KRITIS & NIS-2

NIS-2 & KRITIS Resilience: Physical Security as the Foundation of Your Cybersecurity

Protect your critical facilities with BKS. We offer manufacturer-neutral solutions for risk management, access control, and incident management – fully compliant with NIS-2 and the KRITIS umbrella law.

BKS supports you in ensuring the availability of your infrastructure and efficiently fulfilling legal reporting obligations.

Background and Situation

Increasing Threat Situation - KRITIS and NIS-2 as a Response

Europe-wide and globally networked processes, as well as the increasing digitalization of all areas of life and business, lead to greater vulnerability to external, often uncontrollable factors. This development has intensified the cyber threat situation and created new challenges that require coordinated and innovative responses in all EU member states. The number, scope, complexity, frequency, and impact of incidents are increasing and pose a significant threat to the smooth operation of companies and institutions. The EU NIS-2 Directive, which came into force in 2023 (formerly the NIS Directive of 2016), sets minimum cybersecurity standards in the European Union. The aim is to strengthen resilience and cybersecurity measures in the critical sectors (KRITIS sectors).

Resilience generally refers to the ability to protect against disruptions, attacks, or other unexpected events, to respond to them, to recover without lasting impairment, and to adapt to changing conditions. The focus is on security incidents in network or information systems as well as on the physical security of the infrastructure of these systems and on personnel security.

“It simply wasn’t on the radar!”

“IT security does not start at the door of a server room, nor is it solely the responsibility of the cloud provider. Physical security, its availability, and resilience are based on risk assessments, the use of future-proof solutions, implementation, compliance, review and adaptation, reporting obligations, and ongoing training.
Additionally, many companies often underestimate how quickly ‘internal’ anomalies in a building or property can lead to a chain of events due to the multitude of integrated systems. These events can ultimately cause security incidents and damages, resulting in significant time and economic disruptions as well as outages. For example: the failure of the air conditioning for the UPS control, which is considered unimportant, may only be fixed on the next working day or even later. If, by chance, further problems (factors) occur during this downtime, such as a malfunction at the local power utility, this may cause the backup power system (emergency generator) to attempt to activate. But before this happens, the uninterruptible power supply (UPS) fails completely due to the overheated control unit. As a result, the entire operation can come to a standstill for a long time.”

Voice of a Security Consultant
Challenge

Who is affected?

Digitalization increases vulnerability to cyber threats. The EU NIS-2 Directive sets minimum cybersecurity standards to strengthen the resilience of critical sectors. In Germany, this affects around 30,000 institutions.

But what are the “areas of application” and “who actually belongs to critical infrastructure”? 
The BSI Act (BSIG) and the BSI-Kritis Regulation (BSI-KritisV) provide the answer by defining the nine KRITIS sectors. In addition, the definition of institutions is provided by the “Act to Implement the NIS-2 Directive and to Regulate Essential Principles of Information Security Management in Federal Administration” (“Act to Implement the NIS-2 Directive”), published in the Federal Law Gazette on December 5, 2025. As a result, companies as well as other organizations are classified as operators and as institution(s) in three categories:

  • Operators of critical facilities (KRITIS operators)
  • Particularly important institutions
  • Important institutions

There are also special cases and institutions of the federal administration.

Target Group Check

Who needs to act?


This includes your company as well as other affected organizations if you are an operator of “critical infrastructure” and facilities, plants, or parts from the sectors listed below (KRITIS sectors). These facilities or plants are of great importance for the functioning of society, as their failure or impairment would result in significant supply shortages or threats to public safety. In addition to the standard threshold of 500,000 people to be supplied, further quantitative and qualitative criteria may also be considered.

This means for your company: As an operator, the following security measures arise from the Act to Implement the NIS-2 Directive:
• IT security
• Reporting obligation and
• Attack detection systems

KRITIS umbrella law (KRITIS-DachG*): Resilience

Classification: Operators of critical facilities (KRITIS)

Institutions:
  • Energy
  • Information technology and telecommunications
  • Transport and traffic
  • Health
  • Water
  • Food
  • Financial sector
  • Municipal waste disposal
  • Social security services and basic income support for jobseekers

Thresholds:
  Someone who provides critical services to the public.
  Served population: ≥ 500,000

This includes your company as well as other affected organizations or your institution(s) with at least 250 employees or an annual turnover > €50 million and an annual balance sheet total > €43 million, if you offer goods or services and belong to the sectors listed below.

