KRITIS Port: Terminal Security under Umbrella Act 2026

Port terminals are under double regulatory pressure in 2026. The KRITIS-Dachgesetz (KRITIS Umbrella Act) requires physical resilience, NIS-2 requires cyber resilience, and ISPS-regulated seaports carry the additional Port Facility Security Plan. This article separates sea from inland port terminals, quantifies the duties in euros and weeks, and positions robotics as a supplementary component between fence, quay and control room.

KRITIS Port: Thresholds and Operator Duties 2026

The transport sector covers ports whose annual throughput exceeds the thresholds of the BSI-Kritisverordnung. The KritisV defines these thresholds for sea and inland ports based on cargo volume and passenger traffic. A container terminal with throughput above the threshold is a KRITIS facility, regardless of whether the operator is publicly or privately organised.

The KRITIS-Dachgesetz per Bundestag-Drucksache 20/9262 obliges operators to physical protection measures on top of the cyber duties from NIS-2. The NIS-2 Directive 2022/2555 regulates cyber and supply-chain resilience in parallel. Both regimes apply at the terminal simultaneously.

Operationally this means four duties. First: registration with the BBK as central reporting authority within the set deadline. Second: drafting a resilience plan with structural, technical and personnel measures. Third: reporting security incidents within 24 hours to BBK and the responsible state authority. Fourth: evidence in the 2-year audit. Inland port terminals are usually not covered by ISPS, but they are covered by KritisV and the Dachgesetz. Seaport terminals carry both.

Next step: 12-duty checklist Dachgesetz.

Threat Picture at the Terminal Perimeter

A mid-sized container terminal has fence lines of two to six kilometres. The waterside is open, rail connections break the perimeter, the road gate processes thousands of trucks per day. Classic camera chains cover static sight lines but leave quay edges and container stacking areas largely blind.

Drone overflights for reconnaissance of container slots and ISPS zones have been documented since 2023. In inland ports, theft from parked trailers, reefer containers and high-value freight is added. The per-incident loss in practice runs between 40,000 and 380,000 euros, higher for pharmaceutical freight.

Sabotage potential exists at power, refrigeration and IT infrastructure. A failure of reefer power supply over twelve hours destroys the cargo of several hundred refrigerated containers. The risk is not hypothetical but part of the threat analysis the Dachgesetz requires in the resilience plan.

Next step: Perimeter protection for industrial parks.

Threat Picture and Operational Gaps in Classic Guard Service

The BDSW industry data show structural understaffing in 24/7 site protection. Ports compete with logistics centres, industrial parks and municipal contracts for the same personnel with Sachkundeprüfung under §34a GewO. Wage increases from the Manteltarifvertrag tighten the situation.

In euros: a 24/7 post costs 15,000 to 25,000 euros per month in 2026, depending on region and qualification. Three posts at a mid-sized terminal tie up 540,000 to 900,000 euros per year. Foot patrols achieve two to three rounds per shift under real conditions, giving patrol intervals of two to four hours per fence section.

Stationary cameras cover only fixed sight lines. Adaptive tracking across multiple zones is not possible without PTZ control by an operator. At peak times the same operator monitors dozens of channels simultaneously. Incident documentation often runs handwritten or via free text fields. Both are only conditionally admissible in court.

Next step: TCO comparison guard service.

QR-3 in the Terminal: Sensors and Deployment Profile

The QR-3 with LiDAR and drone detection navigates container yards, quay installations and unpaved areas autonomously. The LiDAR-based SLAM map captures stack heights in real time and adjusts routes when containers are moved. This is decisive in terminal operations because the topology changes daily.

Drone detection runs through RF detection of common control protocols and acoustic signatures up to 400 metres. The thermal camera detects persons in fog, rain and darkness, that is, under the conditions in which intrusion attempts at the waterside actually occur.

Patrol routes run with randomised intervals. This prevents predictability. Fixed patrol schedules are a known attack point. The link to the control room runs over encrypted 4G/5G with live stream. Intervention by a human operator is possible at any time. The robot is a sensor and a mobile platform. It does not make decisions.

System limit: access control to ISPS zones remains human. Robotics supplements the perimeter and container areas but does not replace the PFSO or the post at the main gate.

