What Companies Must Implement Now
New regulatory tightening for greater resilience, security, and crisis preparedness
After several years of delay, the time finally came on January 29, 2026. The German Bundestag passed the KRITIS Umbrella Act, establishing for the first time nationwide, cross-sector minimum standards for the physical protection of critical infrastructures. The goal is to strengthen their resilience against a wide range of serious threats and thereby ensure the continuity of essential services, even in times of crisis or disruption.
Only a few weeks earlier, on December 6, 2025, the EU’s NIS2 Directive had been transposed into national law. The NIS2 Implementation Act, adopted on November 13, 2025, creates a stable legal framework for information and network security.
For companies, these new regulatory requirements mean not acting “someday,” but establishing concrete structures, adapting processes, and clarifying responsibilities now. But what exactly needs to be done?

KRITIS Umbrella Act and NIS2: Two Frameworks – One Common Goal
The recently adopted KRITIS Umbrella Act goes beyond focusing solely on IT systems. It emphasizes company-wide resilience, encompassing physical site security, protection of critical processes, effective emergency and crisis management, and organizational preparedness measures.
It applies to the backbone of our society — companies and institutions in the energy, water, healthcare, food, IT and telecommunications, transport, and logistics sectors.
NIS2, meanwhile, significantly broadens the scope of application. Many more medium-sized and large companies will now fall under the stricter cybersecurity requirements — even if they only play a critical role within supply chains. The key changes include clearly defined minimum standards, stricter reporting obligations, personal accountability for management, and substantial penalties for non-compliance.

Who Should Pay Attention Now?
Many companies will only realize late that they are affected. In practice, the regulations apply not only to IT and cloud service providers, managed service providers, data center operators, and software vendors with major market relevance, but also to industrial enterprises with a critical production role and to logistics and transport companies.
In short: anyone essential to the functioning of the economy or society should proactively assess their exposure — not wait for an inquiry from supervisory authorities.
What Companies Must Implement Now
1. Establish a holistic risk analysis
Both the KRITIS Umbrella Act and NIS2 require a systematic risk analysis — and not just at the IT level. This includes:
- Identification of critical business processes
- Assessment of cyber, physical, and organizational risks
- Analysis of dependencies (e.g., service providers, energy supply, supply chains)
Note: The risk analysis is not a one-off project but an ongoing process.
2. Implement security measures in a verifiable way
Companies must introduce appropriate technical and organizational measures — and be able to prove them. These include:
- Network security and segmentation
- Access controls and identity management
- Patch and vulnerability management
- Backup and recovery concepts
- Physical protection of critical facilities
Essentially, it’s not only about implementation, but about verifiable documentation.
3. Prepare incident response and reporting processes
NIS2 significantly tightens reporting obligations:
- Early warning notification within 24 hours
- Detailed reports within a few days
- Traceable root-cause and mitigation analyses
To achieve this, companies need a robust incident response concept, clearly defined roles and escalation paths, and regularly tested procedures (e.g., tabletop exercises).
4. Make cybersecurity a management responsibility
One of the most significant changes: company leadership now bears implementation responsibility — personally.
In practice, this means cybersecurity must become a board-level agenda item, with regular reporting, decision-making structures, and targeted training for executives. “Delegate and forget” is no longer an option.
5. Secure supply chains and service providers
Both frameworks require looking beyond the company’s boundaries. This includes defining security requirements for service providers, setting contractual obligations and proof of compliance, and regularly assessing critical partners. IT service providers, in particular, are coming under increasing regulatory scrutiny.
Common mistakes companies should now avoid:
- Underestimating their exposure
- Focusing only on IT instead of holistic resilience
- Implementing measures without proper documentation
- Failing to involve executive management
- Neglecting to test emergency procedures
These weaknesses will become apparent at the latest during audits or security incidents — often with severe consequences.
Conclusion: Adopted Means Binding – Act Structurally Now
The transposition of these regulatory frameworks into German law makes it clear: resilience and cybersecurity are no longer topics for the future but urgent management responsibilities.
Companies that now act in a structured way — analyzing thoroughly, implementing pragmatically, and defining responsibilities clearly — will not only achieve regulatory compliance but also sustainably strengthen their own stability.
Together with our strong partner network, we support organizations of all sizes and structures in implementing the requirements of the KRITIS Umbrella Act and the NIS2 Implementation Act in a practical, verifiable, and future-proof manner — from the initial analysis to a robust, holistic security concept and successful implementation of measures.
Contact:
Waldemar Ahrend-Reimche
CEO,
OEDIV SecuSys GmbH, Rostock
Patrick Piotrowski
Senior Business Consultant IAM
and Sales Representative,
OEDIV SecuSys GmbH, Rostock