Your easy switch to the appropriate brand website in the Germany:
No results found for your search
Germany | English
gu-bks-kritische-infrastruktur-hero
gu-bks-kritische-infrastruktur-hero
KRITIS and NIS-2

Questions and solutions about KRITIS and NIS-2

The requirements concerning KRITIS, NIS-2, and resilience no longer affect only traditional operators of critical infrastructure. An increasing number of companies must determine whether they belong to these regulatory requirements.

But this is exactly where uncertainty often arises: Is your company affected by the KRITIS and NIS-2 regulations? We will assist you.

Background and situation

Increasing threat situation - KRITIS and NIS-2 as a response

Europe-wide and global interconnected processes, as well as the increasing digitalization of all areas of life and business, are leading to greater vulnerability to external, often uncontrollable factors. This development has intensified the cyber threat landscape and created new challenges that require coordinated and innovative responses in all EU member states. The number, scope, complexity, frequency, and impact of incidents are increasing and pose a significant threat to the uninterrupted operation of companies and institutions. The EU NIS-2 Directive, which came into force in 2023 (formerly the NIS Directive of 2016), defines the minimum cybersecurity standards within the European Union. The objective is to strengthen resilience and cybersecurity measures in critical sectors (KRITIS sectors).

 

Resilience generally refers to the ability to protect against disruptions, attacks, or other unexpected events, to respond, to recover without lasting impairments, and to adapt to changing conditions. The focus is on both security incidents in network or information systems and the physical security of the infrastructure of these systems, as well as personnel security.

Engineer inspects industrial plant with tablet in the exterior area

Download White Paper KRITIS

Download our White Paper on KRITIS and the NIS-2 directive now.

Challenge

Who is affected?

Digitization increases vulnerability to cyber threats. The EU NIS-2 Directive establishes minimum cybersecurity standards to strengthen the resilience of critical sectors. In Germany, this affects around 30,000 entities.

 

But what are the “areas of application” and “Who actually belongs to critical infrastructure”? 
The BSI Act (BSIG) and the BSI Critical Infrastructure Ordinance (BSI-KritisV) provide the answer through the definition of the nine KRITIS sectors. In addition, the entities are defined by the “Act on the implementation of the NIS-2 Directive and on the regulation of essential principles of information security management in the Federal Administration,” published in the Federal Law Gazette on 5 December 2025 (“Act on the implementation of the NIS-2 Directive”). This classifies companies, as well as other organizations, as operators and as entities into three categories: 

 

  • Operators of critical facilities (KRITIS operators)
  • Especially important entities
  • Important entities

There are also special cases and entities of the federal administration.

Target group check

Who must take action?


Your company belongs to this category as well as other affected organisations if you are an operator of "critical infrastructure" and facilities, systems or parts in the areas of industry listed below (KRITIS sectors). These facilities or systems belong to and are very important for the functions of the local community because if they did not exist or were restricted, this could lead to significant supply bottlenecks or pose major hazards to public safety. In addition to the standard threshold value of 500,000 inhabitants to be supplied, further quantitative and qualitative criteria can also be taken into consideration.

This means for your company as operator that the following security measures arise from the Act to implement the NIS-2 Directive:
• IT security
• Reporting obligation and
• Systems for attack detection KRITIS Umbrella Act (KRITIS-DachG*): Resilience

Classification Facilities Threshold values
Operators of critical infrastructures (KRITIS)
  • Energy
  • Information technology and telecommunication
  • Transport and traffic
  • Health
  • Water
  • Food
  • Finance
  • Municipal waste disposal
  • Social security
    and basic security benefits for job seekers
Someone who carries out critical services meet the demands of the general public.
Inhabitants to be supplied: ≥ 500,000

Your company and other concerned organisations or facility/facilities fall into this category if it/they has/have at least 250 employees or an annual turnover of > €50 m and an annual balance sheet total of > €43 m, offer(s) goods or services and belong(s) to the following sectors listed below.

