German Infrastructure Protection Law Lacks Effectiveness Due to Missing Guidelines
One month after the enactment of Germany's new Kritis umbrella law on March 17, 2026, the legislation remains largely ineffective due to the absence of essential implementation guidelines and a unified reporting portal. The Federal Ministry of the Interior acknowledged that while the law establishes a framework for protecting critical infrastructure against sabotage and cyberattacks, specific legal regulations requiring Federal Council approval are still pending. Consequently, operators of important facilities lack clear instructions on registration and security measures. In contrast, progress is evident in cybersecurity under the NIS 2 directive, which came into force in December 2025. Over 15,000 entities have already registered via the Federal Office for Information Security (BSI) portal, with estimates suggesting nearly 30,000 establishments ultimately require registration. A joint reporting office involving the BSI and the Federal Office for Civil Protection and Disaster Assistance is currently being prepared to handle future physical infrastructure protection reports. Political friction persists regarding the threshold for critical facilities, with states arguing the current limit of 500,000 served people is too high, though their push for a lower threshold was unsuccessful.
Wire timeline
German Infrastructure Protection Law Lacks Effectiveness Due to Missing Guidelines
One month after the enactment of Germany's new Kritis umbrella law on March 17, 2026, the legislation remains largely ineffective due to the absence of essential implementation guidelines and a unified reporting portal. The Federal Ministry of the Interior acknowledged that while the law establishes a framework for protecting critical infrastructure against sabotage and cyberattacks, specific legal regulations requiring Federal Council approval are still pending. Consequently, operators of important facilities lack clear instructions on registration and security measures. In contrast, progress is evident in cybersecurity under the NIS 2 directive, which came into force in December 2025. Over 15,000 entities have already registered via the Federal Office for Information Security (BSI) portal, with estimates suggesting nearly 30,000 establishments ultimately require registration. A joint reporting office involving the BSI and the Federal Office for Civil Protection and Disaster Assistance is currently being prepared to handle future physical infrastructure protection reports. Political friction persists regarding the threshold for critical facilities, with states arguing the current limit of 500,000 served people is too high, though their push for a lower threshold was unsuccessful.
DIE ZEIT | Nachrichten, News, Hintergründe und Debatten