Resilience compliance as a board-level duty: mandatory counter-sabotage and business continuity measures

Companies outside the traditional defence and security industries are increasingly being required to contribute to Germany’s overall resilience in the face of threats to national security. In future, boards of companies without integrated resilience compliance will risk broad liability and tough fines of up to 2% of aggregate turnover.

Companies and management will need to structurally adjust to new and far-reaching compliance requirements to avoid potential penalties. The scope of the new legal regime goes beyond the energy, transport, IT/telecommunications, finance and healthcare sectors to include companies in manufacturing and other areas relevant to public needs. Putting robust compliance structures in place reduces D&O liability and boosts company competitiveness by meshing new regulatory requirements on resilience (network and information security, critical infrastructure and personnel screening) with operational resilience (business continuity management, emergency and crisis management). Resilience compliance protects companies against the consequences of miscalculation and ensures they remain able to act in the face of hybrid threats.

The announced amendment of the NIS 2 Directive and the Commission’s new proposal for a revised Cybersecurity Act (CSA2) (see our article) form a cybersecurity package that fits into the evolving regulatory framework of resilience compliance.

Interdisciplinary resilience compliance

In Germany as elsewhere, threats to critical infrastructure from sabotage have increased since the start of the war in Ukraine, targeting energy and transport infrastructure such as the rail network. A recent attack on the Berlin power grid, cutting electricity and heating to 50,000 households and 2,000 businesses, highlighted the vulnerability of key infrastructure and the impact of such attacks. Conventional forms of sabotage have been joined by hybrid threats from drones, used to both disrupt and spy on airports and other critical infrastructure. Between January and March 2025 alone, the Federal Criminal Police Office (Bundeskriminalamt) registered over 500 flights over military bases and critical infrastructure by drones. These incidents highlight the urgent need to strengthen the resilience of the country’s civilian infrastructure. They also raise the question of what measures private operators can and must take to protect such infrastructure, given that statutory requirements have recently been tightened.

The Federal Government has launched three key pieces of legislation to improve the protection of infrastructure across all areas relevant to security in Germany. The new statutory resilience requirements apply to many companies, impacting some of them for the first time. The crucial point about these new laws is that they act in tandem to create a new legal regime covering various aspects of security in companies.

  • KRITIS-Dachgesetz (KRITIS-DachG, resolution of the Bundestag, printed paper 21/3906, not yet in force):
    • Protection of physical facilities and infrastructure (e.g. power plants, grids, transport assets)
    • Key content: New compliance requirements. Not only companies but also management are obliged to take physical and organisational measures to improve resilience.
  • Act implementing the NIS 2 Directive and regulating the Key Features of Information Security Management in the Federal Administration (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, “NIS2UmsuCG”, Federal Law Gazette I 2025, no. 301, 5 December 2025, in force since 6 December 2025):
    • IT and cybersecurity of companies’ entire digital systems and processes
    • Key content: Far wider applicability of the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, “BSIG”) than previously. Effectively a “KRITIS light”, the BSIG will place compliance obligations on approx. 29,500 companies in future (rather than 4,500 to date).
  • An update of the Security Screening Act (Sicherheitsüberprüfungsgesetz, “SÜG (new version)”, Federal Law Gazette I 2026 no. 6, 15 January 2026, in force since 16 January 2026): 
    • Vetting of staff in sensitive roles
    • Key content: Security screening to be extended, reporting obligation to be introduced.

Resilience compliance: company obligations

The new package of laws is designed to consolidate and integrate current resilience requirements for companies, putting compliance obligations on a new footing to ensure seamless security for critical infrastructure. Companies within the package’s scope will need to incorporate new digital, physical and staffing security requirements in their existing systems. These new obligations are more complex and entail high liability risks. Companies that fail to meet them in full can expect severe penalties, and management could face personal liability, even for merely formal infringements of reporting or registration requirements. Depending on the applicable liability regime, administrative fines could be as high as EUR 10 million or a percentage of company turnover.

What follows is an overview of future resilience obligations, the companies they apply to, and key risks with practical significance.

Key resilience requirements 

The new statutory regime will place binding resilience requirements on companies that fall within its scope, in some cases for the first time. The goal is to improve protection of critical infrastructure against the growing number of hybrid threats such as cyberattacks, sabotage or espionage. The new rules have considerable practical relevance. Surveys reveal that a mere 17% of German companies consider themselves fit to face cyberattacks, so a detailed look at these future obligations is in order. They fall into three areas: physical resilience, cybersecurity, and protection against sabotage by inside agents.

