NIS2 Implementation Act and KRITIS Umbrella Act: What Companies Must Now Implement in Concrete Terms

New Regulatory Tightening for Greater Resilience, Security, and Crisis Preparedness

With the KRITIS Umbrella Act and the NIS2 Implementation Act, two laws were passed at the turn of the year that, for the first time, establish nationwide, cross-sector minimum standards for the physical protection of critical infrastructures and create a stable framework for information and network security.

The KRITIS legislation and NIS2 require demonstrable IT and resilience security. They significantly increase audit and documentation pressure and, for the first time, clearly shift liability to company management.

For companies, these new regulatory tightenings mean they can no longer postpone action. They must now create structures, adapt processes, and clarify responsibilities. But what exactly does this mean for your company? What needs to be done?

Key points at a glance

What Is NIS2?
The NIS2 Implementation Act transposes the EU directive of the same name into German law. It obliges significantly more companies to implement risk management, technical security measures, and rapid reporting of cyber incidents. New elements include stricter supervision, clear governance requirements, substantial fines, and the personal responsibility of management in the event of violations.

NIS2 Implementation Act and KRITIS Umbrella Act: Two Frameworks – One Shared Goal

The KRITIS Umbrella Act and NIS2 essentially pursue the same goal: increasing the resilience of critical and security-relevant organizations.

What They Have in Common:

• A risk-based approach: Companies must systematically analyze threats.
• The obligation to implement protective measures: Technical, organizational, and transparently documented.
• Incident reporting obligations: Rapid response is crucial.
• Supply chains are now also in focus: Risks do not end at the company gate.
• Management responsibility: Security is no longer purely an IT matter.

In short: both frameworks require structured security instead of isolated measures.
However, they differ in their focus areas.

The KRITIS Umbrella Act no longer focuses solely on individual IT systems but rather on structures for comprehensive, company-wide resilience. This includes physical site security, protection of critical processes, effective emergency and crisis management, and organizational preparedness measures.

The law affects the backbone of society — companies and institutions in sectors such as energy, water, healthcare, food supply, IT and telecommunications, as well as transport and logistics. The key question is: How can operations remain functional under all circumstances?

NIS2, on the other hand, focuses on IT and information security. New elements include clearly defined minimum standards, stricter reporting obligations, personal management accountability, and substantial penalties for violations — even for non-KRITIS companies.

This massively expands the previous scope. In the future, significantly more medium-sized and large companies will fall under stricter cybersecurity requirements, even if they “only” play a critical role in supply chains.

Put simply:

The KRITIS Umbrella Act and NIS2 are not alternatives — they complement one another. While the KRITIS Umbrella Act establishes the framework for physical and organizational resilience, NIS2 defines specific requirements for cyber and information security.

Companies should therefore not view these frameworks separately, but rather as interconnected.

Successful organizations are those that think holistically about resilience (KRITIS), implement cybersecurity systematically (NIS2), and combine both in an integrated security concept. In reality, an IT outage is always an operational risk — and vice versa.

Far more companies fall under these legal requirements than expected — often indirectly. Many organizations realize too late that they are affected.

Directly Affected Organizations:

• Operators of critical infrastructures (e.g., energy, water, healthcare, transport)
• Medium-sized and large companies in defined sectors (NIS2)
• IT and cloud service providers
• Managed service providers and data center operators

Indirectly Affected Organizations:

• Suppliers and service providers of KRITIS companies
• Software vendors with high market relevance
• Industrial companies with critical production roles
• Logistics and transportation companies

What matters is not only the industry sector, but also the organization’s significance for supply, the economy, or digital infrastructure.

Why Many Companies Still Underestimate This:

• Typical misconceptions (“We are not a KRITIS company,” underestimating company size, etc.)
• Ignoring supply chains: Even companies not directly regulated may become indirectly obligated through customers or partners.
• Focusing only on IT: The KRITIS Umbrella Act aims at holistic operational resilience, including physical security and organizational preparedness.
• “This is still in the future”: Both laws have already been passed and are legally binding, including sanctions.

In short: Any company relevant to the functioning of the economy or society should proactively assess whether it is affected — not wait for inquiries from supervisory authorities.

Why Identity & Access Management Is Central to NIS2 Compliance

Identity & Access Management (IAM) is not just one building block — it is one of the central prerequisites for NIS2 compliance.

Why? Because a large portion of NIS2 requirements directly relate to access control, traceability, and risk minimization.

IAM Provides

• Access control as a core requirement: NIS2 requires that only authorized persons have access to systems and data. An integrated IAM ensures role-based, traceable access according to the least-privilege principle.
• Protection against the most common attack vectors: Many successful attacks are based on compromised accounts and excessive permissions. IAM reduces these risks through multi-factor authentication (MFA), strong authentication, and regular permission reviews.
• Auditability for authorities and audits: NIS2 requires verifiable measures. IAM delivers logs, authorization concepts, and audit trails.
• Fast response during incidents: IAM enables immediate account blocking, withdrawal of access rights, and isolation of compromised identities.
• Control over external access: NIS2 also covers supply chains and service providers. IAM regulates external partner access, time-limited permissions, and secure remote access.

Conclusion: IAM forms the foundation for nearly all NIS2 requirements. It combines security, compliance, and operational continuity. Without functioning IAM, access control, auditability, and incident response cannot be effectively implemented.

With over 25 years of experience, we are the ideal partner for businesses seeking reliable and innovative solutions in the field of Identity & Access Management (IAM). We would also be happy to advise you on which IAM tools would be suitable for your business. Book your free consultation now.

How OEDIV SecuSys Supports Implementation

As a vendor-independent cybersecurity and IAM specialist, OEDIV SecuSys provides practical and pragmatic support. The company sees itself as a long-term partner operating on equal footing with clients. Its focus lies on consulting, implementation, and long-term operations in complex IT landscapes.

Companies are encouraged to arrange a strategy consultation and register for the webinar on NIS2-compliant supply chain monitoring on June 10, 2026, featuring practical examples and concrete solutions for supply chain security.

KRITIS Umbrella Act and NIS2: Act Now!

The implementation of these standards into German law demonstrates that resilience and cybersecurity are no longer future topics but urgent management responsibilities.

Companies that now analyze systematically, implement pragmatically, and clearly define responsibilities will not only achieve regulatory security but also sustainably strengthen their own stability.

Together with a strong partner network, OEDIV SecuSys supports organizations of all sizes and structures in implementing the requirements of the KRITIS Umbrella Act and the NIS2 Implementation Act in a practical, verifiable, and future-proof manner — from initial analysis to a robust holistic security concept and successful implementation of measures.

Arrange your strategy consultation today!