate control equipment.
Perimeter protection for substations and generation plants
Fence, video surveillance, and motion detectors are the minimum standard. They deliver only detection, no verification and no response. Whoever secures a substation with video surveillance alone has an audit problem: the response chain ends at the control room, not at the scene.
Thermal cameras detect persons at night, in fog, and through vegetation at 200 meters. They are robust against weather but static in perspective. Blind spots between transformers, switchgear, and buildings remain.
Autonomous patrols close the gap between static sensors and external guard response. A robot moves through the site, verifies alarms on the spot, and delivers imagery to the control room. Response time for detection and verification drops from the 20 to 45 minutes of a guard callout to under 90 seconds.
LiDAR detection locates drones below 30 meters altitude, where radar systems are blind. Conventional radar is designed for greater altitudes; small multicopters approaching a substation fly below it. LiDAR fills that gap.
A multi-layer concept of detection (sensors), verification (robotics), and escalation (control room plus police) reduces false alarms by roughly 80 percent compared with sensors alone. Reason: every alarm is confirmed by a second system before escalation.
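The confirm-before-escalate rule described above can be made concrete as control-room triage logic. The following is an added example, not Quarero's control-room software: the event schema, the 90-second verification window, the zone names, and the sample night's events are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Two-stage alarm handling: a perimeter sensor alarm is escalated to the
# control room only once a second, independent system (here the patrol
# robot's on-site verification) confirms it in the same zone within a
# fixed window. A "clear" verdict stands the alarm down; no verdict at all
# within the window is a timeout, which the control room handles by its
# fallback procedure instead of treating the raw sensor alarm as confirmed.

@dataclass(frozen=True)
class Event:
    ts: datetime   # time the event was raised
    source: str    # "fence", "pir", "thermal" (sensors) or "robot" (verifier)
    zone: str      # perimeter zone identifier (constructed labels)
    kind: str      # "alarm" for sensors; "confirmed" / "clear" for the verifier

VERIFY_WINDOW = timedelta(seconds=90)  # assumed time for the robot to reach and verify
VERIFIERS = {"robot"}                  # systems whose verdict counts as verification


def triage(events, window=VERIFY_WINDOW):
    """Sort sensor alarms into escalate / stand_down / timeout buckets.

    For each alarm, the earliest verifier report in the same zone within
    `window` after the alarm decides the outcome.
    """
    events = sorted(events, key=lambda e: e.ts)
    reports = [e for e in events if e.source in VERIFIERS]
    out = {"escalate": [], "stand_down": [], "timeout": []}
    for alarm in (e for e in events if e.source not in VERIFIERS and e.kind == "alarm"):
        verdict = next((r.kind for r in reports
                        if r.zone == alarm.zone and alarm.ts <= r.ts <= alarm.ts + window),
                       None)
        if verdict == "confirmed":
            out["escalate"].append(alarm)
        elif verdict == "clear":
            out["stand_down"].append(alarm)
        else:
            out["timeout"].append(alarm)
    return out


# Constructed sample night at a substation; not recorded data.
SAMPLE_EVENTS = [
    Event(datetime(2026, 3, 2, 2, 10, 0), "fence", "N2", "alarm"),
    Event(datetime(2026, 3, 2, 2, 11, 5), "robot", "N2", "confirmed"),  # person at fence, 65 s later
    Event(datetime(2026, 3, 2, 2, 40, 0), "pir", "E1", "alarm"),
    Event(datetime(2026, 3, 2, 2, 41, 10), "robot", "E1", "clear"),     # animal, no escalation
    Event(datetime(2026, 3, 2, 3, 15, 0), "thermal", "S3", "alarm"),
    Event(datetime(2026, 3, 2, 3, 17, 0), "robot", "S3", "confirmed"),  # 120 s: outside window, timeout
    Event(datetime(2026, 3, 2, 3, 50, 0), "fence", "W4", "alarm"),      # never verified, timeout
]


def triage_sample():
    """Run the sample night and return the zone names per bucket."""
    result = triage(SAMPLE_EVENTS)
    return {bucket: [e.zone for e in alarms] for bucket, alarms in result.items()}


if __name__ == "__main__":
    print(triage_sample())
```

Of the four sensor alarms in the sample, only one is escalated; the two timeouts are the cases the fallback procedure (camera check or guard dispatch) must still cover, which is why the window has to match the robot's real transit time on the site.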
Robotics on the energy perimeter: QR-2 and QR-3 in deployment
The QR-2 patrols outdoors around the clock with thermal and person detection at substations. It handles unpaved tracks, gravel, and gradients up to 20 percent. An operating temperature from minus 10 to plus 45 degrees Celsius covers the DACH region. Details on the product page QR-2 for 24/7 outdoor patrol.
The QR-3 is built for high-security sites and generation plants. It combines LiDAR with drone detection and higher terrain capability. Converter stations, nuclear power plant grounds, and HVDC endpoints are its typical deployment locations. Specification on the page QR-3 with LiDAR and drone detection.
Patrol routes are configurable per shift, with randomized time windows against pattern recognition. An insider attacker who knows the fixed round time of a guard service has no reliable attack corridor under a randomized route.
A direct connection runs to the control room and the utility SOC via an encrypted mobile channel with redundant backup. Alarms reach the dispatcher in under two seconds, including imagery.
The robotics platform documents every patrol in court-admissible form, as the resilience plan requires. Timestamp, GPS position, sensor data, and imagery are stored tamper-proof. In the audit, this is the form of evidence the supervisory authority wants to see.
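The tamper-proof patrol record described here, and the gapless audit trail invoked under management liability further down, rest on one technique: every record is bound to its predecessor so that any later edit, deletion or reordering is detectable. The following hash-chained log is an added example and not Quarero's storage format; the record fields, GPS fixes, timestamps and image hashes are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Tamper-evident patrol log as a SHA-256 hash chain. Each record stores the
# hash of its predecessor, and its own hash covers all fields including
# that link. Altering, removing or reordering any record changes every
# later hash and therefore the chain head that the control room anchored.

GENESIS = "0" * 64  # link value of the first record


@dataclass
class PatrolRecord:
    ts: str              # ISO-8601 UTC timestamp of the waypoint
    lat: float           # GPS fix (constructed values)
    lon: float
    sensor: dict         # e.g. thermal detection result at this waypoint
    image_sha256: str    # hash of the frame kept in the image archive
    prev_hash: str = GENESIS
    hash: str = ""


def _digest(rec: PatrolRecord) -> str:
    """Canonical JSON of every field except `hash`, then SHA-256."""
    body = {k: v for k, v in asdict(rec).items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append_record(log: list, ts, lat, lon, sensor, image_sha256) -> PatrolRecord:
    """Append a record linked to the current chain head."""
    prev = log[-1].hash if log else GENESIS
    rec = PatrolRecord(ts, lat, lon, sensor, image_sha256, prev_hash=prev)
    rec.hash = _digest(rec)
    log.append(rec)
    return rec


def verify(log: list, anchored_head: str) -> tuple[bool, str]:
    """Re-walk the chain and compare its head with the anchored value.

    The anchored head must live outside the robot's own storage (e.g. the
    control room receives it with each patrol); without that, whoever can
    rewrite the log can also recompute the whole chain.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.prev_hash != prev:
            return False, f"record {i}: chain link broken"
        if _digest(rec) != rec.hash:
            return False, f"record {i}: content altered"
        prev = rec.hash
    if prev != anchored_head:
        return False, "chain head differs from anchored head"
    return True, "ok"


def build_sample_log():
    """Constructed patrol with three waypoints; returns (log, anchored head)."""
    log = []
    append_record(log, "2026-03-02T01:00:12Z", 52.5201, 13.4050, {"thermal": "none"}, "a1" * 32)
    append_record(log, "2026-03-02T01:06:48Z", 52.5204, 13.4062,
                  {"thermal": "person", "range_m": 140}, "b2" * 32)
    append_record(log, "2026-03-02T01:13:30Z", 52.5198, 13.4071, {"thermal": "none"}, "c3" * 32)
    return log, log[-1].hash


def tampered_position():
    """Alter the GPS fix of the second record after the fact."""
    log, head = build_sample_log()
    log[1].lat = 52.5300
    return verify(log, head)


def deleted_record():
    """Drop the record carrying the person detection."""
    log, head = build_sample_log()
    del log[1]
    return verify(log, head)


if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify(log, head), tampered_position(), deleted_record())
```

The chain makes manipulation detectable, not impossible: the evidentiary value comes from the head hash being held by a party that cannot rewrite the robot's log, which is what the control-room link and the stored imagery provide in this architecture.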
Cost frame: guard service versus robot patrol
A 24/7 guard post costs 15,000 to 25,000 euros per month for full three-shift coverage. The range reflects tariff region, qualification (§34a, plant protection), and night and weekend premiums. The security industry reports personnel shortages and rising wage costs in 24/7 site protection, and the trend continues upward.
QR-2 as Robotics-as-a-Service costs 3,500 euros per month, no CapEx, with a 24-month minimum term. Maintenance, software updates, and replacement unit on defect are included. More on the model on the page Robotics-as-a-Service model.
Across 12 decentralized sites this yields a difference of more than 1.5 million euros per year between full guard service and pure robot patrol. The full cost comparison is in our TCO comparison guard service.
Delivery occurs 48 hours after contract signing, commissioning by Quarero technicians. Site mapping, route definition, and control room integration run within five working days.
Hybrid models combine reduced guard presence with autonomous patrol: one guard post at the main site, robots at the unmanned outlying sites. In practice this is the most economical model for distribution system operators with a distributed topology.
What robots do not deliver: physical interventions with use of force, legal identity verification, social de-escalation at demonstrations. For those tasks human personnel remain necessary. Robots are a detection and verification instrument, not a replacement for every guard task.
Implementation: 14-week plan for energy utilities
Weeks 1 to 2: site inventory. All facilities are classified by criticality, and the KritisV thresholds are checked against the operator's own portfolio. Generation, transmission, distribution, and gas are recorded separately.
Weeks 3 to 6: risk analysis per site. The sensor-gap analysis records existing detection, missing detection, and response times. The resilience plan is drafted in parallel, coordinated with internal audit and legal.
Weeks 7 to 10: pilot operation. A QR-2 or QR-3 is deployed at a representative substation, including control room integration. Goal: measurement data on detection rates, false alarm rate, and actual response time.
Weeks 11 to 12: rollout planning. Contract staggering across sites, training of security personnel on operating and escalation procedures, adjustment of internal work instructions.
Weeks 13 to 14: BBK registration, submission of the resilience plan, sign-off by internal audit. The 12-duties checklist KRITIS-Dachgesetz structures the final review before submission.
The plan works for utilities with a clear asset list. With heavily fragmented portfolios, e.g. after mergers, phase 1 extends by two to four weeks. Whoever onboards more than 50 sites in parallel should also plan for an external project lead.
Management liability and documentation duties
Management must document protective measures verifiably, not merely resolve on them. A supervisory board resolution without operational implementation is no defense in the event of damage.
Patrol logs, alarm chains, and response times belong in the annual resilience report. The supervisory authority checks the proof of effectiveness, not the concept. In the audit, a patrol without a log counts as a patrol not carried out.
Insurers increasingly require proof of automated detection for KRITIS policies. Whoever documents only manual guard rounds pays higher premiums or loses full coverage at renewal. Several D&O insurers introduced clauses in 2024 that tie management liability to documented technical protective measures.
In the event of an incident without documented protective measures, personal liability under §43 GmbHG applies. The managing director of a GmbH is liable for damages from breach of duty of care. The concretization in the KRITIS context is set out in our article NIS-2 and management liability.
Robotics delivers gapless audit trails that manual guard services structurally cannot match. Every patrol round is documented with timestamp, GPS track, sensor data, and imagery. This is not only compliance but also evidence in damage settlement and criminal prosecution.
The next concrete step for security managers and asset owners: check the thresholds of their own facilities against the KritisV and reconcile the duties per sector. The KRITIS sectors at a glance list thresholds, authority responsibilities, and deadlines per sub-sector of the energy area.