This means for your company as facility/facilities that the following security measures arise from the implementation of the NIS-2 Directive:
• IT security
• Reporting obligation

Classification Facilities Threshold values
Facilities of major importance
(companies and other organisations)
  • Energy
  • Transport and traffic
  • Fincance
  • Health
  • Water
  • Digital infrastructures
  • Space
Number of employees: ≥ 250 or
Turnover: €50 m
Balance: €43 m
  • Publicly accessible telecom services
  • Public telecom networks
Number of employees: ≥ 50 or
Turnover: €10 m
Balance: €10 m
  • Operators of critical infrastructures
  • Qualified trust service provider
  • Top Level Domain Name Registries
  • DNS service providers
  • Facilities of the federal administration -
    if also operators of critical infrastructures
Without threshold values

Important facilities are companies as well as other concerned organisations or facility/facilities that fall into the categories listed below and meet the specified thresholds.

This means for companies and facility/facilities that the following security measures arise from the implementation of the NIS-2 Directive:
• IT security
• Reporting obligation

Classification Facilities Threshold values
Important facilities
(companies and other organisations)
  • Energy
  • Transport and traffic
  • Finance
  • Health
  • Water
  • Digital infrastructures
  • Space
  • Waste management
  • Production, manufacturing and trading in chemical substances
  • Production, processing and sales of food items
  • Processing industry/manufacturing of goods
  • Digital service providers
  • Research
Number of employees: ≥ 50 or
Turnover: €10 m
Balance: €10 m
  • Publicly accessible telecom services
  • Public telecom networks
Number of employees: < 50 und
Turnover: ≤ €10 m or
Balance: ≤ €10 m
  • Trust service provider
Without threshold values
Risk management

Technical and organisational measures

With the KRITIS Umbrella Act and the EU NIS-2 Directive, not only the already known operators of critical infrastructures are now required to take organisational and technical security measures. Rather, companies, organisations and institutions that previously gave little to no thought to cybersecurity or risk management are now coming into focus. As already mentioned at the beginning, around 30,000 companies and institutions in Germany are now subject to the provisions of the KRITIS-DachG and the NIS-2 directives. 

 

The greater focus is therefore on systems/solutions that help companies and institutions meet the requirements of the KRITIS Umbrella Act and NIS-2 directives and enable efficient implementation of the requirements. This is exactly where the manufacturer-neutral and scalable building management system GEMOS from BKS comes in. 

We create solutions

GEMOS building management system (PSIM)

As a building management and organization system, GEMOS is more than just a means of technically consolidating information. Rather, it is a central risk management system that consolidates central monitoring, processing and visualization of extensive security and building information from a wide variety of areas and systems.

In short: GEMOS is a manufacturer-neutral system that consolidates, visualizes and processes security information from a wide range of sectors.

gu-bks-produktportfolio-gebauedemanagement-landscape
Individual cubes with symbols, arranged in groups on a kind of circuit board, represent the individual modules of the GEMOS building management system.
Open to your security

Perfect organisation using modules and interfaces

GEMOS caries out manufacturer-neutral pooling and integration (messages and instructions) of various physical security and information systems (GEMOS interfaces). With more than 900 existing interfaces and GEMOS’s open architecture, a wide range of systems from many different providers can already be integrated into GEMOS.

Here are some examples:

  • Fire detector and fire extinguishing systems
  • Video management systems
  • Intrusion detection systems
  • Perimeter systems
  • Escape door control systems
  • Alarm receiving systems
  • Transmission systems
  • Communication systems
  • Personal emergency signalling systems
  • Voice alarm systems
  • Key management systems
  • Building automation systems and technical systems (e.g. IT systems) using standard protocols such as BACnet, DALI, EIB/KNX, ESPA, Modbus, OPC, SNMP

Many modules support the organisation and efficient use of GEMOS. GEMOS therefore offers solutions for almost any task.

 

Detection, monitoring, response Zitate

Security Incident Management with GEMOS

With GEMOS, all security information and events—such as faults, alarms, and other statuses—of all integrated physical security and information systems (GEMOS interfaces) are monitored, detected, and presented in a transparent and clearly structured manner. Thanks to central management, GEMOS enables you to respond directly to security incidents at any time. The decisive advantage of GEMOS is that the system integrates the various systems from different manufacturers under a single central interface, allowing for centralized organization of measures across all manufacturers. Here are some examples of different systems that GEMOS can map—and also consolidate:

gu-bks-gemos-gebauedemanagementsystem-monitor-landscape

With the analysis functions of these systems, security incidents can be detected immediately via live images. For automatic or operator-controlled monitoring, GEMOS can instantly trigger the pan-tilt-zoom (PTZ) control of alarm cameras, activate live images from perimeter cameras, start recordings, and thus create archive images. In response to detected incidents, intervention forces can also be specifically deployed via the communication systems. Furthermore, GEMOS enables the linking of alarms, faults, or information messages from other physical security and information systems with the corresponding alarm image activations.

