KRITIS Logistics Center: 2026 Duties and Protection

A logistics center of 100,000 m² or more is not a warehouse. It is a supply node. Once throughput crosses the thresholds of the KritisV, the same duties apply as for a substation or a hospital. This text is written for plant managers and security managers who need to know what evidence the BBK will check in 2026 and what a protection concept looks like that passes an external auditor.

KRITIS Logistics Center: When a Site Falls Under the Umbrella Act

The KRITIS Umbrella Act (KRITIS-Dachgesetz) addresses facilities whose failure endangers the supply of the population. Two triggers apply to logistics. First: throughput above 17 million tonnes per year. Second: function as a critical component in supply chains for food, health or energy. A central warehouse that carries pharmacy supply for a region falls under the act below 17 million tonnes as well. What counts is the role in the chain, not tonnage alone. The legal basis is the draft in Bundestag-Drucksache 20/9262.

For the KRITIS transport sector, the BSI-Kritisverordnung specifies the asset categories. Freight transport centers with supra-regional relevance are included, as are nodes handling more than 50,000 consignments per day. Cross-docking hubs in the CEP industry regularly exceed this threshold.

Any KRITIS operator falls under NIS-2 in parallel. That creates two regulatory regimes at a single site: physical security under the KRITIS-Dachgesetz, cybersecurity under NIS-2. Both require risk management, reporting paths and personal accountability of the management. The NIS-2 Directive sets this out in Articles 20 and 21.

The registration duty with the BBK takes effect within three months of entry into force or threshold crossing. Failure to register risks fines of up to 10 million euros or 2 percent of group turnover under the current draft Bundestag-Drucksache 20/9262. The next step is a clean threshold review: KRITIS sectors overview.

Threat Landscape 2026: What Logistics Centers Actually Face

Logistics centers carry a specific attack surface. Loading docks are open gates with defined time windows. Cross-docking areas move goods without interim storage, so any disruption hits dispatch immediately. Cold chains respond to power outages within hours with total loss.

Cargo theft causes documented damage of 1.3 billion euros per year in Germany according to BDSW industry data. Sabotage of refrigeration plants or of sorter technology at a cross-docking center cascades: an eight-hour outage at a central pharma hub hits 1,200 pharmacies the next day. [Quelle einfügen]

Drone overflights for reconnaissance became routine in 2025. Observed are loading times, truck routes, shift changes and the position of the patrol round. A drone above 200 meters cannot be detected optically. RF detection is mandatory.

Insiders with site badges account for 38 percent of all recorded incidents according to a BDSW survey. At subcontractor carriers and temporary workers in the pick area the share is higher. Hybrid attacks combine physical entry with IT manipulation at the warehouse management system. A forged delivery note and a manipulated gate code are enough for a real truck to leave the site with unauthorized goods.

Protection Concept Duty Under the KRITIS-Dachgesetz: Minimum Content

The Umbrella Act demands an all-hazards approach. Natural events, sabotage, terrorism, insiders and cyber-physical attacks must be documented. A protection concept that only addresses theft does not pass the audit.

The perimeter must be divided into three zones. Zone 1: outer fence with early warning. Zone 2: yard with loading docks, trailer park, fueling. Zone 3: high-security area with control room, server room and WMS terminal. Each zone needs its own detection, its own verification, its own escalation.

The detection-to-verification time must stay under 90 seconds and be evidenced by measurement. This is not an SLA promise, it is audit material. The auditor requires logs from the VMS and the control center system.

Redundancy means no single point of failure. Power loss, radio interference, staff absence: every scenario needs a documented fallback. UPS for detection systems, alternate radio channels, on-call duty with two independent persons.

Reporting paths to the BBK are binding. Significant disruptions must be reported within 24 hours, a full report follows within 72 hours. The protection concept is to be reviewed every two years by an independent auditor. An internal review is not sufficient.

Perimeter Protection With Patrol Robots: Architecture for 100,000+ m²

A 100,000 m² site typically has 1,400 to 1,800 meters of fence line. A human patrol needs 35 to 45 minutes for one round. During that time 95 percent of the perimeter is unobserved. Patrol robots change this math.

The QR-2 outdoor perimeter covers the outer fence. Thermal imaging detects persons in fog and darkness up to 80 meters. The robot operates 24/7 outdoors. Two units cover a 1,500-meter line with detection-to-verification under 60 seconds.

