NIS 2 + KRITIS-V (DE)

Operators of critical installations under NIS 2 and KRITIS at the same time

A KRITIS operator does not choose between NIS 2 and KRITIS. Both apply. The NIS 2 measures under Article 21 are the floor. The KRITIS-specific duties, the §29 BSIG evidence cycle, the additional §33 registration fields and the higher §65 penalty band, sit on top. The BSI runs both regimes off the same evidence.

Simon Orzel

The short version

Roughly 1,500 to 2,000 entities in Germany operate a 'kritische Anlage' as defined by the BSI-KritisV. Power distribution above 500 GWh per year, drinking water above 22 million cubic metres per year, data centres above 3.5 megawatts of contracted capacity, and a long list of other sector thresholds. These operators do not sit in their own separate world. They sit inside NIS 2 like any other essential entity, and the KRITIS duties stack on top.

The baseline comes from Article 21 of the NIS 2 Directive: ten cybersecurity risk-management measures, proportionate to the risk. Germany copies that into §30 BSIG. The KRITIS layer adds three things: a higher proportionality bar under Article 21(1) because the consequences of failure are larger, a mandatory three-year evidence cycle under §29 BSIG, and the higher penalty band under §65 BSIG (up to 10 million euro or 2 percent of group turnover).

One regulator runs both regimes. The BSI registers the entity under §33 BSIG, reviews the §29 evidence, takes the §32 incident reports and enforces under §65. The same evidence base feeds both layers. This page lays out the legal stack, the additional KRITIS elements, the two principles that decide every borderline case, and the three myths we hear most often.

The legal source
Three layers. The Directive sets the proportionality clause and the ten measures. The BSIG (German transposition) sets scope, measures, reporting, registration and penalties. The BSI-KritisV draws the quantitative line between an ordinary essential or important entity and a KRITIS operator.

Article 21(1) and 21(2) NIS 2 Directive (EU) 2022/2555

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. Those measures shall ensure a level of security of network and information systems appropriate to the risks posed, taking into account the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation.

Article 21(1) sets the proportionality clause. 'Appropriate and proportionate' means the depth of the measures has to match the risk. A KRITIS operator sits at the top of that scale: large supply area, public dependency, cascading effects. The same ten measures under Article 21(2) apply, but a KRITIS operator has to implement them deeper than a small important entity.

§28, §30, §32, §33 and §65 BSIG (German transposition)

Particularly important entities, important entities and operators of critical installations must take appropriate, proportionate and effective technical and organisational measures. (Translated from the German: "Besonders wichtige Einrichtungen, wichtige Einrichtungen und Betreiber kritischer Anlagen müssen geeignete, verhältnismäßige und wirksame technische und organisatorische Maßnahmen ergreifen.")

The BSIG stacks the duties in one law. §28 sets scope (essential, important, KRITIS operator). §30 sets the ten measures. §32 sets the incident reporting cascade (24 hours early warning, 72 hours notification, one month final report). §33 sets the registration duty with the BSI. §65 sets the penalty band: up to 10 million euro or 2 percent of worldwide group turnover, whichever is higher, for essential entities and KRITIS operators; up to 7 million euro or 1.4 percent for important entities. KRITIS operators sit in the higher band regardless of their size, even where they would otherwise only qualify as an important entity.

§29 BSIG and BSI-KritisV

Operators of critical installations must provide evidence to the Federal Office for Information Security at least every three years that the requirements are met. The evidence is provided by security audits, inspections or certifications. (Translated from the German: "Betreiber kritischer Anlagen müssen mindestens alle drei Jahre dem Bundesamt für Sicherheit in der Informationstechnik die Erfüllung der Anforderungen nachweisen. Der Nachweis erfolgt durch Sicherheitsaudits, Prüfungen oder Zertifizierungen.")

§29 BSIG is the KRITIS-specific evidence cycle. Every three years, the operator hands the BSI an audit, an inspection or a certification that shows the measures under §30 are actually working. The Anlage is defined by the BSI-KritisV: sector-specific quantitative thresholds (electricity distribution at 500 GWh per year, drinking water at 22 million cubic metres per year, data centres at 3.5 megawatts of contracted IT capacity, and so on). Reach or exceed a threshold and you are a Betreiber einer kritischen Anlage. The §29 cycle attaches automatically.

What KRITIS adds on top of the NIS 2 baseline
An entity that is in scope of NIS 2 and also operates a kritische Anlage carries four extra weights, spread over the two layers that sit on top of the baseline. The NIS 2 measures stay the same. The depth, the proof cycle, the registration content and the penalty band change.
Layer 1

NIS 2 baseline (Article 21 / §30 BSIG)

The ten risk-management measures under Article 21(2)(a) to (j): policies on risk analysis and information system security; incident handling; business continuity (backups, disaster recovery, crisis management); supply chain security; security in acquisition, development and maintenance, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; cyber hygiene and training; cryptography and encryption; HR security, access control and asset management; and MFA, secured voice, video and text communications and emergency communication. Proportionate to the risk under Article 21(1). The same list every essential and important entity has to implement. KRITIS operators start here, not somewhere else.

Layer 2

Three-year Nachweis under §29 BSIG

On top of the NIS 2 baseline, a KRITIS operator hands the BSI an evidence package every three years: an audit report, an inspection or a recognised certification covering the §30 measures. The cycle is fixed, not risk-based. Missing the deadline triggers enforcement under §65 BSIG. Registration under §33 also carries extra fields for KRITIS operators: critical service, supply metrics, the location of the Anlage and a 24/7 contact point.

Layer 3

Higher penalty band and deeper proportionality

Under §65 BSIG, KRITIS operators sit in the same penalty band as essential entities: up to 10 million euro or 2 percent of worldwide group turnover, whichever is higher. Important entities (medium-sized Annex I entities and Annex II entities without a KRITIS Anlage) sit one band lower at 7 million euro or 1.4 percent. The proportionality test under Article 21(1) also moves: the cost-of-implementation argument is harder to make when the failure of the Anlage affects hundreds of thousands of supplied persons.

Two principles that decide every borderline case
Operators get the relationship between NIS 2 and KRITIS wrong in two predictable ways. These two rules clear up most of it.

One regulator, one evidence base, two layers

The BSI runs both regimes from the same Bonn office. The audit you hand in under §29 BSIG is the same audit that proves your §30 measures for NIS 2. The supplier register you keep for Article 21(2)(d) is the same register the BSI reads during a §29 inspection. KRITIS does not duplicate NIS 2 evidence. It just asks you to prove the NIS 2 measures on a fixed cycle, with the higher penalty band as the backstop.

KRITIS is additive, not a replacement

A common misreading: 'we are KRITIS, so the NIS 2 rules do not apply.' Wrong direction. KRITIS sits on top of NIS 2 in the BSIG, not next to it. §28 lists KRITIS operators in addition to essential and important entities. §30 (measures), §32 (reporting) and §33 (registration) apply to all three. §29 (three-year Nachweis) and the higher §65 band are the KRITIS-specific extras. Drop the NIS 2 measures and you breach Article 21 of the Directive.

Who supervises this in practice
The BSI is the central regulator, but two sectors have overlay authorities, and the rest of Europe has no direct equivalent to the KRITIS regime.
Germany

BSI runs both regimes

The Bundesamt für Sicherheit in der Informationstechnik is the central competent authority under §40 BSIG. It registers KRITIS operators, reviews §29 evidence, takes §32 incident reports and enforces under §65. The same Bonn office handles a 60-person Annex II manufacturer and a 5,000-person electricity distributor. Different scale, same regulator, same legal stack.

Germany (sector overlays)

Energy and telecoms have a second regulator

Two sectors do not have the BSI alone. Energy operators answer to the Bundesnetzagentur for grid security under §11 EnWG. Telecoms answer to the Bundesnetzagentur for network integrity under §165 TKG. These overlays sit alongside BSIG, not instead of it. A KRITIS electricity distributor reports to the BSI for NIS 2 incidents and to the BNetzA for grid-relevant events. Same building, two inboxes.

EU-wide

No direct KRITIS equivalent at EU level

The NIS 2 Directive does not contain a KRITIS regime. ENISA does not run a three-year evidence cycle. The closest comparable construct is the CER Directive (2022/2557) on the resilience of critical entities, which is about physical resilience, not cybersecurity. Other member states transpose Article 21 and Article 23 the same way, but the additional German KRITIS layer is a national choice carried forward from the 2015 IT-Sicherheitsgesetz. Foreign subsidiaries of a German KRITIS operator do not pick up the §29 duty abroad.

Three myths we hear in every KRITIS scoping call
Three statements that sound right but break against the text of the BSIG.
  • We are KRITIS, so the new NIS 2 rules do not apply to us.

    Wrong direction. §28 BSIG lists KRITIS operators as one of three regulated categories alongside essential and important entities. §30 (measures), §32 (reporting), §33 (registration) and the Article 21 baseline apply to all three. The KRITIS-specific extras are §29 (three-year Nachweis) and the §65 penalty band. If you drop the NIS 2 measures because 'KRITIS already covers it,' you breach Article 21 of the Directive and the German transposition.

  • We sit below the KRITIS-V threshold, so we are out of NIS 2 too.

    The BSI-KritisV threshold (e.g. 500 GWh per year for electricity distribution, 22 million cubic metres per year for water, 3.5 megawatts for data centres) decides KRITIS, not NIS 2. A municipal utility that supplies 80,000 people is below the KRITIS threshold but still in Annex I sector 1 (energy) and almost certainly at least a medium enterprise. That puts it in NIS 2 scope: as an important entity if it is medium-sized, as an essential entity if it is large (Article 3(1) and (2) NIS 2), with §30, §32 and §33 obligations either way. Just no §29 three-year cycle, and, in the medium-sized case, the lower §65 penalty band.

  • We just passed our §29 audit, so we are done for NIS 2 too.

    Passing a §29 Nachweis covers the evidence cycle. It does not switch off the rest of NIS 2. The §32 incident reporting cascade (24 hours / 72 hours / one month) runs continuously. The §33 registration data has to be kept current within two weeks of any change (Article 3(4) NIS 2; the three-month window in Article 27(3) belongs to the separate ENISA registry of DNS, cloud, data centre and similar providers). Supplier risk under §30(2) point 4 runs as a continuous obligation. The §29 audit is a snapshot. The rest of the BSIG is the operating system.

Practice: a Stadtwerk with mixed sectors

Take a municipal utility (Stadtwerk) in a city of 200,000. Electricity distribution, drinking water, district heating, public transport, and a fibre subsidiary. Sit the BSI-KritisV next to the company chart. Electricity distribution above 500 GWh per year crosses the threshold. Drinking water above 22 million cubic metres per year crosses it. District heating below the threshold does not. Public transport falls under transport, Annex I sector 2 of the Directive (not Annex II), and at this size crosses no BSI-KritisV threshold.

The result is one company under three reading levels at once. Two business lines (Strom, Wasser) are KRITIS Anlagen with the full §29 Nachweis cycle on top. One business line (Fernwärme) is Annex I sector 1 but below the KRITIS threshold, so NIS 2 essential without §29. One business line (ÖPNV) is Annex I sector 2 transport, in scope to the extent the operation matches an entity type listed there, and in any case without an Anlage. The fibre subsidiary is Annex I sector 8 regardless of its size: Article 2(2)(a) of the Directive brings providers of public electronic communications networks in without the size cap (essential from medium size upward, important below that). One §33 registration covers the legal entity. The §29 audit covers only the KRITIS Anlagen. The §30 measures cover everything.

How we handle this on the platform

The applicability check walks the BSI-KritisV thresholds line by line: which Anlage, which sector, which quantitative metric, which threshold. If you cross one, the check flags the §29 Nachweis cycle and switches the company profile to KRITIS operator. The registration module then surfaces the additional §33 fields (critical service, supply metrics, location, 24/7 contact). The penalty calculator switches to the higher §65 band.
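The threshold walk and the category logic behind the Stadtwerk case above, written out as an added, constructed Python example. This is not the platform's code and not legal advice: it uses only the three BSI-KritisV thresholds quoted on this page (the real ordinance has many more rows), the size-based category rules of Article 3 NIS 2 and the two §65 bands as stated above. The business lines, metrics and turnover figures are made up; sectors without a quoted threshold (district heating, public transport) deliberately get no Anlage entry, and the size-independent categories of Article 2(2) NIS 2 are not modelled.

```python
"""Constructed scoping example: NIS 2 category, KRITIS Anlage status and the
resulting BSIG duties for a multi-sector Stadtwerk. Not the platform's code;
thresholds are limited to the three quoted on the page."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# (sector, Anlage category) -> (unit, threshold). Only the values quoted on
# the page; the full BSI-KritisV table is much longer.
KRITIS_THRESHOLDS: dict[tuple[str, str], tuple[str, float]] = {
    ("energy", "electricity_distribution"): ("GWh per year", 500.0),
    ("water", "drinking_water"): ("million m3 per year", 22.0),
    ("digital_infrastructure", "data_centre"): ("MW contracted", 3.5),
}


class Size(Enum):
    SMALL = "small"      # micro or small enterprise
    MEDIUM = "medium"
    LARGE = "large"


class Category(Enum):
    ESSENTIAL = "besonders wichtige Einrichtung"
    IMPORTANT = "wichtige Einrichtung"
    OUT_OF_SCOPE = "out of scope"


# §65 ceilings per category: (fixed euro amount, share of worldwide turnover).
PENALTY_BANDS = {
    Category.ESSENTIAL: (10_000_000, 0.02),
    Category.IMPORTANT: (7_000_000, 0.014),
    Category.OUT_OF_SCOPE: (0, 0.0),
}


@dataclass(frozen=True)
class BusinessLine:
    name: str
    sector: str                     # sector key used in KRITIS_THRESHOLDS
    annex: int                      # NIS 2 annex the sector sits in (1 or 2)
    activity: str = ""              # Anlage category key, "" when none applies
    metric: Optional[float] = None  # measured value in the threshold's unit


@dataclass
class ScopeResult:
    category: Category
    kritis_lines: list[str]
    nachweis_cycle_years: Optional[int]
    extra_registration_fields: list[str]


def is_kritis_anlage(line: BusinessLine) -> bool:
    """KritisV wording is 'reaches or exceeds', hence >= rather than >."""
    entry = KRITIS_THRESHOLDS.get((line.sector, line.activity))
    if entry is None or line.metric is None:
        return False
    return line.metric >= entry[1]


def classify(lines: list[BusinessLine], size: Size) -> ScopeResult:
    kritis = [line.name for line in lines if is_kritis_anlage(line)]
    if kritis:
        category = Category.ESSENTIAL        # KRITIS operator: higher band, any size
    elif size is Size.LARGE and any(line.annex == 1 for line in lines):
        category = Category.ESSENTIAL        # large enterprise in an Annex I sector
    elif size in (Size.MEDIUM, Size.LARGE):
        category = Category.IMPORTANT        # medium Annex I/II, or large Annex II only
    else:
        category = Category.OUT_OF_SCOPE     # Art. 2(2) size exemptions not modelled
    return ScopeResult(
        category=category,
        kritis_lines=kritis,
        nachweis_cycle_years=3 if kritis else None,   # §29 attaches automatically
        extra_registration_fields=(
            ["critical service", "supply metrics", "Anlage location", "24/7 contact"]
            if kritis else []
        ),
    )


def penalty_ceiling(result: ScopeResult, worldwide_turnover_eur: float) -> float:
    """Higher of the fixed amount and the turnover share for the entity's band."""
    fixed, share = PENALTY_BANDS[result.category]
    return max(float(fixed), share * worldwide_turnover_eur)


# Constructed input for the Stadtwerk case on this page (all figures made up).
STADTWERK_LINES = [
    BusinessLine("Strom", "energy", 1, "electricity_distribution", 620.0),
    BusinessLine("Wasser", "water", 1, "drinking_water", 30.0),
    BusinessLine("Fernwärme", "energy", 1),      # no threshold quoted on the page
    BusinessLine("ÖPNV", "transport", 1),        # Annex I sector 2, no Anlage here
]

if __name__ == "__main__":
    result = classify(STADTWERK_LINES, Size.LARGE)
    print(result.category.value, result.kritis_lines,
          "§29 cycle:", result.nachweis_cycle_years,
          "§65 ceiling at 800 M turnover:", penalty_ceiling(result, 800e6))
```

The ordering of the branches in `classify` is the point: a single Anlage pulls the whole legal entity into the essential band and attaches the §29 cycle, before size is even looked at. Drop the first branch and a medium-sized water utility above 22 million cubic metres would be misfiled as an important entity with the lower band and no Nachweis duty.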

The evidence base is shared. The same controls that satisfy §30 BSIG produce the audit trail you hand the BSI under §29. The supplier register under Article 21(2)(d) is the same register that gets reviewed during a §29 inspection. The incident reporting form covers the §32 cascade (24 hours / 72 hours / one month) for both regimes. One evidence base, two reporting destinations when needed (BSI plus, for energy and telecoms, the BNetzA).

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 3 (entity categories, two-week registration update in 3(4)), Article 21(1) (proportionality), Article 21(2) (ten measures), Article 27 (ENISA registry of DNS, cloud, data centre and similar providers) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • BSIG (NIS2-Umsetzungsgesetz), §28 (scope), §29 (three-year Nachweis for KRITIS operators), §30 (measures), §32 (incident reporting), §33 (registration), §65 (penalties) — gesetze-im-internet.de/bsig_2009
  • BSI-KritisV (Verordnung zur Bestimmung kritischer Anlagen), sector-specific thresholds for electricity, water, food, health, transport, finance, IT and telecoms, waste, space — gesetze-im-internet.de/bsi-kritisv
  • BSI, 'Kritische Infrastrukturen' Informationspaket and NIS 2 FAQ — bsi.bund.de/DE/Themen/KRITIS-und-regulierte-Unternehmen
  • Bundesnetzagentur, IT-Sicherheitskatalog gemäß §11 EnWG (energy sector overlay) — bundesnetzagentur.de
  • Directive (EU) 2022/2557 (CER) on the resilience of critical entities (physical resilience, distinct from NIS 2) — eur-lex.europa.eu/eli/dir/2022/2557/oj
Run the KRITIS-V threshold check on your operations
Applicability, §33 registration, §30 measures and §29 Nachweis evidence on one platform. Free, open source, no lock-in.