I. Physical resilience and counter-sabotage

The most wide-ranging physical resilience requirements impact operators of critical facilities, who are now obliged to secure their facilities systematically against physical disruption, acts of sabotage, and other security incidents. The relevant obligations include both material and formal requirements: 

1. Risk assessment and management

Regular, comprehensive and obligatory risk management is at the heart of the new requirements.

  • Operators must perform a comprehensive risk assessment every four years as a minimum, and more frequently than that if needs be. The risk assessment must cover natural, technical and anthropogenic risks including hybrid threats and terrorism (section 12(1) KRITIS-DachG).
  • Suitable technical, security and organisational measures will need to be taken on this basis to prevent incidents and ensure that facilities are protected physically.
  • The measures must be documented in a structured resilience plan that sets out the underlying considerations. Cybersecurity measures under the NIS2UmsuCG will also apply, not least the obligation to use intrusion detection systems.

2. Verification and reporting obligations

The requirements already in place are now backed up by wide-ranging verification and reporting obligations.

  • Operators of critical facilities must be able to prove at all times that they are compliant with resilience obligations and must provide public authorities with a resilience plan on request (section 16(2) KRITIS-DachG). Compliance is regularly verified by audits whose results must be sent to the competent authority, including any deficiencies found.
  • Security incidents must be reported without undue delay, and within 24 hours of becoming known, to the joint reporting point run by Germany’s Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, “BBK”) and Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) (section 18(1) KRITIS-DachG). A detailed incident report must also be filed within one month.
  • It can be assumed that unauthorised flights by drones over critical infrastructure constitute security incidents and that operators must report them to the BBK and BSI’s joint reporting point. 

3. Registration obligations

Operators of critical facilities are obliged to register with the BBK and BSI’s joint platform (section 8(1) KRITIS-DachG).

In addition to basic information such as the entity’s name, legal form, address and a point of contact (available 24/7 to deal with BSIG measures), operators must also provide details about the facility, including the critical service it performs, the category of facility it belongs to, service and supply metrics, and where the facility is located.

4. Note on countering unauthorised drone flights as part of resilience compliance

Physical resilience risks for critical infrastructure (section 11 KRITIS-DachG) include unauthorised drone flights for spying purposes or to deliberately disrupt the operations of a facility.

Although the KRITIS-DachG does not explicitly provide for civil defence against drones by facility operators, a potential future scenario is that critical infrastructure operators will be required under section 13(1) KRITIS-DachG to take drone defence measures.

In this case, operators may be required to complement public drone defence and strengthen resilience by instituting structural and technical protection measures and/or using drone detection systems. The Bundesrat had previously asked the Bundestag to consider an explicit provision on the detection, reporting and countering of drones by operators of critical facilities (Bundesrat document 558/25 (B), 21 November 2025, p. 25 et seq.), but the Bundestag declined to include such a provision in section 13(1) KRITIS-DachG. So the question of whether structural and/or technical protection measures or drone detectors are mandatory remains to be addressed in ordinances yet to be issued by the Federal Government (section 14(1) KRITIS-DachG).

II. Cybersecurity and digital resilience

The second pillar of the new resilience architecture is the set of wide-ranging cybersecurity requirements under the NIS2UmsuCG, which will primarily impact the operators of essential or important entities. The following obligations are especially relevant:

1. Risk assessment and management

Broad risk management measures are the centrepiece of the new rules (section 30 BSIG (new version)). Operators must take appropriate, proportionate and effective measures to ensure the availability, integrity and confidentiality of their IT systems and processes at all times.

  • As a minimum, operators must develop concepts for risk assessment and security incident management. Note in particular that operators of essential or important entities, as part of their risk management, must also take measures to ensure the security of their supply chain. In the Federal Government’s view, contractual agreements on relevant cybersecurity requirements need to be made with suppliers and service providers, for instance.
  • So the risk management requirements apply not only directly to the operators of essential or important entities but also indirectly to the entire critical supply chain. 

2. Verification and reporting obligations

  • Operators must document their risk management measures on an ongoing basis (section 30(1), sentence 3 BSIG (new version)). The BSI can request this proof without advance notice, so companies need a reliable documentation structure that can be supplied to a public authority at any time.
  • In addition, security incidents must be reported to the BBK and BSI’s joint reporting point without undue delay and within 24 hours of becoming known. Within a month of the incident becoming known, the operator must submit a detailed report.
  • Backing this up, the audits, reviews and certifications set out in the NIS2UmsuCG to prevent any flaws in security must also be performed on critical facilities (section 39 BSIG (new version)). This puts the operators of critical facilities under the strictest requirements to monitor, manage and document threats to their facilities.

