KRITIS Protection Concept: Template with Nine Chapters
KRITIS protection concept as a working template: nine mandatory chapters, risk analysis, measures catalogue, BBK evidence and NIS-2 interface for operators.
The KRITIS protection concept is the central documentation obligation for every operator under the KRITIS-Dachgesetz (KRITIS Umbrella Act). This article delivers a working template with nine mandatory chapters, a risk analysis methodology, a measures catalogue and an audit structure. It is addressed to security managers and compliance officers, who must submit an audit-ready document to the BBK no later than ten months after the act enters into force.
KRITIS protection concept: legal framework and mandatory content
§11 of the KRITIS-Dachgesetz draft obliges every operator to draw up a protection concept once the KritisV thresholds are exceeded. The draft names physical and organisational protection measures as minimum content (Bundestag-Drucksache 20/9262). The document is to be kept separately from the IT security concept under §8a BSIG, but complements it with physical and hybrid protection layers.
The supervisory authority is the Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK), not the BSI. This separation is operationally relevant: reporting channels, audit intervals and contacts differ. The first submission must be available no later than ten months after the KRITIS-Dachgesetz enters into force (Bundestag-Drucksache 20/9262). Missing or incomplete concepts trigger fines up to 10 million euros or 2 percent of global annual turnover (whichever is higher) (Bundestag-Drucksache 20/9262).
In practice: anyone without a framework in March 2026 is already working against the deadline. Next step: KRITIS-Dachgesetz checklist 2026.
The nine mandatory chapters of the protection concept template
The template is structured into nine chapters. Each chapter produces an auditable output rather than pure description.
Chapter 1: Facility description. Sector allocation per KritisV, all sites with coordinates, threshold calculation as a traceable table. The KritisV defines thresholds sector by sector (gesetze-im-internet.de/bsi-kritisv).
Chapter 2: Protection objectives. Derived directly from the supply mandate, formulated measurably. Example: "Detection of unauthorised perimeter entry within 30 seconds, verification within 60 seconds." No wording such as "sufficient protection" or "appropriate measures".
Chapter 3: Risk analysis. All-hazards approach including sabotage, drones, hybrid threats, natural hazards, insiders.
Chapter 4: Measures. Technical, organisational, personnel. Each measure assigned to one or more protection objectives.
Chapter 5: Detection and response chains. From sensor event to intervention, escalation times in minutes.
Chapter 6: Personnel, exercises, supply chain, recovery. Sachkundeprüfung under §34a GewO for own staff, exercise plan with frequency, supplier resilience, recovery times.
Chapter 7: Interfaces to NIS-2 and IT security. Clean separation, transitions documented.
Chapter 8: Evidence structure. Document control, versioning, audit logs.
Chapter 9: Maturity and improvement plan. Status quo, target state, measures on a timeline.
Risk analysis: methodology and depth
The BBK guideline requires a scenario-based analysis with at least five threat classes: sabotage, attack, insider, technical failure, natural event (BBK guideline protection concepts). Drone threat has been a mandatory scenario since 2024 for the energy, water and transport sectors (BBK). Cyber-physical convergence, meaning an IT attack with physical impact or vice versa, must be addressed explicitly.
Assessment runs on two axes: probability of occurrence and damage extent. Both values are justified, not merely set. A drone over a substation cannot plausibly be rated low probability in 2026.
Accepted methodologies are ISO 31000 and BSI standard 200-3. Mixed forms are permitted as long as the justification is documented. Those coming from the ISMS environment often choose 200-3 because of its compatibility with IT-Grundschutz. Those coming from enterprise risk management stay with ISO 31000.
Insider threat is often underestimated. A serious analysis covers privileged accesses, service-provider accesses and cleaning staff with key authority. Details: KRITIS requirements in detail.
Measures catalogue: technical, organisational, personnel
The catalogue is the core element and at the same time what is checked first in the audit. Concrete requirements:
- Perimeter protection: Detection within 30 seconds of approach to the outer boundary. Accepted technology: fence detection, radar, LiDAR, thermal camera with analytics.
- Access control: Multi-factor authentication at critical nodes (control room, switch building, pumping station). Card plus PIN is minimum, card plus biometrics is standard.
- Video surveillance: Recording for 30 days, live analysis 24/7 (BBK guideline protection concepts). Pure recording without analysis does not fulfil the protection objective "detection".
- Autonomous patrol: As a supplement to stationary sensors, documented with route log and sensor coverage. Closes blind spots between fixed sensors.
- Intervention time: Below 15 minutes from alarm verification to arrival on site, contractually agreed with the guard service provider and demonstrated through exercises (BBK guideline protection concepts).
Organisational: duty roster with gapless control-room staffing, four-eyes principle for access to key areas, visitor rules with mandatory escort.
Personnel: Sachkundeprüfung §34a for own staff, annual training with proof, background check for new hires in security-relevant functions.
The comparison of personnel cost and technical detection belongs in the economic assessment: TCO guard service vs. robotics.
Evidence structure and audit readiness
A protection concept without a clean evidence structure fails the audit, even if the measures are technically correct. The template therefore enforces per measure:
- unique ID (e.g. M-4.3.2)
- named responsible party (role, not person)
- audit interval in months
- proof of effectiveness (exercise log, log file, penetration test)
- last audit date
External penetration tests are not mandatory, but recommended for critical measures such as perimeter and access. They deliver the most robust proof of effectiveness.
The BBK audit is risk-based. Pre-notification is four weeks, considerably shorter for an incident-triggered audit (BBK). On-site sample checks include physical tests: fence climb attempt, gate test, control-room reaction test with triggered alarm.
Document control follows ISO 9001 or comparable standard. Versioning gapless, change history traceable, approvals with date and signature. Anyone maintaining the protection concept in SharePoint without version control will collect findings. For formal submission to the BBK: BBK registration guide.
Integration with NIS-2 and cyber-physical protection
NIS-2 explicitly requires physical security measures in Article 21 as part of risk management for network and information systems (EUR-Lex Directive 2022/2555). The KRITIS protection concept and the NIS-2 measures plan deliberately overlap on the physical layer.
In practice: access control to the server room appears in both documents. Double documentation is permitted, but inconsistencies are flagged in the audit. If the KRITIS protection concept mandates multi-factor authentication and the NIS-2 plan only requires a card, at least one of the documents is wrong.
Recommended practice: a master measures table that both documents reference. Changes are made in one place. The interfaces are named explicitly in chapter 7 of the protection concept.
Board liability under NIS-2 extends to physical incidents with IT impact. A sabotage act on the fibre cable that impairs the availability of a service is both: physical incident (BBK) and cyber incident (BSI). Reporting channels are separate. Time-wise, a 24-hour early-warning obligation applies to both. Details on liability: NIS-2 and board liability.
Role of autonomous patrol robotics in the protection concept
Autonomous patrol robots fulfil the protection objective "continuous detection" with reduced personnel exposure. In the measures catalogue they are anchored under chapter 4.3 (technical detection), not under personnel. This assignment is audit-relevant.
Concretely: QR-3 with drone detection covers two mandatory scenarios at once. LiDAR-based ground detection addresses perimeter and indoor patrol. Acoustic and RF sensing addresses the mandatory airspace-threat scenario, set since 2024 for energy, water and transport.
Documentation relevant for evidence:
- route plans with frequency and coverage
- sensor coverage map (detection radii per sensor)
- escalation log from robot event to human verification
- maintenance and availability logs
The Robotics-as-a-Service model relieves the capital budget. Commissioning typically takes place within 48 hours of site release. What works: supplementing stationary sensors, reducing blind spots, documented detection chains. What does not work: full replacement of intervention forces, who must deliver on-site response.
Common findings at initial audit and countermeasures
From more than 40 initial audits accompanied in 2024 and 2025, five findings recur. [Internal evaluation Quarero Robotics 2025] Those who avoid them usually pass the initial audit without follow-up requirements.
Finding 1: Protection objectives formulated too vaguely. Wording such as "effective protection of the facility" is not auditable. Countermeasure: each protection objective with a measurable indicator and time value.
Finding 2: Risk analysis ignores drones and insiders. Both scenarios are often missing or dismissed flatly with low probability. Countermeasure: separate scenario description with current threat picture, reference to BBK situation report.
Finding 3: Measures without responsibility and audit interval. Measures tables that lack the columns "responsible" and "next audit". Countermeasure: minimum columns ID, description, protection objective, responsible, interval, last evidence.
Finding 4: Exercise logs missing or older than 12 months. Without exercise no proof of effectiveness. Countermeasure: annual full exercise, semi-annual partial exercises, log with date, participants, findings, follow-up actions.
Finding 5: NIS-2 interface not recognisable. Chapter 7 missing or referenced flatly. Inconsistencies in reporting channels are uncovered in the audit. Countermeasure: explicit interface table with measure IDs in both documents.
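The evidence structure per measure, the master measures table recommended for the NIS-2 interface, and findings 3 to 5 all reduce to checks that can be run mechanically over the table before the auditor does it by hand. The following Python script is an added example, not code from the article or from Quarero Robotics: it loads a constructed CSV export of a master measures table, verifies the minimum columns, flags measures without a responsible role, audit interval or proof of effectiveness, flags evidence older than the audit interval (capped at 12 months), and compares every measure that references the NIS-2 plan against a constructed plan entry. Column names, measure IDs, NIS-2 reference IDs, the audit date and all rows are assumptions made for the example.

```python
"""Consistency checks over a KRITIS master measures table.

Added example, not from the article or from Quarero Robotics. Column
names, measure IDs, NIS-2 reference IDs, the audit date and all rows are
constructed for illustration.
"""
import csv
import io
from datetime import date

# Minimum columns per measure (evidence structure, findings 3 and 4).
REQUIRED_COLUMNS = ("id", "description", "objective", "responsible",
                    "interval_months", "last_evidence")

# Constructed sample: CSV export of the master measures table.
# factors  = number of authentication factors the measure requires (if any)
# nis2_ref = ID of the corresponding entry in the NIS-2 measures plan
KRITIS_TABLE = """\
id,description,objective,responsible,interval_months,last_evidence,factors,nis2_ref
M-4.1.1,Fence detection on outer perimeter,PO-1,Site security lead,6,2025-11-03,,A21-phys-01
M-4.2.1,Card plus PIN at control-room door,PO-2,Access control officer,12,2024-09-15,2,A21-acc-03
M-4.3.2,Autonomous patrol of south yard,PO-1,,3,2025-12-01,,
M-4.4.1,Video analytics on gate 2,PO-1,CCTV operator,6,2026-01-20,,A21-vid-09
M-4.5.1,Control-room alarm reaction test,PO-3,Control room manager,12,,,A21-resp-02
"""

# Constructed sample: the NIS-2 measures plan, keyed by its own IDs.
# "factors" is None where the plan does not specify an authentication level.
NIS2_PLAN = {
    "A21-phys-01": {"factors": None},
    "A21-acc-03": {"factors": 1},      # plan only requires a card here
    "A21-resp-02": {"factors": None},
}

AUDIT_DATE = date(2026, 3, 1)  # constructed date of the check


def months_between(earlier, later):
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    if later.day < earlier.day:
        months -= 1
    return months


def load_measures(text):
    """Parse the CSV and refuse tables that lack a mandatory column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"table lacks mandatory columns: {missing}")
    return list(reader)


def check_measures(rows, nis2_plan, today):
    """Return (measure id, finding) pairs; an empty list means no findings."""
    findings = []
    for r in rows:
        mid = r["id"]
        interval = (r.get("interval_months") or "").strip()
        # Finding 3: responsible role and audit interval must be filled in.
        if not (r.get("responsible") or "").strip():
            findings.append((mid, "no responsible role"))
        if not interval.isdigit():
            findings.append((mid, "no audit interval"))
        # Finding 4: proof of effectiveness must exist and not be stale.
        last = (r.get("last_evidence") or "").strip()
        if not last:
            findings.append((mid, "no proof of effectiveness"))
        else:
            limit = min(int(interval), 12) if interval.isdigit() else 12
            age = months_between(date.fromisoformat(last), today)
            if age > limit:
                findings.append((mid, f"evidence overdue by {age - limit} months"))
        # Finding 5: every NIS-2 reference must resolve, and shared
        # requirements (here: authentication factors) must agree.
        ref = (r.get("nis2_ref") or "").strip()
        if ref:
            entry = nis2_plan.get(ref)
            factors = (r.get("factors") or "").strip()
            if entry is None:
                findings.append((mid, f"NIS-2 reference {ref} not in plan"))
            elif (factors.isdigit() and entry["factors"] is not None
                  and int(factors) != entry["factors"]):
                findings.append((mid, f"authentication factors differ from "
                                      f"NIS-2 plan ({factors} vs {entry['factors']})"))
    return findings


def report(text=KRITIS_TABLE, plan=NIS2_PLAN, today=AUDIT_DATE):
    """Convenience wrapper: run all checks over the sample data."""
    return check_measures(load_measures(text), plan, today)


if __name__ == "__main__":
    for mid, finding in report():
        print(f"{mid}: {finding}")
```

On the constructed rows the script reports five findings: stale evidence and an authentication-factor mismatch against the NIS-2 plan for M-4.2.1 (the card-versus-card-plus-PIN inconsistency described above), a missing responsible role for M-4.3.2, a dangling NIS-2 reference for M-4.4.1, and no proof of effectiveness for M-4.5.1. A real table will carry further columns (audit log pointers, approval signatures); the checks only read the columns named here, so the script can be run unchanged against a fuller export.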
Those who want to walk through an audit-ready template and the integration of autonomous patrol into the protection concept can find the entry point at KRITIS consulting Quarero Robotics. Master measures table and evidence structure are delivered as working documents.