The QR-3 with drone detection secures gate and dock areas. LiDAR detects persons, vehicles and unauthorized approach to loading docks. RF signature detection identifies drones in airspace up to 1.2 km range. At a cross-docking hub with 40 doors, one QR-3 per dock side is the standard layout.

The QR-1 covers indoor areas: warehouses, office blocks, cross-docking zones. RGB camera plus audio anomaly detection registers glass breakage, shouts, unusual machine sounds. A sorter machine runs at 78 dB. The system is calibrated to this baseline.

Handover points between zones need a defined latency under 5 seconds for data forwarding to the control center. Integration with existing access control and VMS runs via ONVIF Profile S and T. A proprietary island solution will be flagged by the auditor.

TCO Comparison: 24/7 Guard Post Versus Robot Patrol

A classic 24/7 guard post costs 15,000 to 25,000 euros per month. This includes social contributions under the Manteltarifvertrag, holiday cover and shift premiums for night, Sunday and holiday duty. Add §34a certification and Sachkundeprüfung. The lower bound applies to rural sites with low wage levels, the upper to metropolitan areas.

A QR-2 in the Robotics-as-a-Service model costs 3,500 euros per month. No CapEx, 48-hour delivery, minimum term 24 months. Maintenance, software updates and hardware replacement are included.

The hybrid model is the operational recommendation. One guard at the gatehouse plus three robots on patrol replaces six to eight posts at comparable coverage. The gatehouse post stays because truck check-in, ID verification and escalation require human decision.

The staffing gap in the guarding industry is structural. The BDSW reports 22 percent vacant positions, rising. Additional robots are deployable within 48 hours. Hiring with §34a training takes 8 to 14 weeks. Anyone submitting the protection concept in February 2026 and starting pilot operations in April has less than two quarters for recruitment.

Detailed calculation in the TCO comparison guard service cost.

14-Week Plan: From Registration to Audit

Weeks 1 to 2: prepare and submit BBK registration. Document the threshold review. Designate the KRITIS officer with deputy in writing. The designation is a board decision, not an HR task.

Weeks 3 to 5: risk analysis on an all-hazards basis. Draw the zone concept, produce a gap analysis against existing measures. The output is a list of prioritized measures and investment amounts.

Weeks 6 to 8: pilot operation with two QR-2 and one QR-3. Measure detection-to-verification, connect data to the control center, test interfaces to WMS and access system. The pilot phase produces the logs the auditor wants to see.

Weeks 9 to 11: rollout to full coverage. Train site security, distribute the escalation matrix, run an exercise with a documented reporting chain. One exercise per quarter is the minimum.

Weeks 12 to 14: audit preparation. Document the protection concept, commission an external pre-audit, file with the BBK. Slippage here loses the next audit window and with it a year.

A day-by-day chronology for the first two weeks is in the Dachgesetz checklist with 14-week plan. The operational guide for first registration is in BBK registration step by step.

Personal Liability of the Board and Plant Manager

Personal liability of management bodies is no theoretical concept in 2026. NIS-2 Article 20 and the KRITIS-Dachgesetz draft address management directly. In case of breach of duty of care, the individual is liable, not only the company.

The documented board decision on the security architecture is a mandatory record. A minute with resolution on protection concept, budget and accountability belongs in the files. Verbal approval in the board meeting is not sufficient.

D&O insurance regularly does not cover gross negligence where a protection concept is missing. The policy must be reviewed in detail before the board relies on coverage. An insurance broker with KRITIS experience belongs in the preparation.

The security manager needs a written mandate with budget responsibility. Without that mandate, evidence of a functioning organizational structure is missing. The auditor will ask for the org chart, the job description and the budget line.

Failure to report to the BBK within 24 hours is a separate fine offense. Anyone who notices an incident on Friday evening and reports on Monday morning has met the offense, irrespective of the incident itself. The reporting chain must work 24/7.

Next Step

A plant manager who has not submitted a protection concept by early 2026 is working against the clock. The question is not whether the BBK will check, but when. A 14-week plan is ambitious but achievable if pilot operation and audit documentation run in parallel.

For an assessment of your own site with zone concept, deployment plan and TCO calculation, book a technical first call via Quarero Robotics contact form. Bring the site plan, fence length, tonnage and the sector classification of your main customers.