Countdown to KRITIS: Your Six-Step Access Checklist

What Is the KRITIS Umbrella Act?

The German KRITIS Umbrella Act, signed into draft law on November 6, is a response to two major European Union directives—NIS2 (Network and Information Security Directive, 2022/2555) and CER (Critical Entities Resilience Directive, 2022/2557). KRITIS impacts German operators of critical infrastructure (Kritische Infrastrukturen), defined as organizations or facilities whose disruption or failure would result in significant consequences for public safety, supply chain security or other essential societal functions.

By merging the NIS2 and CER directives into German law, KRITIS creates a holistic framework that addresses both cybersecurity and physical resilience. The act brings Germany into compliance with the EU's NIS2 and CER directives, which entered into force on January 16, 2023. EU member states are required to transpose these directives into national law; most member states are in the process of doing so now. Similar laws and regulatory frameworks for the protection of critical infrastructure have been passed in other parts of the world in recent years, including the United States, United Kingdom, India, Japan, China and South Korea. This wave of global regulatory action reflects an awareness of the vulnerability of infrastructure such as transportation, energy and medical systems in the face of rising threats from terrorism, natural disasters and cyberattacks.

Six Steps for KRITIS Compliance in Physical and Digital Access Control 

Physical and digital access control are cornerstones of the KRITIS Umbrella Act and similar global legislation. Access control systems protect both tangible assets (like buildings and equipment) and intangible ones (like networks and sensitive data) by restricting and monitoring who can access them. Effective access control ensures that only authorized personnel can interact with critical assets and sensitive data, reducing the risk of sabotage, theft, cyberattacks and operational disruptions. Here's how organizations can prepare their access systems for compliance with KRITIS and similar legislation.  

  1. Move to Passwordless Login with Strong, Phishing-Resistant MFA 

    Password-based systems are vulnerable to phishing and other cyberattacks. Transitioning to passwordless login with strong, phishing-resistant multi-factor authentication (MFA) enhances digital access security. This step aligns with NIS2 compliance requirements, addressing key cybersecurity risks while ensuring smooth, secure authentication for authorized personnel. The simplest way to implement passwordless, phishing-resistant MFA for digital applications is by using a radio-frequency identification (RFID) card or token with a user PIN or a near-field communication (NFC) mobile credential on the smartphone with a PIN or built-in biometrics. The same RFID/NFC credential can also be used for physical access.  

  2. Use Strong Encryption for Access Applications 

    To protect sensitive data in access systems, organizations must implement robust encryption protocols, such as AES-256 or advanced Elliptic Curve Cryptography (ECC), for all communications between devices and stored credentials. Strong encryption safeguards against unauthorized interception or tampering, ensuring compliance with both cybersecurity and physical security regulations. That includes encrypting communication between the RFID reader and the user card or smartphone and between the reader and backend systems for access management.  

  3. Modernize Physical Access Control (PAC) 

    Robust physical access control (PAC) systems are needed to safeguard critical infrastructure facilities from unauthorized entry, sabotage and physical threats that could disrupt essential services. Compliance may require upgrades to physical and hardware systems such as reinforced locks, anti-tampering for RFID readers and other security elements, secure entry barriers, and anti-tailgating measures such as turnstiles or mantraps. Organizations may want to implement a zoning strategy, where areas are segmented based on security levels, to limit the exposure of critical areas to unauthorized personnel. In secure areas, MFA methods such as PIN codes or biometric verification can be combined with the RFID/NFC access credential to prevent unauthorized access using a stolen card or smartphone.  

  4. Unify Physical and Digital Access 

    The KRITIS Umbrella Act takes a unified approach to physical security and cybersecurity. That's because physical and digital security are inevitably intertwined; cyberattacks can be used to sabotage physical systems or manipulate access systems to enable unauthorized entry, while a physical breach in a server room or other sensitive location may lead to a digital breach. Unified access systems that combine physical and digital access controls provide seamless management and monitoring of all entry points—both virtual and physical. In a unified system, the same user credential (card, token or mobile credential) can be used to unlock access to both physical assets (doors, turnstiles, elevators, equipment, etc.) and digital assets (e.g., through single sign-on (SSO) systems for files, applications and business systems.) In addition to increasing user convenience and simplifying access system management, unified systems enhance security by enabling better behavior monitoring and anomaly detection. 

  5. Implement Real-Time Tracking, Logging and Behavior Monitoring 

    Real-time tracking and behavior monitoring, often supported by AI-driven access management tools, enable organizations to detect anomalies or potential threats proactively. Comprehensive logging of access events ensures accountability and facilitates post-incident analysis. AI-driven analytics can be used to identify suspicious behavior or potential breaches, such as repeated failed entry attempts or location anomalies, and trigger real-time alerts or automated lockdowns for immediate response.  

  6. Establish Incident Response and Reporting Protocols 

    Regulations under KRITIS emphasize the importance of swift and effective incident response. Organizations should develop and maintain protocols for identifying, reporting and mitigating access-related security incidents. Organizations should also perform routine audits and penetration testing of access control systems to identify and mitigate potential weaknesses. This ensures the system remains robust and compliant with evolving standards and regulations, including KRITIS in Germany and similar laws across the EU and globally.

Need Help with KRITIS Compliance in Access Control?

Access control is not only a regulatory requirement but also a strategic investment in resilience, safeguarding essential services from cyberattacks, sabotage and operational disruptions. ELATEC, together with our partners, supports organizations in charge of critical infrastructure in Germany and around the world by helping them strengthen physical and digital access systems to address emerging regulations such as KRITIS. 

RFID and mobile credentials are at the heart of robust, secure and KRITIS-compliant physical and digital access systems. Our TWN4 MultiTech readers have the perfect combination of high-quality hardware (made in Germany and the U.S.) and powerful, customizable software for a future-proof solution.  

Your authentication update Subscribe to the ELATEC newsletter

THE ELATEC NEWSLETTER Your authentication update

As a frequent reader, you will always be up to date with the latest information on the topic of authentication, know the current trends and receive valuable tips. By signing up to our newsletter, we will make sure you won't miss any new blog articles ever again. And on top, you get even more exciting news on our products, events and industry trends.

Get in touch with us