BSIG 2025

NIS2 vs KRITIS: What Actually Changed

NIS2 does not replace KRITIS – it extends it dramatically. From roughly 2,000 operators to about 30,000 entities, seven new sectors, personal management liability, and tighter reporting deadlines.

KRITIS Was the Warm-Up. NIS2 Is the Main Event.

If your company was already classified as KRITIS (Kritische Infrastruktur) under the old BSI-KritisV regime, you know what cybersecurity regulation looks like. You have dealt with BSI audits, incident reporting, and IT security measures. The good news: your existing work is not wasted. The challenging news: NIS2 raises the bar, broadens the scope, and adds obligations that did not exist before.

If your company was NOT previously KRITIS, this is likely your first encounter with mandatory cybersecurity regulation. NIS2 – transposed into German law through the amended BSIG – brings roughly 28,000 additional companies into the regulatory perimeter. Many of these companies have never reported an incident to a government agency, never been audited for IT security, and never thought of cybersecurity as a legal compliance topic.

Side-by-Side Comparison
How KRITIS and NIS2/BSIG differ across the eight areas that matter most for compliance planning.
| Aspect | KRITIS (BSI-KritisV) | NIS2 / BSIG (new) |
| --- | --- | --- |
| Scope | Approximately 2,000 operators of critical infrastructure in 10 sectors, identified by exceeding specific threshold values (e.g., 500,000 people served) | Approximately 30,000 entities across 18 sectors, using a simple size threshold: 50+ employees or €10M+ annual revenue. Includes both 'essential' and 'important' categories |
| Threshold model | Sector-specific quantitative thresholds (e.g., 500,000 supplied persons for energy, 500,000 residents for water). Complex to calculate, many borderline cases | Uniform size criteria: medium enterprise (50+ employees or €10M+ revenue) across all sectors. Much simpler to determine. Some sectors have additional criteria regardless of size |
| Registration | Self-declaration to BSI with optional verification. No formal registration portal for most KRITIS operators initially | Mandatory registration via BSI portal under §33 BSIG. Must provide entity details, sector classification, contact person, and IP ranges. Separate penalty provision for non-registration |
| Incident reporting | Significant incidents reported to BSI without a strict timeline in earlier regulations. Later tightened, but less structured than NIS2 | Three-stage mandatory reporting under §32 BSIG: early warning within 24 hours, incident notification within 72 hours, final report within one month. Each stage has defined content requirements |
| Penalties | Fines up to €100,000 for some violations. Limited enforcement in practice. Penalties rarely applied publicly | Fines up to €10M or 2% of global annual turnover for essential entities, up to €7M or 1.4% for important entities. Separate fines for registration and reporting violations. Modeled on the GDPR penalty structure |
| Management liability | No specific personal liability provision for management. General corporate law duties applied | §38 BSIG introduces explicit personal liability for the Geschäftsführung. Management must approve cybersecurity measures, undergo training, and can be held personally liable for damages. Cannot be waived by shareholder resolution |
| Audit requirements | Biennial evidence submission (§8a of the old BSIG). Primarily self-audit with BSI review of submitted evidence | Essential entities: BSI can conduct proactive audits and on-site inspections. Important entities: reactive supervision (audits triggered by incidents or evidence of non-compliance). BSI has broader enforcement powers, including binding instructions |
| Supply chain security | Not a specific regulatory requirement under the old KRITIS regime. Companies managed supplier risk on their own terms | §30(2)(4) BSIG mandates supply chain security measures. Must assess supplier cybersecurity, include security requirements in contracts, and monitor supplier posture throughout the relationship. Applies to all in-scope entities |
Seven Newly In-Scope Sectors
These sectors were not covered by the old KRITIS regime. Companies in these industries are dealing with mandatory cybersecurity regulation for the first time.

Waste management

Collection, treatment, and disposal of waste. Covered under NIS2 Annex II. Includes municipal waste services, hazardous waste processors, and recycling operations. Most waste companies have never dealt with cybersecurity regulation.

