Increasing threat situation - KRITIS and NIS-2 as a response
Europe-wide and global interconnected processes, as well as the increasing digitalization of all areas of life and business, are leading to greater vulnerability to external, often uncontrollable factors. This development has intensified the cyber threat landscape and created new challenges that require coordinated and innovative responses in all EU member states. The number, scope, complexity, frequency, and impact of incidents are increasing and pose a significant threat to the uninterrupted operation of companies and institutions. The EU NIS-2 Directive, which came into force in 2023 (formerly the NIS Directive of 2016), defines the minimum cybersecurity standards within the European Union. The objective is to strengthen resilience and cybersecurity measures in critical sectors (KRITIS sectors).
Resilience generally refers to the ability to protect against disruptions, attacks, or other unexpected events, to respond, to recover without lasting impairments, and to adapt to changing conditions. The focus is on both security incidents in network or information systems and the physical security of the infrastructure of these systems, as well as personnel security.
Who is affected?
Digitization increases vulnerability to cyber threats. The EU NIS-2 Directive establishes minimum cybersecurity standards to strengthen the resilience of critical sectors. In Germany, this affects around 30,000 entities.
But what are the “areas of application” and “Who actually belongs to critical infrastructure”?
The BSI Act (BSIG) and the BSI Critical Infrastructure Ordinance (BSI-KritisV) provide the answer through the definition of the nine KRITIS sectors. In addition, the entities are defined by the “Act on the implementation of the NIS-2 Directive and on the regulation of essential principles of information security management in the Federal Administration,” published in the Federal Law Gazette on 5 December 2025 (“Act on the implementation of the NIS-2 Directive”). This classifies companies, as well as other organizations, as operators and as entities into three categories:
- Operators of critical facilities (KRITIS operators)
- Especially important entities
- Important entities
There are also special cases and entities of the federal administration.
Who must take action?
Your company belongs to this category as well as other affected organisations if you are an operator of "critical infrastructure" and facilities, systems or parts in the areas of industry listed below (KRITIS sectors). These facilities or systems belong to and are very important for the functions of the local community because if they did not exist or were restricted, this could lead to significant supply bottlenecks or pose major hazards to public safety. In addition to the standard threshold value of 500,000 inhabitants to be supplied, further quantitative and qualitative criteria can also be taken into consideration.
This means for your company as operator that the following security measures arise from the Act to implement the NIS-2 Directive:
• IT security
• Reporting obligation and
• Systems for attack detection KRITIS Umbrella Act (KRITIS-DachG*): Resilience
| Classification | Facilities | Threshold values |
|---|---|---|
| Operators of critical infrastructures (KRITIS) |
|
Someone who carries out critical services meet the demands of the general public. Inhabitants to be supplied: ≥ 500,000 |
Your company and other concerned organisations or facility/facilities fall into this category if it/they has/have at least 250 employees or an annual turnover of > €50 m and an annual balance sheet total of > €43 m, offer(s) goods or services and belong(s) to the following sectors listed below.
This means for your company as facility/facilities that the following security measures arise from the implementation of the NIS-2 Directive:
• IT security
• Reporting obligation
| Classification | Facilities | Threshold values |
|---|---|---|
| Facilities of major importance (companies and other organisations) |
|
Number of employees: ≥ 250 or Turnover: €50 m Balance: €43 m |
|
Number of employees: ≥ 50 or Turnover: €10 m Balance: €10 m | |
|
Without threshold values |
Important facilities are companies as well as other concerned organisations or facility/facilities that fall into the categories listed below and meet the specified thresholds.
This means for companies and facility/facilities that the following security measures arise from the implementation of the NIS-2 Directive:
• IT security
• Reporting obligation
| Classification | Facilities | Threshold values |
|---|---|---|
| Important facilities (companies and other organisations) |
|
Number of employees: ≥ 50 or Turnover: €10 m Balance: €10 m |
|
Number of employees: < 50 und Turnover: ≤ €10 m or Balance: ≤ €10 m | |
|
Without threshold values |
Technical and organisational measures
With the KRITIS Umbrella Act and the EU NIS-2 Directive, not only the already known operators of critical infrastructures are now required to take organisational and technical security measures. Rather, companies, organisations and institutions that previously gave little to no thought to cybersecurity or risk management are now coming into focus. As already mentioned at the beginning, around 30,000 companies and institutions in Germany are now subject to the provisions of the KRITIS-DachG and the NIS-2 directives.
The greater focus is therefore on systems/solutions that help companies and institutions meet the requirements of the KRITIS Umbrella Act and NIS-2 directives and enable efficient implementation of the requirements. This is exactly where the manufacturer-neutral and scalable building management system GEMOS from BKS comes in.
GEMOS building management system (PSIM)
As a building management and organization system, GEMOS is more than just a means of technically consolidating information. Rather, it is a central risk management system that consolidates central monitoring, processing and visualization of extensive security and building information from a wide variety of areas and systems.
In short: GEMOS is a manufacturer-neutral system that consolidates, visualizes and processes security information from a wide range of sectors.
