Germany’s KRITIS Umbrella Act (KRITIS-Dachgesetz): What Physical Security Compliance Means in Practice

What the KRITIS-Dachgesetz means for critical infrastructure operators and where drone detection fits in.

A New Legal Baseline for Physical Security

The KRITIS-Dachgesetz (KRITIS-DachG), which entered into force on 17 March 2026, is Germany's transposition of the EU's Critical Entities Resilience Directive. It is the first German law to establish binding requirements for the physical protection of critical infrastructure, not just cybersecurity. The all-hazards framework it introduces covers sabotage, terrorist attacks, natural disasters, and technical failures. Where these threats can materialise through aerial means, including drones, they fall squarely within the law's scope, even though the legislation does not name UAS specifically.

Previous German critical infrastructure legislation focused almost entirely on IT security through NIS2 and the BSIG. The KRITIS-DachG closes that gap. Operators in eleven sectors — energy, transport, water, health, IT and telecommunications, finance, food, space, municipal waste, social security, and digital infrastructure — are now required to assess physical threats, document protective measures, and demonstrate implementation to the authorities.

For the first time, physical security carries the same legal weight as cybersecurity in Germany. The all-hazards framework means aerial threats cannot reasonably be excluded from a compliant risk assessment.

Drones as a Physical Security Consideration

The KRITIS-DachG does not name drones in its text. What it does require is that operators assess and address physical threats under an all-hazards approach — and drone-based threats fit that category directly. German security authorities have made the risk picture clear: the BKA's internal situational reporting recorded over 1,200 suspicious drone flights across Germany in 2025, with military sites, airports, and energy infrastructure among the most frequently affected. The regulatory framework is now aligning with a threat that has been visible for some time.

Notably, published implementation guidance for the KRITIS-DachG explicitly cites drone detection as an example of a surveillance measure operators may need to include in their resilience plans — alongside perimeter security, access controls, and video systems. This makes the connection between the law and aerial detection systems a practical one, grounded in the BBK's own guidance rather than in interpretation alone.

Drone threats relevant to KRITIS facilities

  • Reconnaissance and espionage over protected sites
  • Targeting of substations, towers, and control centres
  • Payload delivery to restricted areas
  • Disruption to inspection and maintenance operations
  • Airspace intrusions during high-visibility periods

How DIDIT supports the obligation

  • DIDIT produces the documented monitoring record the law requires
  • Incident data automatically logged and ready for authority reporting
  • Camera integration provides visual verification for audit purposes
  • On-premise architecture keeps all data on German-controlled infrastructure
  • Pre-deployment simulation tools generate documented site risk assessments

Get ready for KRITIS compliance — starting with airspace security

DIDIT gives critical infrastructure operators the detection infrastructure, incident documentation, and audit-ready evidence trail they need to meet the physical security obligations of the KRITIS-DachG. We are happy to walk you through a site assessment or a compliance consultation. Get in touch through our email or website.