Food production and distribution

Food manufacturing, processing, and wholesale distribution. Covered under NIS2 Annex II. This extends beyond the retail food chain to include production facilities, cold chain logistics, and food safety systems.

Manufacturing of critical products

Manufacturing of medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, and other transport equipment. Covered under NIS2 Annex II. A significant number of German Mittelstand companies fall into this category.

Postal and courier services

Postal service providers and courier companies. Covered under NIS2 Annex II. Includes parcel delivery services, mail sorting operations, and logistics platforms that support last-mile delivery.

Chemical production and distribution

Manufacturing, production, and distribution of chemicals. Covered under NIS2 Annex II. Overlaps significantly with existing safety regulation (Störfallverordnung) but adds cybersecurity-specific obligations.

Research organizations

Research institutions whose primary purpose is to carry out applied research or experimental development. Covered under NIS2 Annex II. Includes Fraunhofer institutes, Helmholtz centers, and private research organizations above the size threshold.

Digital infrastructure and services

Expanded scope for digital providers: managed service providers, managed security service providers, online marketplaces, search engines, social networks, and data centers. Some were partially covered before – NIS2 broadens and clarifies the definitions significantly.

What Stayed the Same
  • The BSI remains the central competent authority and national CSIRT for Germany
  • IT-Grundschutz remains the recommended methodology for implementing security measures (§44(2) BSIG)
  • The fundamental principle of 'appropriate and proportionate' measures – you must implement what is reasonable for your size and risk profile, not everything theoretically possible
  • The requirement to maintain an information security management system (ISMS) in some form – whether formally certified or structured around Grundschutz

Frequently Asked Questions

We were already KRITIS – do we still need to do something new?

Yes. Even if you were a fully compliant KRITIS operator, NIS2 adds new obligations: mandatory BSI registration via the §33 portal (if not already done), tighter incident reporting timelines (24h/72h/1 month cascade), explicit management liability under §38, and mandatory supply chain security measures. Your existing security measures likely cover most of the technical requirements, but the regulatory and governance obligations are new.

What are the new sectors that were not in KRITIS?

Seven sectors are newly in scope under NIS2 that were not covered by the old KRITIS regime: waste management, food production and distribution, manufacturing of critical products, postal and courier services, chemical production and distribution, research organizations, and expanded digital infrastructure and services. Companies in these sectors are dealing with mandatory cybersecurity regulation for the first time.

Is NIS2 just KRITIS with a different name?

No. NIS2 is a fundamentally broader and deeper regulatory regime. KRITIS covered approximately 2,000 operators with high thresholds. NIS2 covers approximately 30,000 entities with much lower thresholds. NIS2 adds personal management liability, mandatory registration, structured incident reporting timelines, supply chain obligations, and significantly higher penalties. Think of KRITIS as the pilot program – NIS2 is the full rollout.

What is the biggest practical difference for companies?

Management personal liability under §38 BSIG. Under KRITIS, cybersecurity was an IT department problem. Under NIS2, the Geschäftsführung is personally responsible for approving and overseeing cybersecurity measures, must undergo cybersecurity training, and can be held liable for damages resulting from non-compliance. This liability cannot be waived, even by shareholder resolution. This changes cybersecurity from an IT budget line to a board-level governance issue.

Sources
  • Directive (EU) 2022/2555 – NIS2 Directive, Annex I and Annex II (sector definitions)
  • BSIG – §28 (Scope and entity definitions), §30 (Cybersecurity measures), §32 (Incident reporting), §33 (Registration), §38 (Management liability), §65 (Penalties)
  • BSI-KritisV – Verordnung zur Bestimmung Kritischer Infrastrukturen (previous KRITIS threshold regulation)
  • BSI – NIS2 scope guidance and sector classification documentation (2025)
  • NIS2UmsuCG – Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit

From KRITIS to NIS2 – Close the Gaps
The platform covers all NIS2/BSIG requirements, including the obligations that are new compared to the old KRITIS regime: registration tracking, management sign-offs, supply chain documentation, and the structured incident reporting cascade.