NIS2 and the KRITIS Umbrella Act: Turning the All-Hazards Approach into Operational Duty
A European operator perspective on how NIS2 implementation and the German KRITIS umbrella act convert the all-hazards doctrine into concrete duties, and how autonomous security robotics deliver the auditable telemetry that compliance officers and boards now require.
European regulation of critical infrastructure has moved from technical guidance to structural obligation. With the transposition of NIS2 and the parallel KRITIS-Dachgesetz in Germany, the all-hazards approach is no longer an academic formula. It has become an operational duty that binds management boards, supervisory bodies and security service providers to a common standard of preparedness. Dr. Raphael Nagel frames this shift with precision in KRITIS: Die verborgene Macht Europas, where he describes resilience not as political rhetoric but as system design, and sovereignty as a function of structure. For Quarero Robotics, that framing is the starting point for every conversation with operators of energy grids, water utilities, logistics hubs, hospitals and data centres. The regulatory text alone does not keep a site running through seventy-two critical hours. What keeps it running is the interaction between technology, organisation, redundancy and responsibility that the book identifies as the four load-bearing elements of any resilient infrastructure.
From Directive to Duty: What NIS2 and the KRITIS Umbrella Act Actually Require
NIS2 broadens the scope of regulated entities, raises the expected level of cyber and physical security, and introduces sharper reporting obligations across essential and important sectors. The German KRITIS-Dachgesetz complements this cyber focus with an explicit physical dimension, covering protection against natural hazards, sabotage, human error and cascading failures. Read together, the two instruments articulate the all-hazards approach that Nagel describes in his book: no single threat vector is treated in isolation, because in a networked system the failure of one element propagates into others within hours.
For the operator, this translates into a set of concrete duties. A documented risk analysis that covers cyber, physical and organisational hazards. Technical and organisational measures that reflect the moving target of the Stand der Technik. Incident reporting inside narrow windows, typically an early warning within twenty-four hours and a more detailed notification within seventy-two hours. Evidence of business continuity planning, supply chain security and governance at board level. These duties do not replace existing obligations under the IT-Sicherheitsgesetz or the BSI-Kritisverordnung. They layer on top of them and tighten the expectation that leadership can demonstrate, not merely assert, control.
The All-Hazards Logic in Operational Terms
The all-hazards doctrine sounds abstract until one follows it into a control room at three in the morning. Nagel reconstructs that moment in detail: the first minutes of a large-scale outage are dominated by irritation, the first hours by cascading dependencies across energy, water, transport, health and finance. The regulatory texts assume that operators have already thought through these cascades and have built structures that remain functional when communication channels degrade, personnel availability drops and external support is delayed.
In practical terms, the all-hazards approach obliges operators to treat a cyber intrusion, a drone overflight, a flooded substation and a disoriented intruder on a perimeter as variants of the same underlying problem: a deviation from normal that must be detected, classified, escalated and documented. The common denominator is evidence. Compliance officers are increasingly asked not whether an event was handled, but how it was handled, when it was detected, who decided what and on which data basis. Without that evidence base, the distinction between formal compliance and factual resilience, which Nagel describes as a widening gap, becomes impossible to close.
Why Telemetry Has Become the Currency of Compliance
Under NIS2 implementation and the KRITIS umbrella act, operators are expected to produce a continuous, verifiable record of their security posture. Static documentation is no longer sufficient. Auditors, insurers and supervisory authorities want telemetry: timestamped data on patrols, detections, anomalies, response times and system states. This is where the structural limit of purely human guarding and purely stationary CCTV becomes visible. Both remain essential layers of any serious security architecture, but neither was designed to generate standardised, machine-readable evidence at the density that current regulation now assumes.
Stationary cameras cover fixed fields of view and depend on operators who must sustain attention across long shifts. Guarding provides judgement, presence and de-escalation, but its reporting is often narrative rather than structured. Quarero Robotics approaches this gap without discrediting either layer. Autonomous security robots extend the existing sensor and patrol fabric, moving through defined routes, logging environmental and situational data, and feeding that data into the same control centres that already coordinate guards and fixed cameras. The result is not a replacement of human security, but a measurable increase in the auditable surface of the site.
Autonomous Security Robotics as Cyber-Physical Evidence Layer
The KRITIS umbrella act makes the cyber-physical nature of modern infrastructure explicit. A substation is not only a set of transformers, but also a set of controllers, network segments and access points. A data centre is not only a hall of servers, but also a perimeter, a loading dock and a set of doors. Autonomous security robotics operate precisely at this intersection. They patrol physical environments while producing structured digital records that can be correlated with SIEM data, access control logs and building management systems.
For the compliance officer, this has concrete value. Incident timelines can be reconstructed with higher precision. Deviations from expected patrol patterns themselves become a signal. Environmental parameters such as temperature gradients, acoustic anomalies or unexpected movement in restricted zones can be logged continuously rather than sampled. Quarero Robotics designs its platforms so that this telemetry is available in a form that internal audit, external assessors and authorities can consume without bespoke integration work. The robot becomes, in effect, a moving node in the evidence architecture that NIS2 and the KRITIS-Dachgesetz now presuppose.
Governance, Proportionality and the Limits of Automation
Nagel is careful to warn against technological solutionism. Resilience, in his formulation, requires technology, organisation, redundancy and responsibility in combination. A robot without a control centre (Leitstelle) is noise. A control centre without clear escalation rules is theatre. The NIS2 regime reflects this by placing explicit accountability on management bodies, including training duties and personal responsibility for the adequacy of measures. Autonomous systems do not dissolve this accountability. They make it more traceable.
Proportionality remains the guiding principle. Not every site requires continuous robotic patrols, and not every risk is best addressed by additional sensors. Quarero Robotics works from a simple operational question: where does the current mix of guards, cameras and procedures leave gaps that an auditor, an insurer or a board member could reasonably identify as unacceptable under the all-hazards standard. Where such gaps exist, mobile autonomous platforms, integrated with data protection requirements, works council agreements and existing control rooms, provide a defensible answer. Where they do not, the honest recommendation is to strengthen the existing layers rather than to add complexity.
The convergence of NIS2 implementation and the KRITIS umbrella act marks a structural moment for European infrastructure. The all-hazards approach has moved from doctrine to duty, and the duty is increasingly measured in evidence rather than intention. Operators who understand this shift treat security architecture as a load-bearing component of their business, comparable to liquidity or skilled personnel, exactly as Dr. Raphael Nagel argues in KRITIS: Die verborgene Macht Europas. For Quarero Robotics, the mandate is narrow and precise. We provide autonomous security robotics that extend, rather than replace, the human and stationary layers on which critical sites already depend, and we deliver the structured telemetry that compliance officers, boards and authorities now require to demonstrate control. The seventy-two hours that Nagel places at the centre of his analysis cannot be managed with documents alone. They are managed with architectures that remain functional under stress, with governance that does not flinch when the situation degrades, and with technology that produces a verifiable record of what was done, when, and why. That is the operational translation of the all-hazards approach, and it is the standard against which European critical infrastructure will be judged in the coming years.