KRITIS · Umbrella Act · NIS-2

KRITIS Water: Duties and Perimeter Protection 2026

KRITIS water sector overview: thresholds, KRITIS-Dachgesetz duties from 2026, and a concrete perimeter solution for waterworks and reservoirs.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

Municipal water utilities face double supervision from 2026. The KRITIS-Dachgesetz (KRITIS Umbrella Act) governs physical protection; NIS-2 governs the digital side. Both frameworks demand a documented protection concept, a named officer, and verifiable measures at the perimeter. This article is addressed to plant managers who must secure their reservoirs, well fields, and treatment plants in an audit-proof manner without breaking the municipal budget.

KRITIS water: legal framework 2026

The water sector covers two sub-areas: drinking water supply and wastewater disposal. The reference text is BSI-Kritisverordnung §6. The current threshold for KRITIS obligation is 500,000 people supplied per facility. Operators above this line count as critical infrastructure operators and are supervised by the BBK.

The KRITIS-Dachgesetz extends the physical protection duty from 2026. The threshold drops in steps, and the duty to perform a risk analysis and provide structural protection applies below the 500,000 line. In parallel, the NIS-2 Directive captures water utilities from 50 employees upward as essential entities. The cyber requirements from Article 21 apply on top.

Anyone processing both frameworks separately produces duplicate work and gaps. The physical protection concept and the information security management system must converge in one document. The KRITIS sectors overview shows the cross-links to energy, telecommunications, and health.

Protection goals and threat landscape

Water infrastructure is geographically distributed. The main plant usually has staff and access control. Reservoirs, well fields, and transfer points sit on the periphery, often on hills or in forests, unmanned around the clock. This is exactly where the documented incidents concentrate.

Three scenarios dominate the risk analysis: intrusion into clean-water reservoirs with intent to contaminate, manipulation of chlorination and dosing systems, and sabotage of valves and pumps. Since 2022 the BBK has registered a rising number of incidents at water facilities, documented in the civil protection situation reports.

Classic fences and static cameras detect an intruder only after the perimeter has been breached. The recording then serves law enforcement, not prevention. External guard services typically react to an alarm within 15 to 30 minutes. By that time, contamination has long since been completed.

Duties from the KRITIS-Dachgesetz for water utilities

The act's requirements break into six points:

  1. Registration with the BBK within the deadlines set after entry into force. "BBK registration step by step" describes the procedure.
  2. Written protection concept with risk analysis, updated at least every three years.
  3. Evidence of structural and technical protection measures at the perimeter including detection, delay, response.
  4. Reporting duty for security-relevant incidents within 24 hours to the BBK.
  5. Security officer with documented qualification, named and disclosed to the supervisory authority.
  6. Fines up to 10 million euros for violations, documented in Bundestag-Drucksache 20/9262.

The KRITIS-Dachgesetz checklist walks through the individual records and names the typical questions asked by the supervisory authority.

Perimeter protection at water facilities: technical solution

Static cameras do not solve the problem of unmanned outdoor sites. They deliver images, not response. Autonomous patrol robots replace the camera point with mobile detection along defined routes and continuous anomaly recognition.

QR-2 for 24/7 outdoor patrol is designed for reservoirs, well fields, and mid-sized waterworks. Thermal imaging camera, person recognition, defined waypoints. The robot patrols on a fixed schedule or on request from the control room. Anomalies are reported in under 90 seconds.

QR-3 with LiDAR and drone detection covers dams, large treatment plants, and extensive sites. LiDAR delivers three-dimensional situational awareness even in darkness and fog. The integrated drone detection identifies unmanned aerial vehicles up to 500 meters away.

Both platforms are IP65-certified and operate at minus 10 to plus 45 degrees Celsius. Connection to the existing control room runs through open interfaces, and common VMS systems are supported. What does not work: full replacement of human response forces. The robot detects and documents. Escalation to plant security or police remains necessary.

Economics: RaaS versus classic guarding

A 24/7 guard post costs 15,000 to 25,000 euros per month, depending on the tariff region and surcharges under the Manteltarifvertrag. This includes ancillary wage costs, vacation and sickness cover. The BDSW documents rising hourly rates and personnel shortages in the guarding sector. Three shifts produce a calculated 45,000 to 75,000 euros per month per site.

QR-2 under the Robotics-as-a-Service model runs at 3,500 euros per month. No CapEx, no personnel tie-up, no ancillary wage costs. Delivery within 48 hours enables short-notice response to BBK inquiries or acute threat situations. For municipal utilities this matters: the OpEx structure relieves the investment budget.

Hybrid models work best in practice. One guard at the main plant plus two robots at the reservoir and well field replaces three guard shifts at three sites. A detailed calculation is in "Guard service cost compared".

What the model does not deliver: customer contact, key management, fire response. These tasks remain with personnel. The robot replaces patrol (Streife) and post (Posten) at unmanned outdoor sites, not plant security at the main plant.

Implementation in 90 days

Roll-out follows a structured procedure in four phases:

Day 1 to 14: analysis. Site walk-through, risk assessment per BBK requirements, definition of patrol routes. Definition of escalation chains with plant security, external guard service, and police. Alignment of interfaces to the existing control room.

Day 15 to 30: commissioning. Delivery of the robots, set-up of charging stations, connection to control room and video management. Calibration of detection thresholds so that wildlife and weather do not trigger false alarms.

Day 31 to 60: training. Briefing of security personnel, testing the escalation chains with simulated incidents. Documentation of response times. Coordination with local police on alerting and access procedures.

Day 61 to 90: documentation. Inclusion in the protection concept, preparation of the BBK report, update of the risk analysis. Hand-over to the security officer.

The pilot phase runs in parallel to existing guarding. No protection gap arises during the switch. Once commissioning is complete, the classic patrol can be reduced. The guard post at the main plant remains.

Common mistakes in water protection concepts

Five mistakes recur in audits by supervisory authorities:

Reduction to the main plant. The protection concept describes the treatment plant in detail and mentions the peripheral wells and reservoirs only in an annex. But that is exactly where the attack surface lies. The risk analysis must treat each site individually.

Missing response-time documentation. The concept states "alerting takes place without delay". The supervisor asks for minutes. Without measured documentation of the response time between detection, alerting, and arrival of the response force, the evidence cannot be produced.

Separation of physical and cyber protection concepts. NIS-2 and KRITIS-Dachgesetz require separate but interlocked records. Anyone maintaining both documents in isolation produces contradictions in incident reporting and in responsibility.

Guarding without nightly patrol. Most incidents take place between 22:00 and 05:00. A daytime patrol with nightly camera recording without active monitoring does not meet the protection duty.

No drone detection. Drone overflights at dams and large treatment plants are documented. A protection concept that fails to address this threat will need rework in the next audit.

Next step

Plant managers who want to assess their site against the KRITIS-Dachgesetz requirements receive a concrete evaluation in a 30-minute initial call: which facilities fall under the duty, which gaps exist in the current protection concept, and which measures are achievable in 90 days. Schedule via the contact form.
