InfoGuard Cyber Security and Cyber Defence Blog

NIS2, CRA, KRITIS and March 6: What counts now is demonstrable implementation!

Written by Michael Fossati | 02 Mar 2026

NIS2, CRA and the KRITIS Umbrella Act work on different levels, but pursue a common goal: demonstrable resilience. Their effect is permanent. They do not require one-off implementation, but rather continuous further development of governance, technology and processes. A structured approach reduces both cyber and regulatory risks.

NIS2, CRA & KRITIS: Who is affected?

NIS2: Companies in 18 sectors

  • Size: From 50 employees or EUR 10 million turnover/balance sheet total (from affiliated or partner companies; in sectors such as energy, transport, health, digital infrastructure, production, waste management).

  • Exceptions: Smaller companies may also be affected if they are classified as "particularly important".

  • Foreign companies: Are considered affected if they provide services in Germany and meet the criteria.

CRA: Manufacturers of digital products

  • Affected: Manufacturers, importers and distributors of hardware/software with internet/network connectivity that are marketed in the EU.

KRITIS Umbrella Act and CER Directive (Critical Entities Resilience)

  • Affected: Operators of critical infrastructures (e.g. energy, water, transportation).

NIS2, CRA & KRITIS: What needs to be done?

NIS2: 5 core requirements

  1. Obligation to register with the BSI: All affected companies must register on the BSI portal by March 6, 2026 (two-stage: "My company account" + BSI portal).
  2. Risk management: Implementation of 10 core measures (Section 30 BSIG-new), e.g.:
    ▪️ Incident response
    ▪️ Supply chain security
    ▪️ Multi-factor authentication
    ▪️ Regular training for employees
  3. Reporting obligations: Report significant security incidents to the BSI within 24 hours.
  4. Documentation: Proof of implementation (e.g. for audits).
  5. Personal liability: Managing directors are liable for breaches (Section 38 BSIG).

CRA: Obligations for manufacturers

  • Vulnerability reporting: From September 2026 via the EU platform.
  • Product compliance: New products placed on the market must meet all CRA requirements from December 2027.

KRITIS Umbrella Act and CER directive

  • Physical resilience: Protection against sabotage, terror and natural disasters.
  • Risk analyses: National authorities identify critical facilities by July 2026.

Regulatory timeline: Key deadlines at a glance

Key deadlines for NIS2, CRA and KRITIS Umbrella Act:

Regulation | Deadline | Responsible parties
--- | --- | ---
NIS2 Implementation Act in force | since December 6, 2025 | BSI/Federal Government
NIS2 registration, 3 months after entry into force | until March 6, 2026 | Affected companies
BSI portal activated | January 2026 | BSI
CRA reporting obligation (vulnerabilities) | from September 2026 | BSI
CER risk analyses | until July 17, 2026 | Member states/BSI
KRITIS Umbrella Act in force | January 29, 2026 | Federal government

Implement NIS2, CRA & KRITIS: Four measures

  1. Impact assessment (immediately)

    ▪️ Tool: Use the BSI NIS2 check to determine whether the company is affected.

    ▪️ Sectors: Clarify whether the company is active in one of the 18 regulated sectors.

  2. Registration with the BSI (until March 6, 2026)

    ▪️ Step 1: Create an account at "My Business Account" (MUK).

    ▪️ Step 2: Register in the BSI portal (ELSTER certificate + password) by March 6, 2026.

  3. Implementation of the security measures

    ▪️ NIS2: Risk management, technical protection measures, training.

    ▪️ CRA: Establish vulnerability processes, prepare product compliance.

    ▪️ KRITIS: Create physical security concepts, carry out risk analyses.

  4. Establish reporting system

    ▪️ NIS2: 24-hour reporting process for security incidents (BSI portal).

    ▪️ CRA: Prepare for vulnerability reports from September 2026.

NIS2, CRA & KRITIS: Four concrete recommendations for action for companies

  1. Act now: Conduct NIS2 impact assessment and complete registration by March 6, 2026.

  2. Prioritize risk management: implement 10 core measures, prepare documentation.

  3. Establish reporting processes: 24-hour reporting for incidents, CRA vulnerability reports from September 2026.

  4. Conduct training courses: Raise awareness among management and employees.

Foreign companies: Check whether NIS2/CRA obligations apply due to services in Germany.

NIS2, CRA & KRITIS: Our conclusion

NIS2, CRA and the KRITIS Umbrella Act do not require a short-term reaction, but rather strategic anchoring. Those who consistently dovetail regulatory requirements with their own security strategy not only strengthen compliance, but also the resilience of the entire organization.

Our experience from numerous implementation projects shows that the decisive factor is a structured approach that combines regulatory requirements with existing processes, governance structures and technical measures. This is because sustainable solutions are created when regulatory, organizational and technical aspects are considered and implemented holistically.


Caption: Image generated with AI