KRITIS · Umbrella Act · NIS-2

KRITIS Data Center: Physical Resilience 2026

KRITIS data center 2026: thresholds, KRITIS Umbrella Act duties, TCO of guard posts versus autonomous robotics, 48-hour pilot procedure.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

KRITIS Data Center: Physical Resilience and Security Concept 2026

Anyone operating a KRITIS data center has known the cyber duties under NIS-2 since the German transposition act. Physical resilience under the KRITIS-Dachgesetz (KRITIS Umbrella Act) is a separate set of duties. Both run in parallel, both are audited, both must work in a verifiable manner in 2026. This article separates the two regimes, shows the threat picture and compares classical guard posts against autonomous robotics in numbers.

KRITIS Data Center: Thresholds and Regulatory Status 2026

Classification as a critical installation in the IT and telecommunications sector follows clear quantity criteria. Annex 4 of the BSI-Kritisverordnung (KritisV) defines the thresholds for data centers in this sector: 3.5 million IP addresses in use, or 100,000 contract partners. Colocation providers fall under it as soon as they reach 5 MW of contractually committed IT load.

The KRITIS-Dachgesetz extends the existing NIS-2 cyber duties with requirements for the physical resilience of critical installations (Bundestag-Drucksache 20/9262). This point is regularly confused in the industry: NIS-2 addresses cyber resilience, authentication, patch management, incident reporting. The KRITIS-Dachgesetz addresses fence, door, detection, personnel, fire and drone. Both regimes exist in parallel and must be evidenced separately.

The double regulation is real. A hyperscale site falls under BSIG, KritisV, KRITIS-Dachgesetz and the NIS-2 transposition act. For the geo-redundant UPS, EnWG applies as well. The duty to register with BBK applies within three months after the KRITIS-Dachgesetz comes into force. The NIS-2 directive captures data center services as an essential entity with heightened due diligence (Directive EU 2022/2555).

Next step: check KRITIS requirements at a glance as a mapping against the site.

Physical Threats Against Data Centers: Situation Picture 2024 to 2026

The picture has shifted. In 2024, BBK reports documented twelve sabotage incidents on fiber routes outside the perimeter in DACH. [Source pending] The pattern: targeted cuts at manholes identifiable in OSM or planning documents. The data center fence was intact, the service failed anyway.

Drone overflights for reconnaissance purposes have tripled at the Frankfurt sites between 2022 and 2024. [Source pending] The devices are small, often under 250 grams, fly before sunrise and map roofs, cooling plants, transformer stations. In two cases the evaluation later turned up in sabotage forums.

Arson against backup diesel and transformer stations is the most effective attack vector against availability. An incendiary device under an outdoor tank costs the operator the SLA for the next 48 hours. The scenes are almost always outside the direct line of sight of the gate.

Insiders with access to whitespace and meet-me room are the underestimated category. Personnel screening under the Sicherheitsüberprüfungsgesetz applies only where secrecy clearance is required. Cleaning staff and subcontractor technicians are not covered. Tailgating at high-security mantraps remains the standard problem: industry studies show that guard staff per shift miss 4 to 7 percent of attempts. [Source pending] At 200 passages per day, that is eight to fourteen unnoticed followers.

Data Center Security Concept: Four Perimeters and the Role of Autonomous Robotics

A resilient data center security concept works with four graded perimeters. Autonomous robotics complements fixed sensors where permanent installation is too expensive or too rigid.

Perimeter 1 is the outer fence. QR-2 for 24/7 outdoor patrol delivers thermal detection and person classification at 80 meters in darkness. The patrol runs continuously. Static PTZ cameras leave the fence unobserved for up to 38 seconds between two sweeps. [Source pending]

Perimeter 2 is the outdoor area between fence and building. QR-3 with LiDAR and drone detection identifies drones under 250 grams on approach and classifies vehicles on the delivery road. LiDAR works more reliably in fog and backlight than pure image recognition.

Perimeter 3 is the building envelope. QR-1 with audio sensors detects glass breakage, door opening and unusual step patterns in stairwells. The audio threshold is calibrated to the typical data center sound profile, meaning ventilation in the range of 65 to 72 dB.

Perimeter 4 is whitespace and meet-me room. Indoor patrol matches RFID against visitor badges. Anyone entering a cage that is not assigned to them triggers an event before reaching the rack.

Handover to the SOC takes place as a signed event with video, timestamp and geocoordinate. This makes the chain of evidence usable in court. The robot fills blind spots without additional fixed installation. That is the actual value over stationary video analytics. When a site is rebuilt or extended, the patrol route shifts via configuration, not via civil works.

TCO Comparison: Guard Staff Versus Robot in the Data Center

The numbers decide. A 24/7 guard post at the data center perimeter costs 15,000 to 25,000 euros per month including overhead, holiday cover, sick leave and §34a GewO training. [Source pending] Three posts at a typical site with three access points yield 45,000 to 75,000 euros per month.

QR-2 covers a perimeter of 600 to 800 meters at 3,500 euros per month. [Source pending] A hybrid configuration with two QR-2, one QR-3 and a reduced guard post at the gate is around 18,000 euros per month. The saving against full guard staffing is 60 to 75 percent at higher detection density. [Source pending]

What the hybrid configuration does not replace: human escalation during physical intervention, handover to police, presence during supplier access. Anyone who reduces to zero guard staff loses these functions. Anyone who reduces to one post keeps them and still saves.

The Robotics-as-a-Service model avoids CapEx. For listed operators this is balance-sheet relevant: the items run as OpEx, the IFRS 16 capitalization threshold is undercut by monthly termination after the initial term. [Source pending] The full TCO comparison against the stationary guard post contains the sensitivity analysis.

Integration into DCIM, SIEM and Control Room

Security without integration into the control room is theater. The Quarero platform delivers events via MQTT, REST and Syslog to common SIEM systems. Splunk, QRadar, Sentinel accept the format without a custom parser.

Correlation with access control, fire alarm system and cooling runs in one unified event stream. If a door contact at the diesel bunker opens at 03:17 and a QR-2 detects a person in the sector at the same time, that is one incident. Not two separate log lines.
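The door-contact and QR-2 case above, as an added sketch that is not the Quarero platform's own code: events from different sources in the same sector within a time window are merged into one incident. The event field names, sector labels and the 60-second window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names (ts, source, sector, type) are
# assumptions for illustration, not the platform's actual schema.
EVENTS = [
    {"ts": "2026-01-14T03:17:02", "source": "access-control", "sector": "diesel-bunker", "type": "door_open"},
    {"ts": "2026-01-14T03:17:09", "source": "QR-2", "sector": "diesel-bunker", "type": "person_detected"},
    {"ts": "2026-01-14T03:17:40", "source": "QR-2", "sector": "diesel-bunker", "type": "person_detected"},
    {"ts": "2026-01-14T03:19:30", "source": "QR-2", "sector": "sektor-b", "type": "person_detected"},
    {"ts": "2026-01-14T04:45:00", "source": "access-control", "sector": "diesel-bunker", "type": "door_open"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Merge events per sector: an event within `window` of the
    incident's most recent event joins it, otherwise a new one opens."""
    incidents = []
    open_by_sector = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        inc = open_by_sector.get(ev["sector"])
        if inc is None or ts - inc["last"] > window:
            inc = {"sector": ev["sector"], "first": ts, "last": ts, "events": []}
            incidents.append(inc)
            open_by_sector[ev["sector"]] = inc
        inc["last"] = ts
        inc["events"].append(ev)
    for inc in incidents:
        sources = {e["source"] for e in inc["events"]}
        types = {e["type"] for e in inc["events"]}
        # Escalate only when independent sources agree:
        # a door contact plus a robot person detection.
        corroborated = len(sources) > 1 and {"door_open", "person_detected"} <= types
        inc["severity"] = "high" if corroborated else "low"
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["first"].time(), inc["sector"], inc["severity"], len(inc["events"]), "events")
```

The 04:45 door opening stays a separate low-severity incident because no second source corroborates it inside the window.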

The API connection to Schneider EcoStruxure, Vertiv Trellis and Sunbird DCIM is standard, not custom development. Two-way audio through the robot allows direct address from the 7x24 NOC. The operator addresses the intruder without a guard being on scene. In three documented cases in 2024 the person aborted the attempt after the address. [Source pending]

The incident file is automatically exportable in BSI-compliant format for the annual evidence requirement. This saves the compliance department 80 to 120 hours of preparation work per year on average. [Source pending]

Data Protection and ISO Conformity in Data Center Operation

Data protection is a sticking point in robot deployment, especially at hyperscale sites with international tenants. EN ISO 13482 is the governing safety standard for personal care and service robots in operational use (ISO 13482:2014). The standard governs mechanical safety, emergency shutdown, collision avoidance.

GDPR-compliant operation runs via on-edge processing. Person images do not leave the robot toward the cloud. Privacy by design means: faces are automatically masked in recordings outside the incident context. During the incident itself the masking is lifted. Before and after, the image stays redacted.

The Article 28 GDPR data processing agreement is part of the standard RaaS contract. Anyone who does not need it because they handle the data processing themselves can choose a license variant. The ISO 27001 Annex A.7 Physical Controls certification path is supported by robot logs. Auditors accept the signed event logs as evidence of continuous monitoring. With shift books alone this evidence is often contested.

The BBK is the competent federal authority for the registration of operators of critical installations (BBK portal). Reporting channels for security-relevant incidents run directly there.

Piloting in 48 Hours: Operational Procedure

Piloting is standardized and runs in a fixed time window.

Day 1 morning: site walk with the security manager. Definition of patrol routes, geofence boundaries, identification of the home station with power and LTE backup.

Day 1 afternoon: delivery of QR-2 or QR-3. Calibration of geofence and home station. First patrol in manual mode to validate the route.

Day 2 morning: integration into the control room. Test of the escalation chain with the guard service, including fault and emergency scenarios. Training of NOC operators on the event dashboard, duration 90 minutes.

Day 2 afternoon: handover to 7x24 operation. Start of the four-week pilot phase. KPIs are reviewed weekly, the first review takes place after seven days.

The minimum contract term after a successful pilot is 24 months. After that, the contract is cancellable monthly with three months' notice. The dedicated contact for DACH is Marcus Köhnlein, Sales Lead Switzerland.

For operational preparation we recommend the KRITIS-Dachgesetz checklist as a template for site assessment. To schedule the pilot, contact Marcus Köhnlein, Sales Lead DACH, directly.