3. Registration obligations

Operators of essential or important entities, too, are obliged to register on the BBK and BSI’s joint platform (section 33(1) BSIG (new version)). In contrast to the operators of critical facilities, however, they need only provide basic information (such as the entity’s name, legal form and address). 

III. Protection against sabotage by inside agents

The third pillar of the new resilience architecture is protection against sabotage by inside agents, with particular responsibility placed on operators of facilities vital to life or national defence. This area is governed by the SÜG, which aims to ensure the reliability of persons in sensitive roles. The new version of the SÜG, which was adopted on 4 December 2025 and took effect on 16 January 2026, aims to close existing regulatory gaps and introduce uniform standards. Its principal impetus, the Federal Government explicitly states, is the heightened threat of espionage and sabotage.

1. Reporting obligations for sensitive roles

  • Under the SÜG (new version), operators of facilities vital to life or national defence must notify the authorities of sensitive roles within their facilities (section 25a SÜG (new version)). The aim is to ensure uniform standards and avoid distortions of competition to the detriment of legally compliant companies.
  • Operators are obliged as part of the security screening process to forward to the competent authority any security-relevant findings in respect of employees in sensitive roles (sections 26 and 29 SÜG). The amended section 29(2) SÜG broadens the duty to forward information to include indications of over-indebtedness, insolvency proceedings and residual debt discharge, as well as information on any secondary employment of the individual concerned.

2. Security screening and assignment of employees

The rules on security screening and the assignment of employees to security-relevant areas have also been tightened. 

  • Numerous exemptions have been dropped, bringing employee security screening pursuant to section 9 SÜG up to the standard applied to classified information.
  • There is also a new and explicit ban on assigning unscreened personnel in the non-public sector (section 27a SÜG (new version)).

Collectively, the measures are aimed at permanently eliminating previous weaknesses in the provisions to prevent sabotage by inside agents.

Who is covered? – Areas of application at a glance

The new resilience requirements work in tandem and span multiple security-related concerns in respect of corporate structures, including the physical protection of facilities, cyber resilience and personnel-related security considerations.

All three sets of rules are largely sector-specific in their application, affecting energy, transport, IT/telecommunications, finance, healthcare and other fields particularly relating to public needs. Coverage also extends beyond the core players to include up- and downstream entities along value and supply chains. As a result, not only large companies but also small and medium-sized enterprises (SMEs) may now fall under one or more of these regimes for one reason or another.

The simultaneous applicability of multiple statutes and their broad scope significantly increase the likelihood of being affected. Companies must therefore assess their direct or indirect exposure to the new resilience obligations at an early stage.

I. Operators of critical facilities – Physical security under the KRITIS-DachG

The outlined physical resilience obligations are directed at operators of critical facilities (section 4(1)). These include companies that legally or actually exercise a decisive influence on facilities of importance in supplying the general public (see section 2). While the obligations primarily relate to the physical facility, they are directed at the operating company as a legal entity.

The deliberately broad and sector-specific scope of the legislation covers numerous sectors including energy, water and food supply, waste disposal, transport and traffic, space, finance and insurance, healthcare, and IT and telecommunications infrastructure (section 4(1)).

Whether a facility must be categorised as “critical” will depend – in parallel to its sector classification – on its significance in supplying public needs. The decisive factor in this will be the objective thresholds, due to be defined for each relevant sector and facility in a regulation issued by the Federal Ministry of the Interior (Bundesinnenministerium). Consistent with previous practice under the Regulation on the Designation of Critical Infrastructures pursuant to the BSIG (BSI-Kritisverordnung, “BSI-KritisV”), the guiding criterion will be the number of people supplied, most likely 500,000 people per facility.

  • For context: Under the current BSI-KritisV, a company in the electricity generation sector will fall under the IT security requirements of the BSIG and be considered the operator of a critical facility if its generation system has an installed net nominal capacity in excess of 104 MW. The BSI-KritisV sets out the relevant thresholds and calculation methods in detail for each sector. It can be assumed that a comparable system will be taken as the basis for the future “KRITIS-DachG Regulation”.

The KRITIS-DachG does not expand what qualifies as a critical facility but largely aligns facility categorisation with the existing categorisation of critical infrastructure under the BSIG. It can be assumed that the two Acts will take the same approach to classification. However, companies already operating systems deemed critical under the BSIG must expect a noticeable increase in regulatory demands and will have to meet both physical and cybersecurity-related resilience requirements in future (regulatory overlap). According to the BSI, as of 30 September 2025 a total of 2,135 facilities were already registered in respect of the KRITIS sectors under the BSIG (BSI, KRITIS in figures, German only). Similar numbers can therefore be expected under the KRITIS-DachG.

