The bottom line: The revised KRITIS Ordinance expands scope and thresholds while harmonizing German with European cybersecurity requirements.
Germany is clarifying the requirements for critical infrastructures through a revised KRITIS Ordinance. The new regulation specifies thresholds, expands the scope of application, and harmonizes German regulations with European standards such as the NIS2 Directive.
The amended KRITIS Ordinance brings three essential changes: an expansion of the scope to additional sectors and infrastructures, specified thresholds for determining criticality, and stronger alignment with European cybersecurity and resilience requirements. These adjustments are intended to ensure that the German regulatory framework remains consistent with international standards.
For compliance officers, this concretely means: organizations must review whether they fall under the new or stricter thresholds and are thus newly classified as KRITIS operators. This entails increased demands on IT security, notification obligations, and governance. Typically affected are energy, water, transport, health, and communications sectors, but also digital infrastructures.
Harmonization with European requirements, in particular the NIS2 Directive, reduces fragmented compliance obligations and provides clarity on cross-sectoral standards. Organizations should review their KRITIS classification, assess existing security measures, and adapt implementation plans as necessary.
Source: news.google.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.