TCO Comparison: 24/7 Guard Posts versus QR-3 Fleet

Three 24/7 guard posts at a mid-sized terminal cost 540,000 to 900,000 euros per year as derived above. Three QR-3 in Robotics-as-a-Service without CapEx come in at 136,800 euros per year. Delivery is within 48 hours, the contract term starts at 24 months.

The pure comparison is misleading because robotics does not replace the post at the gate. The realistic model is a hybrid: one human intervention post at the gate plus a QR-3 fleet for perimeter and container areas. This model reduces total cost in the cases we have supported by around 60 percent compared to the three-post model.

Insurance premiums drop with documented robotic patrols in several case examples. Insurers accept the time-stamped log as evidence of actual patrol frequency. Handwritten patrol books do not offer this advantage.

What works: hybrid model with one to two posts plus two to three QR-3. What does not work: pure robotics operation without a human intervention force, because ISPS duties and the §34a post at the gate must remain human.

Integration with ISPS and Port Regulations

For seaport terminals, coordination with the Port Facility Security Officer before pilot start is mandatory. Robotic routes are embedded in the Port Facility Security Plan. The responsible Wasserschutzpolizei and the Generaldirektion Wasserstraßen und Schifffahrt are informed.

Inland port terminals without ISPS obligation do not have this hurdle but must observe the respective port regulations and the KritisV provisions. Access control to ISPS zones remains human in both cases. Robotics moves by definition on the perimeter and in buffer zones, not in the restricted area of the ship.

Data protection compliance under GDPR runs through zone masking. Residential and office areas are stored in the map as no-record zones, the camera blanks these areas automatically. The interface to the PSIM system runs over open API (REST or MQTT). Incidents appear directly in the existing situation picture.

Next step: KRITIS sectors overview.

Pilot: 14 Weeks to Full Operation

The pilot phase follows a fixed scheme because the regulatory steps must run in parallel with the technical setup.

Week 1 to 2: on-site survey, radio measurement for 4G/5G coverage, mapping of patrol corridors with LiDAR. The result is the SLAM map and the radio coverage plan.

Week 3 to 4: coordination with the PFSO at seaports, BBK notification of the pilot project and data protection impact assessment under Art. 35 GDPR. Operations do not start without these documents.

Week 5 to 8: trial operation of one QR-3 on a defined section, typically a container slot with a clearly delimited perimeter. The aim is validation of routes, sensor coverage and control room connection.

Week 9 to 12: scaling to the full fleet, training of control room staff on the operator console, acceptance by internal security management.

Week 13 to 14: transfer to regular operation, court-admissible documentation of the pilot results, KPI review with patrol frequency, incident numbers and response times.

Next step: BBK registration step by step.

Evidence and Documentation toward BBK

Every patrol generates a time-stamped log with GPS track and sensor data. The log is stored immutably and secured against manipulation through hash chains. Actual patrol frequency is thereby objectively verifiable. Handwritten patrol books do not deliver this.

Incidents are classified automatically and escalated to the control room. The classification distinguishes between person in perimeter, drone in airspace, vehicle off route and technical anomaly. Each class has its own escalation profile aligned with the port regulations and the resilience plan.

Export formats cover the requirements of the audit bodies: BSI, BBK and the state supervisory authorities. Common formats are PDF with hash signature for the file, CSV for statistical analysis and JSON for API handover to the PSIM or an authority portal.

Retention periods under KritisV and port regulations are preset. Standard is three years for incident data and six months for routine patrol logs, deviating requirements of individual state authorities can be configured.

The resilience evidence in the 2-year audit under the Dachgesetz can be derived directly from the system. Auditors receive a data room with patrol frequency, incident history, response times and downtime. This replaces manual compilation. In many ports today this binds several weeks of preparation.

Concrete Entry Point

Anyone facing BBK registration in 2026 and drafting the resilience plan should not treat the physical component as secondary. KritisV, Dachgesetz and NIS-2 require verifiable patrols, documented incident classification and audit-ready data storage. Robotics delivers this evidence as a by-product of regular operation. Classic patrols deliver it only with substantial extra effort.

For a concrete TCO calculation at your own terminal, a site survey or alignment of the pilot scope with the PFSO: details on the platform, sensors and RaaS conditions are available at the QR-3 product page with LiDAR and drone detection or directly at the RaaS offer for port terminals.