On January 28, 2026, the German Bundestag passed the KRITIS Umbrella Act. Most coverage focuses on IT security and NIS-2. Less attention goes to the section most operationally critical for security service providers: the law now regulates physical security of critical infrastructures for the first time. Patrol rounds, access controls, incident reports – everything must now be documented. Time-stamped, complete, auditable.
Approximately 30,000 companies fall under expanded regulation. Executive boards face personal liability – with their private assets. Security service providers guarding KRITIS facilities face indirect pressure: their clients contractually pass documentation requirements downstream.
In summary: The KRITIS Umbrella Act demands auditable proof of physical security for the first time. Security providers without complete documentation risk losing KRITIS contracts – registration deadline with the BBK is July 17, 2026.
The KRITIS Umbrella Act transposes the EU Directive on Critical Infrastructure Resilience (CER Directive) into German law. Core requirement: operators of critical infrastructure must not only secure their IT systems (regulated by NIS-2), but also organize and document physical security of their facilities to defined minimum standards.
The regulation applies to operators in the energy, transport, health, water and wastewater, banking, digital infrastructure, and space sectors. The criticality threshold is supply to approximately 500,000 residents – a threshold the German Association of Cities has already criticized as too high because smaller utilities fall outside it.
Specific obligations:
Violations risk fines of up to 10 million euros or 2 percent of global previous-year revenue for critical infrastructure operators (250+ employees or 50+ million euros revenue). For important infrastructure (50+ employees or 10+ million euros), fines reach 7 million euros or 1.4 percent.
Security service providers guard KRITIS facilities – energy suppliers, waterworks, hospitals, data centers – but are typically not KRITIS operators themselves. Operators face direct audit scrutiny. Still, the regulation affects security service providers immediately.
The mechanism: KRITIS operators must prove their physical security works. They can only provide this proof if their security providers deliver the documentation. Those who cannot will be replaced by providers who can in the next tender cycle.
The Kleeberg analysis on NIS-2 implementation makes the supply-chain effect explicit: even non-regulated suppliers and service providers face contractual pressure from regulated clients. Those unable to provide auditable proof risk losing business relationships.
For a security firm guarding an energy supplier, this means concretely: at the next contract renewal, the client will ask how the provider documents patrol rounds, incidents, and key handovers. Not whether, but how.
The BSI audit process for physical security uses GAiN (Basic Requirements in Audit Procedures) and RUN (Maturity and Implementation Level Assessment). These aren't checklists to check off. They assess maturity levels on a scale of 1 to 5. KRITIS operators need at least maturity level 3: defined, documented processes with verifiable implementation.
For physical security, this means five concrete audit areas:
1. Patrol round evidence: Exactly when was which security officer at which checkpoint? Auditors expect time stamps and location verification – not "sometime between 2 and 3 a.m.", but: 02:17, checkpoint West Gate, GPS-verified.
2. Completeness: Were all defined checkpoints of a round completed? Are there gaps? How are skipped points documented and justified?
3. Incident documentation: The KRITIS Umbrella Act mandates a 24-hour initial reporting deadline. Auditors ask: how quickly was an incident recorded? Who was notified? Are photos available? Is the reporting chain traceable?
4. Data integrity: Are records tamper-proof? Can they be altered retrospectively? Auditors understand the weak points of manual systems.
5. Availability: Can the provider supply documentation for the last 12 months on demand? Immediately – not "we'll search for it and send it next week."
The five audit areas sound manageable. In practice, most security providers fail at documentation – not because they do poor work, but because their systems cannot produce the required proof.
Example: an auditor asks about the patrol round from January 14, night shift, waterworks facility south. With a paper duty log, that means finding the right binder and deciphering handwriting, and there is still no independent location verification. The time stamp was entered by the employee – that's not evidence, that's a claim.
Excel lists are barely better. Data is often entered afterwards. The connection between patrol round, incident, and shift schedule is missing. Auditors see separate files without context – no unified audit trail.
Most critical are fragmented systems: duty log in one tool, shift schedule in another, GPS data somewhere separate, key handovers on paper. Auditors want one source showing everything in context. Five different folders don't constitute an audit trail.
The BSI maturity level system is unforgiving here: "we do this already, it's worked so far" equals maturity level 1. KRITIS operators need maturity level 3 – defined processes with verifiable, documented implementation.
An online guard tour system (OWKS) provides exactly the documentation layer the KRITIS Umbrella Act requires for physical security. It connects patrol rounds, incidents, shift data, and key handovers in a single, auditable system.
Concretely, this means:
COREDINATE exemplifies this type of security provider software. The point isn't the specific product: what matters is that an integrated system exists, consolidating all physical security documentation requirements into a single audit trail. Any provider guarding KRITIS facilities needs a system that delivers on demand with a click.
"I have secure documentation, and through GPS I know where my colleague is. With the man-down alarm, my colleague also feels secure – I know not only their location, but also their condition in an emergency."
Volker Frisse, Protection One GmbH
The KRITIS Umbrella Act defines nationwide minimum requirements for physical security of critical infrastructure for the first time. Operators in sectors like energy, water, transport, and health must conduct risk analyses, create resilience plans, and document physical security auditably. BBK registration is mandatory by July 17, 2026; BSI audits occur every three years.
KRITIS operators face direct audit scrutiny, not service providers. However: operators contractually pass documentation requirements to their security providers. Those unable to provide audit-ready documentation – time-stamped patrol records, incident reports with photo evidence, tamper-proof data – risk losing contracts in the next tender cycle.
Critical infrastructure operators (250+ employees or 50+ million euros revenue) face fines up to 10 million euros or 2 percent of global previous-year revenue. Important infrastructure (50+ employees or 10+ million euros) faces fines up to 7 million euros or 1.4 percent. Management faces personal liability with private assets – contractual waiver of liability is invalid.
Test whether your patrol round and incident documentation meets the new requirements.
Try free for 14 days → Or call us: +49 (0) 9842 80491-20