On September 10, 2025, the German federal government published a comprehensive proposal to strengthen the physical resilience of the nation’s critical infrastructure. The proposal would transpose Directive (EU) 2022/2557 on the resilience of critical entities into national law. On November 3, 2025, the proposed act was submitted to the German Bundestag (Parliament), which referred it to the Bundesrat, a second legislative body through which the 16 German states participate in the legislative process. The Bundesrat discussed the proposal on November 21, 2025. While it agreed with the draft in general, the Bundesrat also proposed some amendments. (Bundesrat-Drucksache (BR-Drs.) 558/25.)
Scope of the Proposal
The aim of the proposed act—called the Umbrella Act for Critical Infrastructure Protection, or KRITIS-Dachgesetz (KRITIS-DachG)—is to establish uniform rules and procedures for critical infrastructure in 11 different sectors: 1) energy, 2) transportation and traffic, 3) finance, 4) social security benefits and basic income support for job seekers, 5) health, 6) water, 7) nutrition, 8) computer science and telecommunication, 9) outer space, 10) municipal waste disposal, and 11) federal administration, excluding the Federal Ministries of Foreign Affairs and Defense. (KRITIS-DachG, § 4, para. 1, § 7.) Additionally, the Bundesrat proposed to define sectors of critical infrastructure more precisely, while also adding media and culture as a 12th sector. (BR-Drs. 558/25, 11-14.)
Under the proposal, an entity would be deemed to supply a critical service if it contributes to the public’s supply of the service in such a way that its failure or impairment would lead to a shortage or a hazard to public security. (§ 2, no. 4.) The governmental proposal entails the presumption that entities supplying such services to more than 500,000 citizens would be defined as supplying critical services (§ 5, para. 2, sentence 2), whereas the Bundesrat proposed to lower this threshold to 150,000 citizens. With this amendment, the Bundesrat emphasized that the assessment of a critical service should focus on process-oriented criteria rather than this quantitative criterion. (BR-Drs. 558/25, 15-16.)
Operators of critical infrastructure would be obligated to ensure their resilience. (§ 13.) The proposal’s definition of resilience encompasses an entity’s ability to prevent incidents, protect itself, ward off acute incidents, react appropriately, limit consequences, and recover from incidents. (§ 2, para. 5.) To improve resiliency, entities could strengthen site security, emergency power supplies, access controls, and employee training, among other measures. (§ 13, para. 3.) The Bundesrat also proposed that the right to defend a private entity from drones should be assessed in the following legislative process. (BR-Drs. 558/25, 25, 26.)
The proposed act would impose several other obligations on critical entities. They would have to register with the Federal Office of Civil Protection and Disaster Assistance. (§ 8, para. 1.) They would also be required to draw up a risk analysis and an individual plan of resilience. (§§ 12, 13.) The competent authority would be authorized to review their compliance and demand proof of the measures taken under an individual plan. (§ 16, para. 1.) Additionally, entities would be obligated to notify the competent authority of incidents within the entities. (§ 18.)
The proposed act would make CEOs of entities that supply critical infrastructure liable to their institutions for damage caused by their negligence, regardless of the legal structure of the entity and corporate law. (§ 20.) Lastly, it would impose a fine of up to €500,000 (about US$575,000) on the entities for violating any of its obligations. (§ 24.)
Need for a Cross-Sector Regulation Encompassing All Hazards
The EU Directive 2022/2557, which the bill implements, addresses the growing interdependencies between critical infrastructure, rising threats of terrorism, and hazards stemming from climate change. (Directive (EU) 2022/2557, recital 3.) Likewise, German Federal Minister of the Interior Alexander Dobrindt stated that “[w]ith the umbrella act for critical infrastructure protection, we are making Germany more resilient to crises and attacks. To this end, we are introducing uniform minimum standards, risk analyses and incident monitoring mechanisms.”
While Germany already uniformly regulates the cybersecurity of critical infrastructure across all sectors through the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG), it does not yet regulate the physical protection of critical infrastructure. This proposal would set up such a legal framework. The proposal is also supposed to complement the Federal Office for Information Security Act, as well as EU legislation on cybersecurity of critical infrastructure, in particular, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU and Regulation (EU) 2022/2554 (DORA Regulation).
EU Infringement Procedure
Article 26 of EU Directive 2022/2257 set October 17, 2024, as the deadline for member nations to transpose the directive into national law. Germany failed to meet this deadline. In November 2024, the European Commission sent a letter of formal notice to Germany starting an infringement procedure under EU law. The European Commission gave Germany an additional two months to comply. Germany again failed to meet the deadline. Hence, the European Commission further pursued infringement proceedings by issuing a reasoned opinion. If Germany does not take the necessary measures to adopt the directive, the European Commission could refer the case to the Court of Justice of the European Union with a request to impose financial sanctions. By adopting the proposed act, Germany could avoid these financial sanctions by the EU.
Next Steps
For a law to be adopted in Germany, a governmental proposal must be introduced and adopted in the Bundestag. Additionally, the Bundesrat (Federal Council) must approve the proposal, subject to exceptions enumerated in the Basic Law. It enters into force once it has been signed by the federal president and published in the Federal Law Gazette. (Basic Law, art. 82, para. 1.)
In December 2024, the German Parliament conducted a first reading of an almost identical proposal. However, it could not be adopted because early parliamentary elections were held in early 2025, following a failed vote of confidence of former Chancellor Olaf Scholz and the formation of a new Parliament. The timeframe for the final adoption of this newly proposed act remains unclear, even though there is widespread agreement that the resilience of critical infrastructure is an urgent matter. (Parliamentary Protocol 20/203, 26270-26279.)
Prepared by Kim Marie Eberhardt, Law Library Intern, under the supervision of Jenny Gesley, Foreign Law Specialist
Law Library of Congress, November 28, 2025
Read more Global Legal Monitor articles.
Read Law Library reports on Germany.