Thus, the following security measures apply to these companies as institutions under the Act to Implement the NIS-2 Directive:
• IT security
• Reporting obligation

Classification: Particularly important institutions (companies as well as other organizations)

Institutions:
  • Energy
  • Transport and traffic
  • Financial sector
  • Health
  • Water
  • Digital infrastructures
  • Space
Thresholds:
  Employees: ≥ 250 or
  Turnover: €50 million
  Balance sheet total: €43 million

Institutions:
  • Publicly accessible telecommunications services
  • Public telecommunications networks
Thresholds:
  Employees: ≥ 50 or
  Turnover: €10 million
  Balance sheet total: €10 million

Institutions:
  • Operators of critical facilities
  • Qualified trust service providers
  • Top Level Domain Name Registries
  • DNS service providers
  • Institutions of the federal administration, provided they are also operators of critical facilities
Thresholds:
  without thresholds

Important institutions are companies as well as other affected organizations or institution(s) that belong to the sectors listed below and meet the specified thresholds.

For companies and institution(s), the following security measures arise from the Act to Implement the NIS-2 Directive:
• IT security
• Reporting obligation

Classification: Important institutions (companies as well as other organizations)

Institutions:
  • Energy
  • Transport and traffic
  • Financial sector
  • Health
  • Water
  • Digital infrastructures
  • Space
  • Waste management
  • Production, manufacture and trade of chemical substances
  • Production, processing and distribution of food
  • Manufacturing/production of goods
  • Providers of digital services
  • Research
Thresholds:
  Employees: ≥ 50 or
  Turnover: €10 million
  Balance sheet total: €10 million

Institutions:
  • Publicly accessible telecommunications services
  • Public telecommunications networks
Thresholds:
  Employees: < 50 and
  Turnover: ≤ €10 million or
  Balance sheet total: ≤ €10 million

Institutions:
  • Trust service providers
Thresholds:
  without thresholds

Risk management

Technical and organizational measures

With the KRITIS umbrella law and the EU NIS-2 Directive, it is no longer only the previously known operators of critical facilities that are required to implement organizational and technical security measures. Companies, organizations and institutions that previously gave little or no thought to cybersecurity or risk management are now in the spotlight as well. As stated at the outset, around 30,000 companies and institutions in Germany are now subject to the provisions of the KRITIS umbrella law and the NIS-2 Directive.

This increases the importance of systems and solutions that help companies and institutions meet the requirements of the KRITIS umbrella law and the NIS-2 Directive and implement them efficiently. This is exactly where GEMOS, BKS's vendor-neutral and scalable Physical Security Information Management system, comes into play.

We create solutions

GEMOS Physical Security Information Management (PSIM)

As a building management and organizational system, GEMOS is more than a technical measure for consolidating information. It is a central risk management system that brings together the monitoring, processing and visualization of extensive security and building information from a wide range of areas and systems.

In short: GEMOS is a vendor-neutral system that consolidates, visualizes and processes security information from a wide variety of sectors.

Open for your security

Perfect organization through modules and interfaces

GEMOS provides vendor-neutral consolidation and integration (messages and instructions) of various physical security and information systems (GEMOS interfaces). With more than 900 existing interfaces and GEMOS’s open architecture, a wide variety of systems from many different providers can already be integrated into GEMOS.

Here are some examples:

  • Fire detection and extinguishing systems
  • Video management systems
  • Intrusion detection and hold-up alarm systems
  • Perimeter systems
  • Emergency exit door control systems
  • Alarm receiving systems
  • Transmission systems
  • Communication systems
  • Personal emergency signal systems
  • Voice alarm systems
  • Key management systems
  • Building automation systems and technical systems (e.g. IT systems) via standard protocols such as BACnet, DALI, EIB/KNX, ESPA, Modbus, OPC, SNMP

Numerous modules support the organization and efficient use of GEMOS. This way, GEMOS offers solutions for almost any task.

