Germany's Cybersecurity Framework in 2026: BSI, KRITIS, and the NIS2 Implementation
Germany has Europe's most-prescriptive cybersecurity framework for critical infrastructure. BSI, KRITIS, and the operational reality of compliance in 2026.
Germany has Europe’s most-prescriptive cybersecurity framework for critical infrastructure, anchored by the BSI (Bundesamt für Sicherheit in der Informationstechnik) and the KRITIS regulation. The 2024 NIS2 transposition through the KRITIS-Dachgesetz has substantially expanded which entities are subject to the framework. By 2026 the operational implications are real for any meaningful-scale enterprise operating in Germany.
I want to walk through what the framework requires and what engineering teams should be doing.

The BSI’s role
The Bundesamt für Sicherheit in der Informationstechnik is the federal cybersecurity authority. Established in 1991, it has progressively expanded its mandate through the 2015 IT Security Act, the 2021 IT Security Act 2.0, and the 2024 KRITIS-Dachgesetz.
The BSI’s current responsibilities:
- Federal government cybersecurity — protecting federal IT systems.
- National CERT capability — coordinating cyber incident response.
- KRITIS supervision — overseeing critical infrastructure operators.
- Certification and accreditation — including smart meter gateway certification, IT-Grundschutz, and the broader certification schemes.
- Threat intelligence and public guidance.
- Coordination with state authorities and international peers.
The BSI is more operationally prescriptive than equivalent agencies in some other countries — it issues specific technical guidance with substantial detail.
What KRITIS covers
The KRITIS framework identifies critical infrastructure sectors with specific thresholds:
- Energy (electricity, gas, oil, district heating)
- Water supply and wastewater
- Food and agriculture
- Health (hospitals, pharma, medical devices)
- Information and telecommunications
- Finance and insurance
- Transportation (aviation, rail, road, water, logistics)
- Government services (federal and state)
- Media and culture
- Waste disposal (added in 2024 NIS2 transposition)
- Manufacturing of “important products” (added in 2024)
- Space (added in 2024)
The thresholds — typically by capacity, customer count, or revenue — determine which specific entities are KRITIS-classified. The 2024 NIS2 expansion roughly doubled the number of in-scope entities.
The substantive obligations
KRITIS-classified operators have specific obligations:
1. Reporting — significant incidents must be reported to the BSI within 24 hours of detection (with progressive reporting updates within 72 hours and 1 month).
2. State-of-the-art controls — appropriate technical and organizational measures, with the “state of the art” obligation reviewed every 2 years.
3. Certification — IT-Grundschutz, ISO 27001, or a sector-specific equivalent (B3S, Branchenspezifische Sicherheitsstandards).
4. Audit and reporting — periodic audits with results submitted to BSI.
5. Information sharing — participation in the various sector-specific information sharing frameworks.
6. Vendor and supply-chain controls — with the 2024 update, specific obligations on supply-chain cybersecurity due diligence.
7. Personnel security — vetting and training requirements.
8. Specific technical controls — including the use of certified components for critical systems (the BSI’s CC and IT-Grundschutz certification).
NIS2 transposition specifics
The EU’s NIS2 directive, in operational stages from October 2024, required member-state transposition. Germany’s KRITIS-Dachgesetz (the umbrella law) plus updates to the BSI Act produced the German implementation. Key changes:
- Expanded coverage to more entities and more sectors.
- Tiered obligation structure distinguishing “essential” and “important” entities with different but still substantial obligations.
- Direct management accountability — board members and executives can be personally liable for non-compliance.
- Stricter incident reporting timelines.
- Cross-EU coordination through the EU NIS Cooperation Group and the EU CSIRTs Network.
The German implementation is at the more-prescriptive end of how member states have transposed NIS2.
The cybersecurity coordination architecture
Beyond the BSI, several other authorities have roles:
- The Bundeskriminalamt (BKA) and the state criminal police, for cybercrime investigation.
- The Cyber Crime Coordination Center (Z-CRiMI), for cross-state coordination.
- The Bundeswehr’s CIR (Cyber and Information Domain Service), for military cybersecurity.
- The Bundesnetzagentur, for telecommunications cybersecurity (with the BSI providing technical capability).
- The state-level CERT capabilities.
- Sector-specific CERTs — BSI for energy, finance, etc.
The coordination architecture has been described as overly complex; the BSI has been progressively positioned as the central coordinator.
What enterprise security teams should be doing
For an enterprise operating in Germany in 2026:
- KRITIS classification assessment — determine whether your entity is in scope and at which level.
- SOC and incident response capability that can meet the 24-hour BSI reporting deadline.
- Certification path — IT-Grundschutz, ISO 27001, or B3S sector-specific certification appropriate to your sector.
- Information sharing posture — participation in sector ISACs and CERT collaborations.
- Vendor and supply chain risk management — particularly important post-2024.
- Personnel security — vetting and training programs.
- Board-level cyber reporting — increasingly expected.
- Technical control implementation — appropriate to the sector and risk.
- Documentation maintenance — substantial paperwork is required.
- Tabletop exercises annually with a cross-functional team.
The interaction with GDPR and the AI Act
KRITIS cybersecurity obligations sit alongside GDPR (and the German implementation, with substantial DPA-related obligations covered in the German GDPR enforcement post) and the EU AI Act (covered here).
The intersections require integrated planning — a personal data breach in a KRITIS-regulated entity has both BSI reporting and GDPR breach notification requirements with different timelines and different content.
What’s coming in 2026 and 2027
Three things to watch:
- The expanded NIS2 enforcement ramping up through 2026 as the framework matures.
- Sector-specific guidance refinements from the BSI continue.
- Post-quantum cryptography migration — the BSI has been an early mover on PQC, with specific guidance for long-lived secrets.
Where pdpspectra fits
Our cybersecurity engineering and compliance work spans Germany and the broader EU. We work with KRITIS-regulated entities on compliance architecture, technical implementation, and the operational rails that make the compliance posture sustainable.
Related reading: the EU AI Act post, the India cybersecurity mandate stack post, and the UAE cybersecurity post.
German cybersecurity expectations are Europe’s most-prescriptive. Talk to our team about your KRITIS program.