KRITIS Airports: Perimeter and Counter-Drone 2026

Airport operators face two parallel rule sets in 2026: NIS-2 for cybersecurity and the KRITIS Umbrella Act (KRITIS-Dachgesetz) for physical resilience. Both land on the same security lead, both demand documented protection concepts. This text describes operational implementation at the perimeter: from threshold assessment to BBK acceptance.

KRITIS Airport: What the Thresholds Mean for Transport Operators

Traffic airports above 20 million passengers per year fall under the transport sector in the KRITIS framework (BSI-KritisV, Annex 1, air traffic category). Thresholds for traffic airports are set in the BSI Kritis ordinance, §7 governs air traffic. Mid-sized airports with 8 to 20 million passengers fall under thresholds based on cargo volume and slot numbers.

The KRITIS-Dachgesetz extends the duties to physical resilience, not only IT security. Bundestag-Drucksache 20/9262 defines in §5 and §11 the requirements for the transport sector and explicitly names sabotage protection, access control and an all-hazards approach. Operators must submit a protection concept that treats perimeter, airside and landside separately.

The registration obligation with the BBK applies from the moment of identification as a critical facility. Missing the deadline risks fines up to 10 million EUR or 2 percent of global annual turnover, whichever is higher (KRITIS-Dachgesetz-E §42, BT-Drs. 20/9262). Supervision reviews not only formal notification but effectiveness of measures.

Next step: reconcile your own protection concept with the KRITIS-Dachgesetz requirements for transport operators.

Airport Perimeter Architecture: Three Zones, Three Sensor Logics

An airport has no single perimeter. Three zones demand three sensor logics.

Outer fence. Thermal detection and approach recognition must work in every visibility condition: fog, rain, snow, backlight. Fixed cameras deliver continuous line surveillance, mobile platforms verify alarms on site. Climbing, undermining and cutting must be detected separately.

Apron and airside. Runway incursions are the most expensive security incidents. Persistent patrol reduces the probability that people or vehicles reach taxiway areas unnoticed. Classic CCTV solutions fail at distance and with moving objects in the field of view.

Cargo areas. Here access control combines with verification outside the camera field of view. Containers, trucks and loading bridges create blind spots. Mobile sensors close these gaps.

The hybrid architecture works: fixed cameras cover lines, robots close blind spots and verify. The decisive factor is latency from alarm to verification. Over 90 seconds means: the intruder is gone before the patrol arrives. Under 90 seconds keeps operational response possible.

Next step: sensor mapping per zone, documented in the Dachgesetz checklist 2026.

Counter-Drone as a Mandatory Element under KRITIS-Dachgesetz

Drones are the most frequent cause of runway closures in Europe. The KRITIS-Dachgesetz names drone detection implicitly through the all-hazards approach, the LuftSiG complements the requirements.

QR-3 with drone detection captures objects via LiDAR and RF sensors within a 400 metre radius (QR-3 technical data sheet, Rev. 2025-Q4). Detection is the operator's duty. Active countermeasures, meaning jammers or kinetic defence, remain a sovereign task of the Bundespolizei. This separation is legally binding. A private operator who actively jams violates telecommunications law and aviation law.

Geocoordinates of the detected drone are handed to the control room in under 5 seconds (QR-3 technical data sheet, Rev. 2025-Q4). Integration with the existing situation centre runs via standard API, no replacement of control room software needed. Incidents are logged BSI-compliant. The 24-hour reporting obligation applies also to attempted drone overflights, not only successful intrusions (LuftSiG §16b in conjunction with KRITIS-Dachgesetz-E §11).

Important for documentation to the BBK: the escalation matrix must explicitly name the handover to Bundespolizei. Otherwise the impression arises that the operator is overstepping its powers.

Next step: align drone detection radius with approach corridors and mark blind sectors.

TCO Comparison: Static Guard Post versus Autonomous Patrol

A 24/7 staffed guard post at an airport costs between 15,000 and 25,000 EUR per month (Bundesverband der Sicherheitswirtschaft BDSW, wage cost survey 2024). The range reflects collective bargaining, night and holiday allowances and qualification level under §34a GewO or extended Sachkundeprüfung aviation security.

QR-3 with drone detection costs 3,800 EUR per month in the RaaS model without CapEx (Quarero Robotics price sheet 2026, on request). Three guard posts at the outer fence can be replaced by two QR-3 plus one central control room function. Personnel shift to the verification and escalation role. They are needed there anyway under LuftSiG.

The ROI threshold is reached at mid-sized airports within 7 months (internal TCO calculation Quarero Robotics, basis: three guard posts at 18,000 EUR/month). Delivery in 48 hours, minimum contract term 24 months, training effort for operators below 4 hours.

The trade-off honestly stated: robots replace patrols at the fence and in cargo lanes. They do not replace the inspector at passenger checkpoints, not the federal police officer, not the shift supervisor. Anyone selling full automation is selling a legal problem.

