Germany Enacts KRITIS Law to Fortify Critical Infrastructure Against Hybrid Threats
September 10, 2025
Germany has enacted the KRITIS law, effective immediately from September 10, 2025, to bolster the security of critical infrastructure amid rising threats from hybrid warfare, sabotage, and natural disasters.
This legislation, which covers sectors such as energy, water, transportation, and food, aims to improve resilience by setting security standards and requiring operators to assess risks, develop resilience plans, and report major incidents.
Operators are mandated to register their facilities, implement security measures like fences and cameras, and report incidents to a centralized platform managed by federal agencies, with non-compliance risking fines.
Fines for violations can reach up to 500,000 euros, though critics argue these penalties are insufficient to motivate significant investments in infrastructure resilience.
The law is part of broader efforts to align with EU cybersecurity directives, including the NIS2 directive, which is still subject to political debate and calls for improvements.
Critics, including opposition parties and industry groups, contend the law is too fragmented and does not fully unify physical and digital security standards or fully implement EU directives.
Experts suggest improvements such as pre-approving critical components before deployment instead of relying solely on trust lists for IT security.
The legislation emphasizes the importance of understanding sectoral interdependencies, like transport routes vital for food supply, to enhance overall resilience.
Supporters, including government officials, believe the law will improve resilience through standardized risk analysis and monitoring, but critics consider it 'toothless' due to low fines and exemptions for some government agencies.
Authorities have linked recent firebomb attacks on mail infrastructure in Germany and Poland to Russia, citing sabotage threats from Russia and cyberattacks from China, though Russia denies involvement.
Incidents like the burning of high-voltage pylons in Berlin, which caused power outages, highlight the urgent need for enhanced protective measures against attacks.
The legislation aims to bolster Germany's crisis resistance by setting minimum security standards and aligning with European directives like NIS2 for cyber protection.
Critical facility operators are required to implement physical security measures, create inventories of vulnerable infrastructure, and ensure compliance to prevent incidents and mitigate impacts.
Summary based on 9 sources
Sources

U.S. News & World Report • Sep 10, 2025
Germany Approves New Rules to Protect Critical Infrastructure
ST • Sep 10, 2025
Germany approves new rules to protect critical infrastructure
Global Banking And Finance Review • Sep 10, 2025
Germany approves new rules to protect critical infrastructure
MarketScreener • Sep 10, 2025
Germany approves new rules to protect critical infrastructure