KRITIS Law: New Security Rules & Data Protection Challenges for Businesses
Germany’s new KRITIS-Dachgesetz, or “KRITIS Umbrella Act,” came into effect on March 16, 2026, fundamentally altering compliance requirements for operators of essential services and intertwining data protection with physical security measures, according to legal experts.
The law, designed to strengthen the resilience of critical infrastructure following a series of incidents that exposed vulnerabilities (including a recent power outage affecting multiple Berlin neighborhoods), mandates a comprehensive overhaul of security protocols across sectors such as energy, healthcare, transportation, and finance. It transposes the EU’s CER Directive (Directive (EU) 2022/2557 on the resilience of critical entities) into German law.
Unlike previous regulations focused primarily on cybersecurity, the KRITIS-Dachgesetz extends the scope of protection to include the physical robustness of critical assets. This shift presents a significant challenge for data protection officers (DPOs), who now must assess the data privacy implications of every new physical security measure, from enhanced video surveillance to biometric access controls and employee vetting procedures.
“This fundamentally changes the work of the data protection officer,” said a lawyer specializing in KRITIS compliance, as reported by DISA. “Every new security measure…must now be checked to see whether it is compatible with the General Data Protection Regulation (GDPR).”
The law applies to operators providing essential services to at least 500,000 people. These entities face the task of developing compliance frameworks that integrate personnel, facility management, and IT security departments, ensuring that new resilience measures adhere to the principles of data minimization and purpose limitation.
A technical analysis conducted on March 20, 2026, highlighted the complexities surrounding secure remote maintenance of operational technology (OT) and information technology (IT) systems within critical environments. Hospitals, energy providers, and railway operators frequently rely on external service providers and manufacturers for remote maintenance, and each remote access path is a potential entry point for attackers. DPOs must verify that these access points do not expose sensitive operational data or employee information.
Regulators are advocating for rigorous audits of third-party vendors and robust contractual safeguards. DPOs, in collaboration with Chief Information Security Officers (CISOs), must classify external service providers based on their level of access to critical infrastructure, determining the appropriate level of protection required.
Administrative burdens are also increasing. Operators of critical infrastructure must register their activities through a joint platform managed by the Federal Office for Information Security (BSI) and the Federal Office of Civil Protection and Disaster Assistance (BBK). The initial registration window opens on July 17, 2026, and DPOs are responsible for ensuring that the transmission of operator and facility data to the authorities complies with all data protection standards.
The law also mandates comprehensive risk analyses and continuous incident monitoring. Internal surveillance systems, which inevitably process employee and user data, must balance security obligations with fundamental rights. Non-compliance carries significant financial penalties, mirroring those set out in the NIS-2 directive: up to €10 million or 2% of global annual turnover, whichever is higher.
The biotechnology sector is facing heightened scrutiny. On March 12, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint statement regarding a proposed European Biotech Act, welcoming the harmonization of clinical trials but calling for stringent safeguards for sensitive health data. This requires DPOs in the pharmaceutical and biotech industries to navigate both medical research protocols and international data protection laws, protecting the rights of study participants while facilitating cross-border data flows for medical innovation.
Experts recommend immediate gap analyses to align existing data protection practices with the new physical and sector-specific requirements. The integration of automated compliance tools and the establishment of cross-departmental task forces involving legal, IT, and physical security teams are expected to become standard practice in 2026.