Next step: detailed guard service cost comparison for your own site size.

Protection Concept for KRITIS Airport: What Supervision Reviews

The BBK reviews effectiveness, not just presence of protective measures. A protection concept that lists sensors but does not document response times will fail.

The all-hazards approach demands consideration of sabotage, drone overflight, natural event and hybrid threat. Hybrid here means: coordinated attack with a drone as distraction and ground penetration at the opposite fence section. Such scenarios must be covered in exercises.

Sensor-level redundancy is mandatory: at least two independent detection paths per zone. A camera failure must not create a protection gap. Thermal camera plus LiDAR on a mobile platform meets this requirement, dual CCTV with the same power supply does not.

Exercises at least annually, documented with response times and lessons learned. Supervision asks for concrete timestamps: alarm at 14:32:17, verification at 14:33:09, escalation at 14:33:45. Without timestamps no exercise has been documented.

The person responsible toward authorities is named, deputisation is regulated and equally documented. In an incident, availability within 60 minutes must be ensured.

Next step: test the protection concept against the BBK registration step by step.

Data Protection and Co-Determination for Robot Deployment Airside

Security robots capture image data. This triggers GDPR duties, even when deployment takes place airside and thus outside publicly accessible areas.

Person recognition is anonymised. No biometric identification, no facial matching, no linking with personnel files. The robot detects human, vehicle, drone as object classes, not as identities.

A GDPR impact assessment is mandatory before commissioning, documented under Art. 35 GDPR. The data protection officer signs off, at larger airports coordination with the competent supervisory authority of the federal state is recommended.

The works council is to be involved as soon as robots patrol in employee areas, not only airside in staff corridors but also in break areas or on apron paths used by ground personnel. §87 BetrVG applies to technical monitoring devices.

Recording is limited to 72 hours (recommended practice under DSK guidance on video surveillance, status 2023). Longer storage only with a documented incident with file reference. Notice signs under BDSG §4 must be visibly placed at all patrol zones, multilingual at international airports.

The underlying standard for robots in human environments is EN ISO 13482. It governs safety requirements for autonomous service robots and is a prerequisite for CE marking.

Next step: schedule the GDPR impact assessment with works council and data protection officer, before pilot start.

Integration into Aviation Security Organisation and Bundespolizei

Robots complement human personnel. In escalation situations they do not replace it. This boundary must stand clearly in the protection concept. If missing, liability questions arise.

The interface to the Bundespolizei control room is coordinated under LuftSiG. Which events are forwarded automatically, which does the operator's control room pre-filter? For drone alarm: immediate handover, parallel to internal verification.

The escalation matrix follows four steps. Detection by sensor or robot. Verification by operator in the control room. Notification to internal shift management and depending on the situation to Bundespolizei. Handover of operational command on arrival of police forces. Each step is logged with timestamp.

Shift handovers are documented. Robot status, meaning battery level, maintenance messages, current patrol route, is part of the situation briefing. Leaving this to the operator without clear responsibility risks gaps at shift change.

Robot operation can be taught in 4 hours: emergency shutdown, manual control and standard queries at the control desk. More complex configuration stays with manufacturer support.

NIS-2 complements the KRITIS-Dachgesetz with cyber requirements for transport operators. The interfaces between robots and control room fall under Art. 21 NIS-2 as part of network and information systems. Encryption, access logging and patch management must be evidenced.

Next step: align the escalation matrix with Bundespolizei and have it signed.

Implementation: 14 Weeks from Audit to Operational Patrol

Implementation at a mid-sized airport follows a workable schedule, provided internal coordination starts on time.

Weeks 1 to 3. Hazard analysis under KRITIS-Dachgesetz, zoning of the perimeter into outer fence, airside, cargo, landside. Sensor mapping per zone, including lighting conditions, radio shadows and existing infrastructure.

Weeks 4 to 6. Protection concept written up, internally aligned with management, data protection, works council. External coordination with Bundespolizei and BBK. First feedback incorporated.

Weeks 7 to 10. Pilot with two QR-3 in the cargo area. This zone is suitable: manageable, clear access rules, lower GDPR sensitivity than passenger areas. Data collection on false positives, detection range, latencies.

Weeks 11 to 12. Extension to the outer fence. Control room connection via API, test of handover to the Bundespolizei interface. Documentation of response times.

Weeks 13 to 14. Acceptance, final staff training, BBK registration completed. Handover into operations with defined KPIs: detection rate, false-positive rate, mean verification time.

What can go wrong. Delays in works council consultation typically cost 4 to 6 weeks (experience value from Quarero pilot projects 2024–2025). Early involvement prevents this. Radio shadows at hall walls require additional repeaters, best identified in week 3, not week 11.

Technical specification and pilot terms are available under QR-3 with drone detection.