KRITIS Sectors: Classification and Thresholds 2026

The KRITIS Umbrella Act (KRITIS-Dachgesetz) classifies ten critical infrastructure sectors in 2026. Operators that reach the thresholds are recorded by the BBK, register in the reporting portal and prepare a protection concept. This text provides the sector list, the figures from the KritisV and the operational steps. It does not replace legal advice. It replaces flipping through five sources.

KRITIS sectors under the Umbrella Act: complete domain overview

The KRITIS-Dachgesetz names energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, municipal waste disposal, space and public administration. Each sector has its own facility category regulation with numerical thresholds (Bundestag-Drucksache 20/9262).

The space sector was added with the 2024 draft. It covers ground stations, satellite control centres and telemetry infrastructure. Operators of satellites or recipients of constellation data check this category first because it is missing in older overviews.

Municipal waste is newly classified. Disposal facilities from 500,000 population equivalents fall within scope. Waste incineration, mechanical-biological treatment and sorting plants of large municipal associations are affected.

Sector classification is not voluntary. The Federal Office for Civil Protection and Disaster Assistance identifies operators based on the thresholds (BBK). Operators that breach thresholds are KRITIS, regardless of whether they report themselves.

Multiple classification is the rule, not the exception. Municipal utilities operate energy, water and often transport (local public transit) in parallel. They face three sector obligations simultaneously, with three facility categories and three reporting chains. The KRITIS sector detail overview lists the categories per sector.

Thresholds: when a company becomes KRITIS-obligated

The thresholds are set in the BSI-KritisV, legally binding and numerical (gesetze-im-internet.de). Energy sector: 3,700 GWh per year of electricity generation, 420 MW installed generation capacity, 104 km of high-voltage grid from 110 kV. Gas supply and mineral oil have their own thresholds in the same regulation.

Water sector: 22 million cubic metres of drinking water per year or 500,000 connected residents. Wastewater follows a separate measure in population equivalents. Reaching one of these values is enough to be recorded. The other values may remain below the threshold.

Health sector: hospitals from 30,000 fully inpatient cases per year. Pharmacy suppliers, laboratories and manufacturers of prescription medicines have their own thresholds. Details on hospital obligations are provided in the article on hospitals in the health sector.

Transport sector: airports above 20 million passengers per year, ports above 8 million tonnes of cargo throughput, rail networks from 300,000 train kilometres per day. Logistics centres are captured via shipment volumes and hub function.

The values are reviewed every two years. Operators that were below the threshold in 2024 may be recorded in 2026. Causes: increased generation capacity, growing patient numbers or a lowered threshold. Self-assessment belongs in the annual closing process.

Energy sector: largest group, highest physical attack surface

The energy sector has the longest fence-line kilometre count of all sectors. Substations, power plants, wind farms, gas storage facilities and tank farms add up to several thousand kilometres of outer boundary in Germany. Each of these facilities is a potential attack target.

Sabotage incidents at substations have quadrupled since 2022 according to the BBK situation report (BBK situation report 2024). Arson at cable shafts, copper theft with consequential damage, drone overflights with reconnaissance intent are documented. The threat situation is not abstract.

Drone sightings over energy facilities are reportable under § 11 KRITIS-Dachgesetz. Operators that do not detect cannot report. Detection requires LiDAR or RF sensors in the perimeter. QR-3 with LiDAR and drone detection delivers both modalities in one platform.

The hybrid threat requires physical and cyber defence in parallel. The NIS-2 Directive applies cumulatively to the KRITIS-Dachgesetz. Operators that only harden the server and leave the gate open have failed both regulations.

Typical site sizes range from 80,000 to 400,000 square metres of perimeter per location. Two to four QR-2 units replace the classic guard patrol on this area and deliver continuous tracks instead of point-in-time rounds.

Health sector: hospitals under dual regulation

Clinics from 30,000 cases are subject to KRITIS. Smaller hospitals often fall under NIS-2 as essential entities. Dual regulation is standard, because patient data, supply security and critical supply chains must be protected simultaneously.

Physical obligations include 24/7 access control of the emergency department, protection of emergency power supply against tampering and secured storage of narcotics and high-risk medicines. These protection goals are set out in the KritisV and in the DKG sector standards.

Guard service costs in clinics in 2026 range from 18,000 to 26,000 euros per month per 24/7 post, depending on collective agreement (Manteltarifvertrag) and region (BDSW facts and figures 2025). The breakdown in guard service cost comparison shows the range.

QR-1 with audio detection is suitable for indoor patrols in non-clinical areas such as technical floors, underground car parks and delivery zones. QR-2 secures supplier access, waste yard and helipad. Patient contact is handled by staff, never by the robot.