These systems prevent unauthorized access as well as physical security breaches and simultaneously detect such events as they occur. By connecting video surveillance cameras and integrating them into GEMOS, monitoring and responsiveness to security incidents are significantly enhanced. This also includes the visual representation of arming and disarming of areas and sub-areas in the site plan, especially in the event of an alarm. In addition, documented monitoring of the activation and deactivation of sensors and detectors is enabled.

These systems detect fire damage at an early stage, prevent its spread, and thus minimize potential damage. By integrating them into GEMOS, targeted intervention measures, the alerting of emergency services, the automatic provision of fire brigade route cards, and, if necessary, the control of key management systems are optimally coordinated to enable an efficient response to security incidents. In addition, time-controlled and manual execution of switching operations can be enabled, including the specification of necessity and verification by the operator.

The transmission of messages such as alarm, tamper, hold-up, fault, arming and disarming, as well as maintenance and information messages from external devices and their hazard detection systems via communication networks forms a central aspect for alarm receiving systems. With GEMOS, the triggering objects can be visually displayed in the site plan and specifically controlled through predefined intervention measures. Time-dependent and category-based actions are possible, ensuring a rapid and effective response to security incidents.

In addition to the physical protection of critical infrastructures, the protection and safety of personnel are essential components of the NIS-2 Directive, particularly with regard to physical and security-related threats. The monitoring of automatic emergency call activations via motion or position sensors, as well as manual emergency call activations via hold-up buttons or mobile alarm devices, enables rapid detection of security incidents. In combination with GEMOS, localization functions for display in the site plan and targeted responses for intervention can be implemented effectively.

The statuses of these systems and installations, such as temperature, pressure, rotational speed, velocity, fill level, meter reading, as well as damper and valve positions, are monitored in GEMOS. This information can be categorized, for example, as alarm, pre-alarm, fault, maintenance, or information messages. By visualizing these as digital or analog values in the site plan, and by defining multiple threshold ranges including their graphical representation, GEMOS enables precise detection and monitoring, allowing timely responses to critical events.

gu-international-landscape

Control access

Physical barriers such as fences, barriers, and security interlocks prevent unauthorized access, but what about control at the building entrance and within internal areas? This is where an access control system like BKS’s own GEMOS access takes over the monitoring and management within critical infrastructures. This system enables:

 

  • Restriction to authorized personnel by defining area and time zones, mapping access rights, and using security badges.
  • With “dynamic rights,” further typical functions of an access control system can be implemented, including bag checks, anti-passback, area change control, attendance accounting, multi-person presence control, and time lockout after multiple failed attempts with two-factor authentication .
  • Integration into GEMOS and linking with video surveillance cameras as well as the ability to activate lockdown scenarios significantly increases responsiveness in security incidents .
  • Direct control of security interlocks, personnel separation systems, revolving and carousel doors, and access gates is enabled .

GEMOS access

Control, overview and active management of access – requirements that attach even greater importance to KRITIS. GEMOS access is a powerful access management solution.
gu-bks-gebauedemanagement-ixalo-landscape

ixalo electronic access control systems

Electronic locking systems offer a modern, secure and convenient access solution. Thanks to digital control, you can retain control of authorisations at all times.
gu-bks-produktportfolio-gebauedemanagement-landscape

Whitepaper KRITIS

Is your company affected by KRITIS and NIS-2? If so, what impact does that have on your company? What measures do you need to take? 

Our white paper on KRITIS provides you with an initial assessment and the fundamentals for evaluation. 

Fill out the form and you will automatically receive the white paper by email. 

workflow completed

* All fields marked with an asterisk are required fields.

All information on the processing of your data can be found in our privacy policy.

gu-kontakt-bks-servicemitarbeiter-landscape
Contact

We are happy to help you!

Our service team will be happy to assist you with any questions regarding products, applications, and projects. Simply contact us by phone or email.