Detection, monitoring, response

Security incident management with GEMOS

With GEMOS, all security information and events (e.g. faults, alarms and other states) from all integrated physical security and information systems (GEMOS interfaces) are monitored, detected and presented transparently and clearly. Through centralized management, GEMOS enables you to respond directly to security incidents at any time. The decisive advantage of GEMOS is that the system integrates the different systems from various manufacturers under a single interface and enables centralized organization of measures across all manufacturers. Here are some examples of different systems that GEMOS can represent and consolidate:


Using the analysis functions of video management systems, security incidents can be detected immediately via live video. For automated or operator-controlled monitoring, GEMOS can instantly control the pan-tilt-zoom (PTZ) functions of alarm cameras, switch live feeds from surrounding cameras, start recordings and thus create archive footage. In response to detected incidents, response teams can be deployed in a targeted manner via the communication systems. In addition, GEMOS enables the linking of alarms, faults or informational messages from other physical security and information systems with the corresponding alarm image pop-ups.

Intrusion detection systems prevent unauthorized access and physical security breaches and detect such events as they occur. The connection of video surveillance cameras and their integration into GEMOS significantly improves monitoring and responsiveness to security incidents. This also includes the visual display of arming and disarming of areas and subareas in the site plan, especially in the event of an alarm. Documented monitoring of the activation and deactivation of sensors and detectors is also enabled.

Fire detection and extinguishing systems detect fires at an early stage, prevent their spread and thus minimize potential damage. By integrating them into GEMOS, targeted intervention measures, alerting of emergency personnel, automatic provision of fire service run-cards and potential control of key management systems are optimally coordinated to enable efficient responses to security incidents. In addition, scheduled and manual execution of switching operations can be enabled, including indication of necessity and verification by the operator.

The transmission of messages such as alarm, sabotage, hold-up, fault, arming/disarming as well as maintenance and info messages from external facilities and their hazard alarm systems over communication networks forms a central point for alarm receiving systems. With GEMOS, the triggering objects can be displayed visually in the site plan and controlled by stored intervention measures. Time-dependent and category-related measures are possible, ensuring a quick and effective response to security incidents.

In addition to the physical protection of critical infrastructures, the protection and safety of personnel are essential components of the NIS-2 Directive, particularly with regard to physical and security-related threats. Monitoring of automatic emergency triggers by motion or position sensors as well as manual emergency triggers by hold-up buttons or mobile alarm devices enables rapid detection of security incidents. In combination with GEMOS, localization functions can be displayed in the site plan and targeted interventions can be implemented effectively.

The states of building automation and technical systems and plants (such as temperature, pressure, speed, velocity, fill level, meter readings as well as damper and valve positions) are monitored in GEMOS. This information can be categorized as alarm, pre-alarm, fault, maintenance or info messages. By visualizing values as digital or analog in the site plan and by defining multiple threshold ranges including graphical representation, GEMOS enables precise detection and monitoring so that critical events can be addressed in a timely manner.


Control access

Physical barriers such as fences, barriers and security airlocks prevent unauthorized entry, but what about control of access to and within the building and internal areas? Here, an access control system such as BKS’s own GEMOS access takes over monitoring and control within critical infrastructures. This system enables:

  • Restriction to authorized personnel by defining area and time zones, mapping access rights and using security passes
  • With “Dynamic Rights”, additional typical functions of an access control system can be implemented, including bag checks, anti-passback, area change control, accounting, multi-person presence control and time lockout after multiple failed attempts with two-factor authentication.
  • Integration into GEMOS and linking with video surveillance cameras, as well as the ability to activate lockdown scenarios, significantly increases responsiveness to security incidents.
  • Direct control of security airlocks, mantrap systems, swing and revolving doors as well as access gates is possible.

GEMOS access

Control, overview and active management of access – requirements that take on even greater importance within the KRITIS framework. GEMOS access is a powerful access management solution.

Electronic access control systems ixalo

With electronic locking systems you rely on a modern, secure and convenient access solution. Digital control lets you maintain control over all authorizations at all times.