Time to Read: 5 minutes
KRITIS Umbrella Act: Physical security documentation now mandatory
Ricarda Schmidt, Feb 16, 2026
On January 28, 2026, the German Bundestag passed the KRITIS Umbrella Act. Most coverage focuses on IT security and NIS-2. Less attention goes to the section most operationally critical for security service providers: the law now regulates physical security of critical infrastructures for the first time. Patrol rounds, access controls, incident reports – everything must now be documented. Time-stamped, complete, auditable.
Approximately 30,000 companies fall under expanded regulation. Executive boards face personal liability – with their private assets. Security service providers guarding KRITIS facilities face indirect pressure: their clients contractually pass documentation requirements downstream.
In summary: The KRITIS Umbrella Act demands auditable proof of physical security for the first time. Security providers without complete documentation risk losing KRITIS contracts – registration deadline with the BBK is July 17, 2026.
What the KRITIS Umbrella Act requires for physical security
The KRITIS Umbrella Act transposes the EU Directive on Critical Infrastructure Resilience (CER Directive) into German law. Core requirement: operators of critical infrastructure must not only secure their IT systems (regulated by NIS-2), but also organize and document physical security of their facilities to defined minimum standards.
Regulation applies to operators in energy, transport, health, water and wastewater, banking, digital infrastructure, and space sectors. The criticality threshold is supply to approximately 500,000 residents – a threshold the German Association of Cities has already criticized as too high because smaller utilities fall outside.
Specific obligations:
- Registration with BBK (Federal Office for Civil Protection and Disaster Assistance) by July 17, 2026
- Risk analysis every 4 years – comprehensive, documented, with resilience plan
- BSI audit every 3 years for physical security
- Incident reporting obligations: 24-hour initial notification, 72-hour detailed report, 1-month final report
- Personal liability of management with private assets – contractual waiver of liability claims is invalid
Violations risk fines of up to 10 million euros or 2 percent of global previous-year revenue for critical infrastructure operators (250+ employees or 50+ million euros revenue). For important infrastructure (50+ employees or 10+ million euros), fines reach 7 million euros or 1.4 percent.
Why security providers are affected despite not being KRITIS operators
Security service providers guard KRITIS facilities – energy suppliers, waterworks, hospitals, data centers – but are typically not KRITIS operators themselves. Operators face direct audit scrutiny. Still, regulation affects security services immediately.
The mechanism: KRITIS operators must prove their physical security works. They can only provide this proof if their security providers deliver the documentation. Those who cannot will be replaced by providers who can in the next tender cycle.
The Kleeberg analysis on NIS-2 implementation makes the supply-chain effect explicit: even non-regulated suppliers and service providers face contractual pressure from regulated clients. Those unable to provide auditable proof risk losing business relationships.
For a security firm guarding an energy supplier, this means concretely: at the next contract renewal, the client will ask how the provider documents patrol rounds, incidents, and key handovers. Not whether, but how.
What a KRITIS audit actually examines for physical security
The BSI audit process for physical security uses GAiN (Basic Requirements in Audit Procedures) and RUN (Maturity and Implementation Level Assessment). These aren't checklists to check off. They assess maturity levels on a scale of 1 to 5. KRITIS operators need at least maturity level 3: defined, documented processes with verifiable implementation.
For physical security, this means five concrete audit areas:
1. Patrol round evidence: Exactly when was which security officer at which checkpoint? Auditors expect time stamps and location verification – not "sometime between 2 and 3 a.m.", but: 02:17, checkpoint West Gate, GPS-verified.
2. Completeness: Were all defined checkpoints of a round completed? Are there gaps? How are skipped points documented and justified?
3. Incident documentation: The KRITIS Umbrella Act mandates a 24-hour initial reporting deadline. Auditors ask: how quickly was an incident recorded? Who was notified? Are photos available? Is the reporting chain traceable?
4. Data integrity: Are records tamper-proof? Can they be altered retrospectively? Auditors understand the weak points of manual systems.
5. Availability: Can the provider supply documentation for the last 12 months on demand? Immediately – not "we'll search for it and send it next week."

Where documentation fails for most providers
The five audit areas sound manageable. In practice, most security providers fail at documentation – not because they do poor work, but because their systems cannot produce the required proof.
Example: an auditor asks about the patrol round from January 14, night shift, waterworks facility south. With a paper duty log this means finding the right binder, deciphering handwriting, and having no independent location verification to offer. The time stamp was entered by the employee – that is not evidence, that is a claim.
Excel lists are barely better. Data is often entered after the fact, and the connection between patrol round, incident, and shift schedule is missing. Auditors see separate files without context – no unified audit trail.
Most critical are fragmented systems: duty log in one tool, shift schedule in another, GPS data somewhere separate, key handovers on paper. Auditors want one source showing everything in context. Five different folders don't constitute an audit trail.
The BSI maturity level system is unforgiving here: "we do this already, it's worked so far" equals maturity level 1. KRITIS operators need maturity level 3 – defined processes with verifiable, documented implementation.
How KRITIS-compliant documentation for physical security works
An online guard tour system (OWKS) provides exactly the documentation layer the KRITIS Umbrella Act requires for physical security. It connects patrol rounds, incidents, shift data, and key handovers in a single, auditable system.
Concretely, this means:
- Checkpoint scans via NFC or GPS – each scan is time-stamped, location-verified, instantly visible in the portal. Patrol round monitoring automatically shows whether all checkpoints were completed – the auditor sees: 02:17, checkpoint West Gate, employee XY.
- An automatic digital duty log that writes itself from scans, events, and shift data – no manual data entry, no gaps.
- Real-time incident reporting: record an incident, attach photos, describe via voice dictation – instantly in the portal. The 24-hour reporting deadline becomes operationally achievable.
- A client portal for KRITIS operators – energy suppliers, hospitals, waterworks see their documentation directly, no email required. This simplifies proof to the BBK.
- Immutable records after upload – this is the audit trail auditors expect.
COREDINATE exemplifies this type of security provider software. The point isn't the specific product: what matters is that an integrated system exists, consolidating all physical security documentation requirements into a single audit trail. Any provider guarding KRITIS facilities needs a system that delivers on demand with a click.
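To make the five audit areas above concrete (time-stamped scans, completeness against a defined checkpoint list, a documented reason for every skipped point, and records that cannot be altered retrospectively without detection), here is an added example of a hash-chained, append-only patrol log. It is illustrative code written for this article, not COREDINATE's implementation or any product's API; the round name, checkpoint names, officer ID, coordinates and time stamps are constructed sample data.

```python
import hashlib
import json

# Constructed sample data (not from the article): the checkpoints that make up
# one defined patrol round at a hypothetical waterworks site.
ROUND_CHECKPOINTS = {
    "waterworks-south-night": ["West Gate", "Pump Hall", "Chlorine Store", "East Fence"],
}

GENESIS = "0" * 64


def _digest(record: dict) -> str:
    """SHA-256 over the canonical JSON of a record, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class PatrolLog:
    """Append-only, hash-chained duty log.

    Each record stores the hash of its predecessor, so a retroactive edit to any
    earlier record (a changed time stamp, a deleted scan) breaks every later link.
    """

    def __init__(self):
        self.records = []

    def append(self, kind: str, **fields) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "kind": kind, "prev": prev, **fields}
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the whole chain; False if any record was altered or removed."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def completeness(self, round_id: str) -> dict:
        """Compare scans against the defined checkpoint list for a round.

        Returns the checkpoints scanned, those skipped with a documented reason,
        and those simply missing (the gap an auditor will ask about).
        """
        expected = ROUND_CHECKPOINTS[round_id]
        scanned = {r["checkpoint"] for r in self.records
                   if r["kind"] == "scan" and r["round"] == round_id}
        skipped = {r["checkpoint"]: r["reason"] for r in self.records
                   if r["kind"] == "skip" and r["round"] == round_id}
        missing = [c for c in expected if c not in scanned and c not in skipped]
        return {"scanned": sorted(scanned), "skipped": skipped, "missing": missing}


def build_sample_log() -> PatrolLog:
    """Constructed night-shift round: three NFC scans, one justified skip, one incident."""
    log = PatrolLog()
    rid = "waterworks-south-night"
    # In a real OWKS the server, not the officer's handset, would assign time and
    # position; here the values are constructed inline so the example runs offline.
    log.append("scan", round=rid, checkpoint="West Gate", officer="officer-17",
               ts="2026-01-14T02:17:00Z", lat=49.53, lon=10.24, source="nfc")
    log.append("scan", round=rid, checkpoint="Pump Hall", officer="officer-17",
               ts="2026-01-14T02:31:00Z", lat=49.531, lon=10.242, source="nfc")
    log.append("skip", round=rid, checkpoint="Chlorine Store", officer="officer-17",
               ts="2026-01-14T02:40:00Z", reason="door alarm active, area locked down")
    log.append("incident", round=rid, officer="officer-17", ts="2026-01-14T02:41:00Z",
               text="chlorine store door alarm, control room notified", photos=2)
    log.append("scan", round=rid, checkpoint="East Fence", officer="officer-17",
               ts="2026-01-14T02:55:00Z", lat=49.529, lon=10.246, source="nfc")
    return log


def tamper_demo() -> bool:
    """Edit a time stamp after the fact; the chain check must now fail."""
    log = build_sample_log()
    log.records[1]["ts"] = "2026-01-14T02:25:00Z"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print(log.completeness("waterworks-south-night"))
    print("chain intact after retroactive edit:", tamper_demo())
```

The chain only proves that nothing was changed after a record was written; it says nothing about whether the time stamp was honest when it was written. That is why the server side of an OWKS, not the handset, should assign the time and why NFC or GPS position data is attached to every scan. Anchoring the latest chain hash somewhere the provider cannot rewrite (a periodic export to the client portal, for instance) closes the remaining gap.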
"I have secure documentation, and through GPS I know where my colleague is. With the man-down alarm, my colleague also feels secure – I know not only their location, but also their condition in an emergency."
Volker Frisse, Protection One GmbH
Frequently asked questions about the KRITIS Umbrella Act and physical security
What does the KRITIS Umbrella Act require for physical security?
The KRITIS Umbrella Act defines nationwide minimum requirements for physical security of critical infrastructure for the first time. Operators in sectors like energy, water, transport, and health must conduct risk analyses, create resilience plans, and document physical security auditably. BBK registration is mandatory by July 17, 2026; BSI audits occur every three years.
Must security service providers pass a KRITIS audit themselves?
KRITIS operators face direct audit scrutiny, not service providers. However: operators contractually pass documentation requirements to their security providers. Those unable to provide audit-ready documentation – time-stamped patrol records, incident reports with photo evidence, tamper-proof data – risk losing contracts in the next tender cycle.
What penalties apply for KRITIS violations?
Critical infrastructure operators (250+ employees or 50+ million euros revenue) face fines up to 10 million euros or 2 percent of global previous-year revenue. Important infrastructure (50+ employees or 10+ million euros) faces fines up to 7 million euros or 1.4 percent. Management faces personal liability with private assets – contractual waiver of liability is invalid.
Related articles
- Server location Germany: Why GDPR-compliant data matters for KRITIS
- Facility security tasks: What physical security includes
- Winning tenders: How to convince KRITIS operators
- Lünendonk Study 2025: Security industry grows and digitizes
- Bundeswehr security: 666 million EUR for private security providers
Is your documentation audit-ready for KRITIS?
Test whether your patrol round and incident documentation meets the new requirements.
Try free for 14 days →
Or call us: +49 (0) 9842 80491-20
You are not yet using the COREDINATE® guard control system? Then it's time to put our test set through its paces for 14 days free of charge and without obligation.