II. Operators of essential or important entities – cybersecurity pursuant to the NIS2UmsuCG

The NIS2UmsuCG considerably expands the scope of application of the previous BSIG and places obligations on many more companies, transforming the BSIG from IT security legislation to comprehensive cybersecurity legislation aligned with EU requirements. Previously, the BSIG’s cybersecurity requirements applied only to supply-related systems. The law’s new version covers all IT systems, components and processes used by companies – including office IT, cloud services, communication tools and accounting systems.

Whether a company is covered by the revised BSIG is largely determined by the respective sector (Annexes 1 and 2 BSIG (new version)) and by criteria for size such as number of employees, turnover or balance sheet total. The Act distinguishes between essential entities and important entities (section 28 BSIG (new version)). This classification is particularly important for determining the level of regulatory oversight and the scope of potential sanctions.

  • Essential entities (subsection 1) include operators of critical facilities and certain providers of digital infrastructure, regardless of size. They also include companies in sectors of particular relevance (Annex 1) such as energy, transport and traffic, healthcare, finance and digital infrastructure, where they meet certain criteria for size. The legislation therefore impacts not only large companies in the traditional sense but also major suppliers in the industrial, pharmaceutical and IT sectors that have generally fallen outside German IT security law to date.
  • Important entities (subsection 2) include a large number of companies from the sectors mentioned above as well as from manufacturing, digital services and research (Annex 2) where they exceed certain, much lower thresholds. Strikingly, a significant number of small and medium-sized enterprises now fall within the scope of cybersecurity requirements for the first time.

The take-home message is that the NIS2UmsuCG will directly and indirectly impact a very broad range of companies. With regard to cyber resilience, the new compliance obligations will affect companies of all sizes (large companies, SMEs) and all industries with security relevance. In healthcare, for example, not only the major pharmaceutical companies but also suppliers of pharmaceutical packaging, medical aids or applications will be subject to cybersecurity requirements if they exceed the requisite thresholds. In future, the Federal Government estimates, around 8,250 entities will be classified as essential and around 21,600 as important.

Suppliers and service providers can also expect to face new obligations in the form of contractual provisions stipulated by companies directly affected or compliance requirements passed down the line to them. The effects of the NIS2UmsuCG will be felt by many more companies than those it is explicitly directed at.

III. Operators of facilities vital to life or national defence – does the SÜG (new version) apply? 

Whether a company falls within the scope of the updated SÜG depends on whether company staff are engaged in sensitive work in a facility vital to life or national defence (section 1(2) and (5) SÜG in conjunction with the Ordinance Defining Security Screening Requirements for Public Bodies (Sicherheitsüberprüfungsfeststellungsverordnung); the scope therefore differs from that of the KRITIS-DachG or NIS2UmsuCG).

The new SÜG focuses on companies in industries of particular relevance to public needs or defence. These include the defence industry, energy (such as operators of control centres), and IT and communications technology (telecom providers). Companies that supply such entities or provide them with services may fall within the scope if their staff are engaged in sensitive work.

Standardisation, digitalisation and efficiency are the aims of the updated SÜG. No plan exists to broaden the SÜG’s statutory scope as such, but compliance is to be enforced across the board. For the companies affected, there will be no way out of staff vetting obligations in future.

Risks and penalties

Alongside the major organisational and technical requirements, the new resilience obligations entail significant liability risks and potential penalties.

Companies that fail to meet their obligations in full can expect severe fines. The proposed legislation also significantly increases the scope of management’s personal responsibility. Managers who culpably fail to implement the required measures face a liability risk of their own. These liability risks are backed up by broad regulatory powers of oversight and enforcement. Overall, these developments raise the regulatory and economic pressure on affected companies.

I. Administrative fines

The KRITIS-DachG includes its own set of administrative fines penalising violations of its provisions. Operators of critical facilities that breach registration, reporting or verification obligations, for example, face fines ranging from EUR 100,000 to EUR 1 million (section 24 KRITIS-DachG).

Penalties are particularly tough for operators of essential or important entities under the BSIG (new version). Depending on the type and severity of the violation and whether the entity is essential or important, administrative fines of up to EUR 10 million may be imposed, or up to 2% of global turnover (section 65(5-7) BSIG (new version)). Even infringements of formal obligations, such as registration requirements, can incur administrative fines of up to EUR 500,000.