Perfect organisation using modules and interfaces
GEMOS caries out manufacturer-neutral pooling and integration (messages and instructions) of various physical security and information systems (GEMOS interfaces). With more than 900 existing interfaces and GEMOS’s open architecture, a wide range of systems from many different providers can already be integrated into GEMOS.
Here are some examples:
- Fire detector and fire extinguishing systems
- Video management systems
- Intrusion detection systems
- Perimeter systems
- Escape door control systems
- Alarm receiving systems
- Transmission systems
- Communication systems
- Personal emergency signalling systems
- Voice alarm systems
- Key management systems
- Building automation systems and technical systems (e.g. IT systems) using standard protocols such as BACnet, DALI, EIB/KNX, ESPA, Modbus, OPC, SNMP
Many modules support the organisation and efficient use of GEMOS. GEMOS therefore offers solutions for almost any task.
Security Incident Management with GEMOS
With GEMOS, all security information and events—such as faults, alarms, and other statuses—of all integrated physical security and information systems (GEMOS interfaces) are monitored, detected, and presented in a transparent and clearly structured manner. Thanks to central management, GEMOS enables you to respond directly to security incidents at any time. The decisive advantage of GEMOS is that the system integrates the various systems from different manufacturers under a single central interface, allowing for centralized organization of measures across all manufacturers. Here are some examples of different systems that GEMOS can map—and also consolidate:
With the analysis functions of these systems, security incidents can be detected immediately via live images. For automatic or operator-controlled monitoring, GEMOS can instantly trigger the pan-tilt-zoom (PTZ) control of alarm cameras, activate live images from perimeter cameras, start recordings, and thus create archive images. In response to detected incidents, intervention forces can also be specifically deployed via the communication systems. Furthermore, GEMOS enables the linking of alarms, faults, or information messages from other physical security and information systems with the corresponding alarm image activations.
These systems prevent unauthorized access as well as physical security breaches and simultaneously detect such events as they occur. By connecting video surveillance cameras and integrating them into GEMOS, monitoring and responsiveness to security incidents are significantly enhanced. This also includes the visual representation of arming and disarming of areas and sub-areas in the site plan, especially in the event of an alarm. In addition, documented monitoring of the activation and deactivation of sensors and detectors is enabled.
These systems detect fire damage at an early stage, prevent its spread, and thus minimize potential damage. By integrating them into GEMOS, targeted intervention measures, the alerting of emergency services, the automatic provision of fire brigade route cards, and, if necessary, the control of key management systems are optimally coordinated to enable an efficient response to security incidents. In addition, time-controlled and manual execution of switching operations can be enabled, including the specification of necessity and verification by the operator.
The transmission of messages such as alarm, tamper, hold-up, fault, arming and disarming, as well as maintenance and information messages from external devices and their hazard detection systems via communication networks forms a central aspect for alarm receiving systems. With GEMOS, the triggering objects can be visually displayed in the site plan and specifically controlled through predefined intervention measures. Time-dependent and category-based actions are possible, ensuring a rapid and effective response to security incidents.
In addition to the physical protection of critical infrastructures, the protection and safety of personnel are essential components of the NIS-2 Directive, particularly with regard to physical and security-related threats. The monitoring of automatic emergency call activations via motion or position sensors, as well as manual emergency call activations via hold-up buttons or mobile alarm devices, enables rapid detection of security incidents. In combination with GEMOS, localization functions for display in the site plan and targeted responses for intervention can be implemented effectively.
The statuses of these systems and installations, such as temperature, pressure, rotational speed, velocity, fill level, meter reading, as well as damper and valve positions, are monitored in GEMOS. This information can be categorized, for example, as alarm, pre-alarm, fault, maintenance, or information messages. By visualizing these as digital or analog values in the site plan, and by defining multiple threshold ranges including their graphical representation, GEMOS enables precise detection and monitoring, allowing timely responses to critical events.
Control access
Physical barriers such as fences, barriers, and security interlocks prevent unauthorized access, but what about control at the building entrance and within internal areas? This is where an access control system like BKS’s own GEMOS access takes over the monitoring and management within critical infrastructures. This system enables:
- Restriction to authorized personnel by defining area and time zones, mapping access rights, and using security badges.
- With “dynamic rights,” further typical functions of an access control system can be implemented, including bag checks, anti-passback, area change control, attendance accounting, multi-person presence control, and time lockout after multiple failed attempts with two-factor authentication 2 .
- Integration into GEMOS and linking with video surveillance cameras as well as the ability to activate lockdown scenarios significantly increases responsiveness in security incidents 2 .
- Direct control of security interlocks, personnel separation systems, revolving and carousel doors, and access gates is enabled .
Whitepaper KRITIS
Is your company affected by KRITIS and NIS-2? If so, what impact does that have on your company? What measures do you need to take?
Our white paper on KRITIS provides you with an initial assessment and the fundamentals for evaluation.
Fill out the form and you will automatically receive the white paper by email.