Management is personally liable in cases of proven breach of duty. The mechanism mirrors board liability under NIS-2 Article 20 and 21. D&O insurance regularly excludes wilful breach of duty, the liability hits private assets.

Transport and traffic sector: ports, airports, logistics hubs

Container terminals with more than 8 million tonnes of throughput are captured. Hamburg, Bremerhaven and Wilhelmshaven are well above the threshold, smaller specialised ports reach it through bulk cargo. The scope covers quay facilities, crane areas and hinterland connections.

Perimeters of such terminals regularly exceed 1 million square metres. Human patrol is not economically viable on this area. Two patrol rounds per shift cover less than 20 percent of the perimeter at usable frequency. (Internal benchmark; source documentation available on request.)

Thermal person detection at night is a mandatory function. QR-2 delivers a FLIR Boson stream directly to the SOC, with classification of human versus animal versus vehicle. This classification reduces false alarm rates to a magnitude that a dispatcher can process.

In the rail network, signal boxes and tunnel portals count as critical components under KritisV § 7. Operators of a signal box that controls more than a defined line load are KRITIS. The threshold is not the station but the function.

Resilience audits become mandatory from 2027. Evidence of physical protection measures goes to the BBK, with facility documentation, detection chains and response times. Operators using robotics deliver this data automatically from the operations log.

Sector classification in practice: self-assessment and BBK reporting

Step one: check annual values against KritisV thresholds. Cut-off date is 31 March of the following year. Generation capacity, water volume, patient cases, tonnage are drawn from the annual accounts and operating statistics. An Excel sheet with thresholds and actual values belongs in every compliance file.

Step two: registration in the BBK portal within three months of reaching the threshold. The BBK registration step by step explains the procedure with forms and mandatory fields. Late registration is a separate fineable offence.

Step three: appointment of a KRITIS officer with deputy. No dual role with the IT security officer, because physical and digital protection goals can produce competing priorities. Officer and deputy must be reported to the BBK by name.

Step four: prepare a protection concept, physical and digital, with risk analysis, measures catalogue and effectiveness evidence. Update every two years, or without delay on material change of circumstances. The KRITIS-Dachgesetz checklist with 14-week plan provides the structure.

Step five: incident reports via the unified reporting portal. Deadline for significant disruptions: 24 hours after detection. Follow-up report with detailed assessment within 72 hours. Operators that detect the incident late document the time of detection, the portal accepts this as the start of the deadline.

Sanctions for sector non-reporting or breach of duty

Fines reach up to 10 million euros or 2 percent of global group turnover (KRITIS-Dachgesetz draft, § 62). The level is derived from NIS-2 transposition and anchored in parallel in the KRITIS-Dachgesetz. The higher value applies, which at group level quickly means eight-figure amounts.

Management is personally liable for breach of duty. Insurability is limited, because wilful intent and gross negligence are regularly excluded from D&O policies. The managing director who overlooks the KRITIS notification risks their private assets.

Cease orders are possible for repeated violations. Plant shutdown is the last resort. In energy and water supply it is not practically considered. In logistics and health it is regulatorily conceivable. Replacement operator arrangements are prepared in advance.

The BBK can order audits and deploy external auditors at the operator's expense. The fee runs into six figures, plus costs for supervision and remediation. (Industry experience value; no official source available.) An ordered audit is regularly more expensive than avoidance through proper compliance.

Reputational damage from publicly disclosed violations often exceeds the fine. Operators that appear in the press as KRITIS failures lose customers, credit terms and employee trust. The financial impact regularly exceeds the fine. The financial impact is hard to quantify but regularly larger than the fine itself.

Robotics as the operational answer to KRITIS obligations

Continuous documentation is the operational requirement. Each patrol delivers timestamp, GPS track and sensor data. This data is audit-ready and archived without additional effort. In a BBK audit, one click delivers the patrol history of the last 24 months.

The Robotics-as-a-Service model avoids CapEx and fits the two-year protection concept cycle. Monthly service fee instead of investment, contract term synchronised with the protection concept update. Operators that lose KRITIS status terminate the service. Operators that scale add units.

Delivery time 48 hours from order enables response to acute threat situations without procurement delay. Classic investment procurement in groups takes three to nine months. This timeline does not fit a rise in sabotage during the current quarter.

Scaling as an empirical value: one QR-2 per 200,000 square metres of outdoor area in the DACH industrial perimeter. With dense built-up areas or heavy vegetation the value shifts downward, with open areas upward. The exact figure is delivered by the site survey.

Pilot start with one unit, expansion after 90-day evaluation. Operators that have verified their sector in the KRITIS sector detail overview start with the pilot enquiry with Marcus Köhnlein. Site survey and threshold verification are part of the initial discussion.