# BGBl. 2026 I Nr. 66: Law Implementing EU Directive 2022/2557 and Strengthening the Resilience of Critical Facilities
AI-generated summary for informational purposes only. Not legal advice. See the original source for the authoritative text.
This law, enacted on 11 March 2026 and published in the Federal Law Gazette (BGBl. 2026 I Nr. 66) on 16 March 2026, transposes the EU CER Directive (2022/2557) on the resilience of critical entities into German national law. It replaces and updates the existing legal framework for the protection of critical infrastructure (KRITIS), expanding coverage beyond mere cybersecurity to encompass physical, organizational, and operational resilience across a broad range of sectors.

The legislation covers sectors including energy supply, telecommunications (Deutsche Telekom AG), postal and financial services (Deutsche Post AG, Deutsche Postbank AG), public information technology, electricity and gas, and foreign trade. Operators of critical facilities in these sectors face new obligations to conduct risk assessments, implement resilience measures, develop incident response plans, and report significant disruptions to competent authorities.

The Federal Ministry of the Interior (Bundesministerium des Innern) leads the implementation, with coordinating roles distributed across sector-specific authorities. The law introduces a formal registration and notification regime for operators, threshold-based criteria for identifying critical entities, and penalties for non-compliance. Germany's approach aligns with the EU's shift from purely protective measures to a broader resilience-based framework, requiring critical entities to be able to prevent, absorb, adapt to, and recover from incidents — whether caused by natural hazards, accidents, terrorism, or hybrid threats.
Key Changes
- Transposes EU Directive 2022/2557 (CER) into German law, replacing the previous KRITIS framework with a broader resilience mandate effective from publication on 16 March 2026
- Expands critical entity obligations beyond cybersecurity to include physical security, personnel reliability, supply chain resilience, and business continuity planning
- Introduces a formal threshold-based identification process for operators of critical facilities across energy, telecom, postal, financial services, IT, and foreign trade sectors