KRITIS · Umbrella Act · NIS-2

KRITIS Pharma: Plant Security for API Production

KRITIS Pharma in operation: thresholds, perimeter protection, robotics and a 14-week implementation plan for API plants and HPAPI sites.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

Pharma plants with active ingredient production have been part of the KRITIS health sector for years. The KRITIS Umbrella Act (KRITIS-Dachgesetz) adds a second layer of obligations: physical resilience. Any operator exceeding 4.65 million packages of prescription medicines per year, or producing supply-relevant quantities of active ingredients, must demonstrate by 2026 that perimeter, access and detection meet the state of the art. This article describes the requirements profile, the cost structure and a 14-week implementation plan.

KRITIS Pharma: Thresholds and Scope

The health sector under KritisV §7 covers manufacturers of prescription medicines from 4.65 million packages per year. API manufacturers fall under Annex 5 of the regulation as soon as they produce supply-relevant quantities. Thresholds and calculation formulas are defined in the BSI-Kritisverordnung.

Until now, the IT security obligation under BSIG §8a dominated. With the KRITIS-Dachgesetz (Bundestag-Drucksache 20/9262), the physical resilience obligation is added. Pharma plants are now doubly regulated: digitally under NIS-2 Article 21 and BSIG, physically under the KRITIS-Dachgesetz.

Plants with high-potency active ingredients (HPAPI) carry double exposure. They bear both supply risk and substance risk. An intruder in the HPAPI area is not only a security incident but also a potential major-accident and environmental event under the StörfallV (Major Accidents Ordinance).

Groups with several production sites must register each KRITIS site individually with the BBK. A group-level report does not suffice. The BBK maintains the register and is the addressee for all reports.

For detailed sector classification: Health sector in the KRITIS framework.

Attack Vectors on Pharma Production Sites

Pharma plants attract five main vectors.

First: theft from finished goods warehouses. Oncology drugs, GLP-1 preparations and biologics achieve grey-market prices that draw organised crime. High-bay warehouses with unguarded external gates are the primary target.

Second: sabotage of cleanroom zones. A single contaminated entry into class C or D halts batches for several weeks, because GMP-compliant re-validation follows. Economic damage per day of standstill regularly reaches six figures.

Third: industrial espionage. Images of production equipment, process steps and supplier trucks are enough to give competitors clues about tonnage, active ingredient class and process.

Fourth: drone overflights. Ventilation systems, tank farms and logistics gates are scouted from 50 to 150 metres altitude. The reconnaissance prepares a later physical intrusion.

Fifth: insider risk through contractors. Maintenance windows and night-time CIP cycles bring external technicians into sensitive zones. Without continuous escort and audit trail, it remains unclear who was where and when.

What the KRITIS-Dachgesetz Specifically Requires

Four obligations stand out.

First: risk and vulnerability analysis every four years. It must be documented and demonstrable to the BBK.

Second: resilience plan with physical protection measures. It covers perimeter, access and detection. IT documentation alone does not suffice.

Third: reporting obligation for security-relevant incidents within 24 hours to the competent authority. This includes break-ins, sabotage attempts, drone incidents and insider violations.

Fourth: proof of technical and organisational measures that meet the state of the art. "State of the art" is not exhaustively defined in the law, but is specified by BBK guidance and standards such as EN ISO 13482, EN 50132 and VdS 2311.

For violations, the KRITIS-Dachgesetz provides fines up to 10 million euros or 2 percent of global annual turnover. The full list of obligations: Obligations under the KRITIS-Dachgesetz.

Pharma Perimeter Protection: Requirements Profile

The obligations translate into a clear technical requirements profile for pharma plants.

24/7 outer-skin surveillance with thermal person detection, independent of lighting conditions. Classic CCTV systems fail at dusk and in fog. Thermal imaging is independent of the visible spectrum.

Detection range of at least 80 metres for persons and 200 metres for vehicles. These values follow from typical fence-to-building distances in pharma plants and the required response time of the control centre.

Drone detection via LiDAR or RF sensors, integrated into the control centre. A separate anti-drone island without connection to the existing escalation chain is operationally worthless.

GMP-compliant documentation of all security-relevant events with time stamp and audit trail. The system must be tamper-proof and exportable.

No impairment of ATEX zones and cleanroom access by the security system. Radio-emitting sensors in EX zones are excluded; cleanroom entrances remain physically separate.

Redundant communication: LTE plus a wired return channel to the control centre. A single LTE outage must not lead to detection failure.

Pharma Plant Security with Robotics: QR-2 and QR-3 in Operation

Mobile robots fill the gap between static sensors and guard personnel. They patrol outdoor areas, tank farms and storage yards along defined routes.

QR-2 for 24/7 outdoor patrol handles the standard routes with thermal imaging and person detection. Monthly rate: 3,500 euros. Suitable for plants without R&D areas and without HPAPI production.

QR-3 with drone detection adds LiDAR and RF sensors. Suitable for sites with high-potency active ingredients, R&D areas or tank farms that could be scouted from the air.

Delivery in 48 hours. Commissioning without construction work. No intervention in GMP-validated zones, because the robots operate exclusively outdoors. Cleanroom entrances remain untouched, and class C and class D areas are not entered.

Documentation of every patrol run as an audit trail. Compatible with ISO 9001 and GMP Annex 11. Event logs are exportable and tamper-proof.

The operating model is Robotics-as-a-Service: no CapEx, monthly OpEx, 24-month minimum contract. Maintenance, software updates and hardware replacement are included in the rate.

TCO Comparison: Guard Personnel versus Robot Patrol

The cost calculation is the point at which most plant managers make their decision.

A 24/7 guard post in Germany costs, according to BDSW data, between 15,000 and 25,000 euros per month per position. The figure results from the framework collective agreement (Manteltarifvertrag), allowances, sick leave and supervision requirements.

A pharma plant with three guard posts (gate, outer round, inner round) reaches 45,000 to 75,000 euros per month. Detection depth remains limited, because a single guard alternates between walking duty and observation.

QR-2 does not replace the human; it replaces the walking duty. A dispatcher in the control centre steers several robots in parallel. The dispatcher's §34a competence examination (Sachkundeprüfung) remains necessary, because intervention decisions are still made by personnel.

Hybrid model: one guard at the gate plus two QR-2. Total cost 15,000 to 18,000 euros per month instead of 60,000 euros. Reduction between 40 and 55 percent. Amortisation against a pure personnel concept typically occurs in the fifth month.

The detailed calculation: Guard service cost comparison.

Trade-off: a pure personnel concept remains stronger for escalations that require physical intervention. A pure robot concept does not work, because the §34a competence examination (Sachkundeprüfung) and detention rights are tied to persons. Hybrid is the operational standard.

Integration into Existing GMP and Quality Systems

Pharma plants operate validated systems. Any security solution must fit into the existing quality regime, not alongside it.

Interface to control-centre systems via REST API and ONVIF. No proprietary island solutions. Existing VMS platforms (Milestone, Genetec, Qognify) remain master systems.

Event logs are exported in a 21-CFR-Part-11-compatible format. Time stamp, dispatcher user ID, action and robot ID are contained in every record.
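
One way to make an export with these four fields tamper-evident is an HMAC hash chain, shown here as an added example. It is not Quarero's export format or code; the field names, key handling and sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                       # anchor for the first record
DEMO_KEY = b"constructed-demo-key"       # assumption: real key lives in an HSM/KMS
FIELDS = ("timestamp", "dispatcher_id", "action", "robot_id")


def _mac(record, prev, key):
    # Canonical JSON so identical records always serialise to identical bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_event(log, key, timestamp, dispatcher_id, action, robot_id):
    """Append one record and bind it to its predecessor's MAC."""
    record = dict(zip(FIELDS, (timestamp, dispatcher_id, action, robot_id)))
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**record, "prev": prev, "mac": _mac(record, prev, key)})
    return log[-1]["mac"]                # head value to store outside the log


def verify_log(log, key, expected_head=None):
    """Return -1 if intact, else the index of the first inconsistent record."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {f: entry[f] for f in FIELDS}
        if entry["prev"] != prev:
            return i                     # record removed, inserted or reordered
        if not hmac.compare_digest(entry["mac"], _mac(record, prev, key)):
            return i                     # field edited after the fact
        prev = entry["mac"]
    # Cutting records off the end leaves a valid chain; only a head value
    # kept separately (e.g. in the QA system) reveals it.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1


def build_sample_log(key=DEMO_KEY):
    """Constructed sample events, not real patrol data."""
    log = []
    append_event(log, key, "2026-01-12T03:47:00Z", "disp-017", "patrol_start", "QR-2")
    append_event(log, key, "2026-01-12T04:45:00Z", "disp-017", "thermal_hit_benign", "QR-2")
    head = append_event(log, key, "2026-01-12T05:00:00Z", "disp-022", "shift_turnover", "QR-3")
    return log, head
```

An auditor who holds the key and the separately stored head value can run `verify_log` over an export and learn which record was edited, removed or cut off.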

Validation documentation IQ/OQ/PQ is provided by Quarero during onboarding. Installation Qualification, Operational Qualification and Performance Qualification are standard delivery scope.

No interference with cleanroom class C/D, since the robots operate exclusively outdoors. This boundary is hard-defined and technically enforced in the route configuration. Door thresholds to GMP areas are not crossed.
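
The hard boundary described above can be checked before a route is ever deployed. The following added example (not Quarero's route software; the coordinate system, zone polygons and routes are constructed assumptions) rejects any patrol leg that enters, crosses or touches an exclusion polygon.

```python
def orient(a, b, c):
    """Signed area: >0 if c is left of a->b, <0 if right, 0 if collinear."""
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def in_box(a, b, p):
    return (min(a[0], b[0]) <= p[0] <= max(a[0], b[0])
            and min(a[1], b[1]) <= p[1] <= max(a[1], b[1]))


def segments_intersect(p1, p2, q1, q2):
    d1, d2 = orient(q1, q2, p1), orient(q1, q2, p2)
    d3, d4 = orient(p1, p2, q1), orient(p1, p2, q2)
    if d1 * d2 < 0 and d3 * d4 < 0:
        return True                       # proper crossing
    # Touching or collinear overlap counts as a violation too.
    return ((d1 == 0 and in_box(q1, q2, p1)) or (d2 == 0 and in_box(q1, q2, p2))
            or (d3 == 0 and in_box(p1, p2, q1)) or (d4 == 0 and in_box(p1, p2, q2)))


def point_in_polygon(p, poly):
    """Ray casting: count polygon edges crossed by a ray going right from p."""
    inside = False
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % len(poly)]
        if (y1 > p[1]) != (y2 > p[1]):
            if p[0] < x1 + (p[1] - y1) * (x2 - x1) / (y2 - y1):
                inside = not inside
    return inside


def route_violations(route, zones):
    """Return (leg_index, zone_name) for every leg that touches a zone."""
    hits = []
    for i in range(len(route) - 1):
        a, b = route[i], route[i + 1]
        for name, poly in zones.items():
            edges = [(poly[j], poly[(j + 1) % len(poly)]) for j in range(len(poly))]
            if (point_in_polygon(a, poly) or point_in_polygon(b, poly)
                    or any(segments_intersect(a, b, q1, q2) for q1, q2 in edges)):
                hits.append((i, name))
    return hits


# Constructed site layout in local metres (not a real plant).
ZONES = {"ATEX tank farm": [(40, 10), (60, 10), (60, 30), (40, 30)],
         "cleanroom entrance": [(10, 40), (20, 40), (20, 50), (10, 50)]}
GOOD_ROUTE = [(0, 0), (30, 0), (30, 35), (70, 35), (70, 0)]
BAD_ROUTE = [(0, 0), (30, 0), (70, 20), (70, 35)]   # leg 1 cuts the tank farm
```

A deployed check would also widen each polygon by a margin for localisation error and robot footprint before testing the legs.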

EN ISO 13482 forms the basis for the safety assessment of mobile service robots. The standard defines requirements for speed, obstacle detection and emergency stop functions.

Implementation Plan for a Pharma Plant in 14 Weeks

The plan targets plant managers who must implement in parallel with ongoing production.

Weeks 1 to 2: risk analysis and mapping of all perimeter sections with the security manager. Identification of critical zones (tank farm, HPAPI building, finished goods warehouse, R&D). Delimitation of ATEX and cleanroom zones that must not be entered.

Weeks 3 to 4: definition of patrol routes. Exclusion of ATEX and cleanroom zones in route configuration. Setting frequency per route (typically 4 to 8 passes per shift). Coordination with the QA manager.

Weeks 5 to 6: delivery and setup of charging stations. Integration into the control centre via REST API. Test of LTE and wired communication. Initial calibration of detection thresholds.

Weeks 7 to 10: test operation with shift leaders. Adjustment of escalation chains to the existing plant security service instructions. Training of dispatchers. Preparation of IQ/OQ/PQ documentation.

Weeks 11 to 14: transition to regular operation. Documentation for the BBK report. Inclusion in the resilience plan under the KRITIS-Dachgesetz. First internal audit round.

Operational preparation on the compliance side runs in parallel. A structured template is provided by the KRITIS-Dachgesetz checklist.

Next Step

Pharma plants that want to fulfil their KRITIS obligation in 2026 without a construction phase and without doubling guard costs need three things: a solid risk analysis, a documented perimeter concept and an operating model that works without CapEx. Quarero supports pharma sites from risk analysis through to the BBK report. For a site assessment and a concrete offer: speak directly with the Quarero team.