Explicit penalty rules have also been included in the updated SÜG for the first time (section 38 SÜG (new version)). If an operator fails to duly report a vulnerability in a facility vital to life or national defence (section 25a SÜG (new version)), the operator risks an administrative fine of up to EUR 50,000. An administrative fine of up to EUR 10,000 applies if unvetted or rejected persons continue to be employed in sensitive areas.

II. Recourse under civil law (external liability)

Liability risks are also faced by suppliers and service providers along the entire supply and value chain. There are circumstances in which they are liable under the contracts they have with operators of critical facilities, essential or important entities, or facilities vital to life or national defence. Claims could be brought where suppliers or service providers fail to duly implement contractually defined security or risk management measures they have committed to. The compensable damage will generally be the fines imposed on the directly liable operator due to a breach of duty.

If critical infrastructure is compromised (as in the recent Berlin power cut of January 2026), the new compliance obligations under the resilience legislation could lead to more stringent standards of care under civil law and make exclusions of liability owing to force majeure more difficult. Depending on the case in question, this could facilitate contractual and tort law claims for damages by consumers against operators of supply-related infrastructure.

III. Management liability (internal liability)

The legislation introduces and explicitly codifies a personal liability regime for management.

Under the KRITIS-DachG, the management of critical facility operators is liable for damage arising from any culpable breach of its duty to establish and implement resilience measures, where internal liability is not already regulated under company law (section 20(2) KRITIS-DachG). This provision is likely to become relevant particularly when a company is subject to fines due to organisational failings. For example, management may under certain circumstances be held liable for an administrative fine imposed due to incorrect registration if there was culpable conduct.

The NIS2UmsuCG introduces a comparable liability regime: members of the management bodies of essential and important entities can be held liable for damage resulting from the culpable breach of their obligations to implement and monitor risk management measures (section 38(1) and (2i) in conjunction with section 30 BSIG (new version)).

D&O liability under this legislation covers all natural persons authorised to manage the business and represent the facility or entity (section 2, no. 11 KRITIS-DachG, section 2, no. 13 BSIG). The specific natural persons subject to these provisions will therefore depend on the operator company’s legal form.

IV. Oversight and enforcement

Regulators’ powers are being significantly expanded to ensure compliance with statutory cybersecurity requirements. Under the revised BSIG, the BSI can require companies to have independent bodies perform audits, reviews and certifications (section 61 BSIG (new version)). If deficiencies are identified, it can require operators to submit remediation plans and demonstrate that the deficiencies have been remedied.

Coercive fines have also been significantly increased: under section 63 BSIG (new version), the BSI can impose coercive fines of up to EUR 100,000 to ensure compliance with its determinations – considerably more than the figure previously possible under the Administrative Enforcement Act (Verwaltungsvollstreckungsgesetz).

Conclusion and outlook

The adoption of the KRITIS-DachG, the updating of the SÜG and the implementation of the NIS2UmsuCG together represent a comprehensive legislative package that will require many companies – some for the first time – to adopt wide-ranging resilience measures. Breaches of those obligations will result not only in significant fines, but in personal liability for members of management. The NIS2UmsuCG entered into force on 6 December 2025 and the SÜG (new version) on 16 January 2026. The KRITIS-DachG was adopted by the Bundestag on 29 January 2026.

The resilience package puts a significant burden on German business: annual compliance costs from the measures to be implemented under the NIS2UmsuCG alone are estimated to reach EUR 2.3 billion. Companies should therefore assess which resilience category they fall into and what specific measures they will need to implement. It is very likely that many operators will fall within the scope of multiple regulations and will need to comply with parallel sets of obligations.

In addition, statutory obligations will be propagated through contractual arrangements made in supply and service chains, impacting companies that are not the immediate targets of the legislation. Particularly for companies supplying and providing services to critical entities, that may mean considerable – and previously often underestimated – compliance requirements; companies further down the supply chain should also review their contractual arrangements and amend them where required.

Companies must therefore establish comprehensive compliance systems that cover internal registration and reporting points; risk and vulnerability analyses; the implementation of organisational, technical and personnel security measures; the establishment of clear responsibilities; and legally compliant documentation.

Overall, this legislation is establishing a new form of resilience compliance – one that requires not only technical expertise, but, above all, a structured legal approach, defining the areas affected, designing internal processes and responsibilities, and incorporating safeguards in contracts with business partners. Given the more rigorous liability and penalty regime, legally robust implementation is crucial to limiting corporate risk exposure and protecting management.
