As of: 22 April 2026
The NIS2 Implementation Act has been in force since 6 December 2025, the KRITIS Umbrella Act was passed by the Bundestag on 29 January 2026, and the BSI has published a revised criteria catalogue for secure cloud computing as C5:2026. Cloud operators in Germany now have to read these three frameworks together rather than working through each one in isolation. Anyone who fails to treat the triad as a single unit risks paying for compliance twice and building parallel structures that nobody wants to maintain.
Key Takeaways
- Three frameworks at once: The NIS2 Implementation Act (in force since 06.12.2025), the KRITIS Umbrella Act (Bundestag, 29.01.2026), and the BSI catalogue C5:2026 apply concurrently to cloud operators with KRITIS relevance (Federal Government on NIS2 implementation).
- Scaled exposure: More than 30,000 companies in Germany are newly subject to expanded security obligations. Cloud operators are often addressed on three levels simultaneously: as important or particularly important entities, as KRITIS facilities, and as processors for third parties.
- C5:2026 recalibrated: The BSI’s revised catalogue covers 168 criteria across 17 subject areas, with new requirements for container management, post-quantum cryptography, and confidential computing.
- Multi-cloud is possible, but not neutral: AWS, Microsoft Azure, and Google Cloud all hold C5 attestations, but the scope differs per service and per region. Anyone running multiple hyperscalers must determine, for each KRITIS workload, exactly which attestation scope (service, region and report edition) covers each component.
- The window is tight: NIS2 registration and reporting obligations are now active, and the first BSI audits based on the new frameworks are scheduled for summer 2026.
What exactly applies from when
What is KRITIS in the regulatory sense? KRITIS refers to critical infrastructures whose failure or disruption would trigger significant supply shortages or threats to public safety. The sectors include energy, water, food, IT and telecommunications, healthcare, finance and insurance, transport and traffic, as well as government and public administration. The legislature defines thresholds per sector, above which a facility qualifies as KRITIS and assumes corresponding obligations.
The NIS2 Implementation Act has significantly expanded the scope of addressees. In addition to the classic KRITIS operators, particularly important and important entities are now also subject to extended security requirements — a change that, according to analyses by the BSI and the specialist portal OpenKRITIS, affects around 30,000 companies in Germany. This is relevant for cloud operators because they often both operate their own IT infrastructure as critical infrastructure and provide services to other KRITIS entities.
The KRITIS Umbrella Act, adopted by the Bundestag on 29 January 2026, adds a physical resilience dimension to the picture. While NIS2 focuses on cybersecurity, the Umbrella Act targets protection against natural hazards, sabotage and hybrid threats. For data centre operators, this is a key signal: site security, access control and backup power supply are gaining an additional regulatory framework.
Source: BSI Federal Office for Information Security, OpenKRITIS, as of April 2026.
What is new in C5:2026
The BSI criteria catalogue C5 has been the reference framework for secure cloud computing in Germany since 2016. The revised version C5:2026 restructures the audit areas and introduces three topics that were either absent or only touched on peripherally in previous editions. First, container management: the requirements for runtime security, image scanning and network policies have been expanded and formulated more explicitly. Second, post-quantum cryptography: cloud operators must demonstrate a documented migration path for long-lived data requiring protection. Third, confidential computing: for workloads with a high protection classification, the use of hardware-backed trust zones such as Trusted Execution Environments (TEEs) is incorporated into the criteria catalogue.
For cloud operators with KRITIS relevance, C5 is no longer a voluntary attestation but a de facto industry standard. Cloud services processing health data have been required to hold a C5 attestation since 1 July 2024 under the Digital Act; other regulated sectors are following suit in practice. Audits are conducted by certified public accountants as attestation engagements and result in a type 1 report (suitability of control design at a point in time) or a type 2 report (operating effectiveness over an audit period). Customers in regulated sectors increasingly ask for type 2, so the report type is worth checking alongside the edition.
In practice, this means the following for DACH cloud teams: anyone using C5 attestations to meet customer requirements must incorporate the new 2026 topics into their own audit cycle. Anyone reviewing attestations from their suppliers should look carefully at whether the 2026 version or the older edition formed the basis. Transitional deadlines are set out in the catalogue and vary by topic.
What Multi-Cloud Means in This Context
All three hyperscalers — AWS, Microsoft Azure, and Google Cloud — hold C5 attestations for key services, though not across the board. Each provider defines, on a per-service and per-region basis, which certifications apply and which do not. For a KRITIS workload distributed across multiple hyperscalers, comparing scopes is anything but a formality.
A concrete example. Anyone operating a patient management system in Germany needs C5 coverage for the entire chain. If the database and application run on AWS Frankfurt, the analytics layer on Azure Germany West Central, and certain backup volumes flow through Google Cloud europe-west3, an attestation covering that service in that region must be in place for each component. If one is missing, the operator's own attestation cannot rest on that component, and the workload falls out of C5 coverage until the provider extends its scope or the subsystem is migrated to a covered service.
At the same time, the KRITIS Umbrella Act applies at the site level. An organisation running its primary production environment in a Frankfurt data centre that itself qualifies as a critical facility, with disaster recovery in Ireland, must include the DR site in its resilience assessment even though it is not the primary environment. The combination of NIS2 obligations (cybersecurity), the KRITIS Umbrella Act (physical resilience), and C5 criteria (cloud-specific auditing) produces a matrix that must be worked out individually for each KRITIS workload.
Comparison of the Three Regulatory Frameworks
| Dimension | NIS2 Implementation Act | KRITIS Umbrella Act | BSI C5:2026 |
|---|---|---|---|
| Status | In force since 06.12.2025 | Bundestag 29.01.2026 | Published 2026 |
| Focus | Cybersecurity obligations | Physical resilience | Cloud criteria catalogue |
| Addressees | KRITIS, important and particularly important entities | Operators of critical facilities | Cloud providers and users |
| Audit/Proof Format | Reporting obligation, BSI audit | Resilience verification | Auditor attestation |
| 2026 Update | Expanded scope of addressees | Site resilience focus | Containers, PQC, Confidential Computing |
Sources: BSI, BMI, official legislative texts from the Bundestag and Bundesrat, OpenKRITIS analyses, as of April 2026.
The Pragmatic Implementation Plan
For cloud operators with KRITIS relevance, a five-step plan has proven effective in practice — one that treats the three regulatory frameworks as interconnected workstreams. Step one: inventory. Which workloads run where, what classification do they carry, which vendors are involved. Without this inventory, every subsequent step is flying blind.
Step two: classification of scope. Does the organisation fall under NIS2 as a KRITIS operator, an important entity, or a particularly important entity, and does the KRITIS Umbrella Act (KRITIS-Dachgesetz) apply on top of that for its physical sites? The classification determines the depth of obligations, the reporting cadence, and the registration requirements.
Step three: the vendor matrix. Which cloud service holds which C5 attestation, in which edition, of which report type, covering which regions. In practice, most projects end up managing this in a spreadsheet that needs updating with every new service launch and every scope change. Specialised GRC tools automate the upkeep, but they come at a cost.
Step four: policy harmonization. Internal guidelines for access control, incident response, data classification, and backup must be aligned against the requirements of all three frameworks. Many organizations carry historically grown policies that address multiple topics in parallel while being inconsistent at the edges. A harmonization sprint resolves this and saves considerable debate time in later audits.
Step five: audit cadence. Organisations using C5 attestations plan their review cycle with their auditor. Those running NIS2 reporting align the cadence with the BSI. Those fulfilling KRITIS Umbrella Act obligations schedule resilience exercises. Managing three cycles in parallel within a single annual plan is logistically demanding, but entirely workable when one GRC team owns the calendar.
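As an added example (not code from the article, the BSI or any cloud provider), the following Python script turns steps one and three into something machine-checkable and replays the patient-management scenario from the multi-cloud section: every component of a workload is matched against a vendor matrix of attestation scopes, and each workload gets a status plus its coverage ratio, which is the per-workload attestation coverage KPI. All workloads, services, regions, edition labels and scope rows are constructed for illustration. The decision rules (a type 2 report is required behind high-protection components, a report whose period ended more than a year ago is stale, an older edition is flagged as advisory rather than blocking) are assumptions standing in for an organisation's own policy, not rules taken from C5.

```python
"""Attestation-scope check for multi-cloud KRITIS workloads.

Added example; not code from the article, the BSI or any provider. Every
workload, service, region, edition label and scope row below is constructed
to illustrate the check. Real scope data must be transcribed from each
provider's current C5 report.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    workload: str
    protection_class: str  # constructed labels: "normal" or "high"
    provider: str
    service: str
    region: str


@dataclass(frozen=True)
class Scope:
    """One row of the vendor matrix: which service/region a report covers."""
    provider: str
    service: str
    region: str
    c5_edition: str   # label only, e.g. "C5:2020" or "C5:2026"
    report_type: int  # 1 = design at a point in time, 2 = operating effectiveness over a period
    period_end: date  # end of the audit period the report covers


# Step one, inventory (constructed): the patient-management scenario plus a second workload.
INVENTORY = [
    Component("patient-mgmt", "high", "aws", "rds", "eu-central-1"),
    Component("patient-mgmt", "high", "aws", "ec2", "eu-central-1"),
    Component("patient-mgmt", "high", "azure", "synapse", "germanywestcentral"),
    Component("patient-mgmt", "high", "gcp", "cloud-storage", "europe-west3"),
    Component("billing-batch", "normal", "aws", "ec2", "eu-central-1"),
    Component("billing-batch", "normal", "aws", "s3", "eu-central-1"),
]

# Step three, vendor matrix (constructed). Deliberate gap: no row for gcp/cloud-storage/europe-west3.
SCOPES = [
    Scope("aws", "rds", "eu-central-1", "C5:2026", 2, date(2026, 3, 31)),
    Scope("aws", "ec2", "eu-central-1", "C5:2026", 2, date(2026, 3, 31)),
    Scope("aws", "s3", "eu-central-1", "C5:2020", 2, date(2025, 9, 30)),
    Scope("azure", "synapse", "germanywestcentral", "C5:2020", 1, date(2025, 12, 31)),
]


def assess(inventory, scopes, as_of, *, required_edition="C5:2026", max_report_age_days=365):
    """Match every component against the scope matrix and classify findings.

    The policy encoded here is an assumption for the example, not a C5 rule:
    - a missing scope row, a report whose period ended more than max_report_age_days
      ago, or a type 1 report behind a high-protection component is blocking;
    - a report against an older edition is advisory (transition deadlines vary by topic).
    """
    by_key = {(s.provider, s.service, s.region): s for s in scopes}
    reports = {}
    for c in inventory:
        r = reports.setdefault(c.workload, {"components": 0, "covered": 0, "blocking": [], "advisory": []})
        r["components"] += 1
        where = f"{c.provider}/{c.service}/{c.region}"
        s = by_key.get((c.provider, c.service, c.region))
        if s is None:
            r["blocking"].append(f"{where}: no C5 scope row")
            continue
        r["covered"] += 1
        age = (as_of - s.period_end).days
        if age > max_report_age_days:
            r["blocking"].append(f"{where}: report period ended {age} days ago")
        if c.protection_class == "high" and s.report_type != 2:
            r["blocking"].append(f"{where}: type {s.report_type} report, type 2 required")
        if s.c5_edition != required_edition:
            r["advisory"].append(f"{where}: attested against {s.c5_edition}, not {required_edition}")
    for r in reports.values():
        r["coverage"] = r["covered"] / r["components"]
        if r["blocking"]:
            r["status"] = "gap"
        elif r["advisory"]:
            r["status"] = "compliant-with-findings"
        else:
            r["status"] = "compliant"
    return reports


def portfolio_kpis(reports):
    """Dashboard figures: attestation coverage per workload, rolled up."""
    return {
        "workloads": len(reports),
        "workloads_with_gaps": sum(1 for r in reports.values() if r["status"] == "gap"),
        "mean_coverage": sum(r["coverage"] for r in reports.values()) / len(reports),
    }


if __name__ == "__main__":
    result = assess(INVENTORY, SCOPES, date(2026, 4, 22))
    for name, r in result.items():
        print(f"{name}: {r['status']} ({r['covered']}/{r['components']} components covered)")
        for line in r["blocking"] + r["advisory"]:
            print("   ", line)
    print(portfolio_kpis(result))
```

Run against the constructed data as of 22 April 2026, the patient-management workload comes out as a gap for two independent reasons (no scope row for the Google Cloud backup component, and a type 1 report behind a high-protection analytics component), while the billing workload is fully covered but carries an advisory finding because S3 is attested against the older edition. Separating blocking from advisory findings is the point: a missing or stale attestation stops the workload, whereas an older edition is a deadline question to settle against the catalogue's transition rules.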
What regularly goes wrong in practice
Two mistakes repeat themselves in consulting engagements. The first is parallel organisation. One team handles NIS2, another C5, a third the KRITIS umbrella act. Nobody sees the overlaps. The result: asset lists maintained in triplicate, contradictory incident processes, and an unnecessarily high compliance bill. Organisations that plan all three topics together from the outset save between 20 and 40 percent of the effort, according to internal analyses by major data centre operators.
The second mistake involves supplier dependencies. A cloud operator whose own attestation depends on a hyperscaler service that is covered only by a provisional or time-limited attestation will find itself without current confirmation the moment the hyperscaler changes the service scope or the report period lapses. Such changes occur more frequently than companies expect, because cloud catalogues grow dynamically. A contractual right to be notified of scope changes has therefore become standard practice with suppliers, though it has not yet been adopted everywhere.
A third question is routinely underestimated: which internal KPIs actually demonstrate compliance. Process compliance without metrics simply becomes an audit topic in the next cycle. Organisations that track incident response times, the interval between patch availability and deployment, attestation coverage per workload, and the number of open findings within a shared dashboard structure can speak credibly to supervisory boards and the BSI. Without those figures, compliance remains purely narrative.
A fourth gap shows up in the documentation of reporting chains. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, intermediate status updates on request, and a final report within one month. The KRITIS Umbrella Act adds reporting paths for physical events. Organisations that have not drilled their escalation routes will lose hours to coordination in a real incident, hours they need for analysis and containment. A semi-annual tabletop exercise involving legal and communications teams is therefore a fixed component of a mature compliance organisation, not an optional extra.
A fifth aspect concerns the interface with insurers. Cyber policy terms have tightened noticeably over the past 18 months. During policy negotiations and audit interviews, insurers now ask for the C5 attestation version, the NIS2 classification, and documented incident response times. Organisations that cannot produce these documents readily risk premium surcharges or reduced coverage in the event of a claim.
Conclusion
The NIS2 Implementation Act, the KRITIS umbrella act, and BSI C5:2026 are not a checklist to tick off — they form an integrated regulatory framework for cloud operators with KRITIS relevance. Treating all three as a single unit reduces both effort and risk simultaneously. Running them separately builds parallel structures that collapse under audit scrutiny. The implementation timeline through autumn is tight but achievable, provided that inventory assessment, supplier matrix, and policy harmonisation begin now. The gap between a well-prepared and a poorly prepared cloud operator will become visible in Q4 2026, when the first complete audit cycles run.
Frequently Asked Questions
Does every cloud startup now need to implement the compliance triad?
No. The thresholds defined by the NIS2 implementation and the KRITIS regulation limit the scope of affected entities by size, sector, and specific criteria. Smaller providers with no KRITIS relevance continue to be subject only to general IT security obligations under the GDPR and telecommunications law. The triad becomes relevant once an organisation qualifies as an important entity, an essential entity, or a KRITIS facility.
Which sectors are most heavily affected?
Healthcare, financial services, energy, transport, and public administration sit at the centre of the expanded obligations. Cloud operators delivering services to these sectors often fall indirectly within scope, because their customers demand attestations and evidence that the operator can only provide by implementing the triad itself.
Does a hyperscaler’s C5 attestation cover your own compliance?
No. A hyperscaler's C5 attestation covers the underlying infrastructure, not your own application, your data classification, or your processes. Cloud operators typically need an attestation of their own that either brings the hyperscaler's controls into its scope or references the hyperscaler's report and carves them out. In the carve-out case, the complementary controls the hyperscaler expects its customers to operate (identity and access configuration, encryption key handling, logging) must be demonstrably covered on the operator's side.
How does the KRITIS umbrella law relate to NIS2?
NIS2 addresses cybersecurity; the umbrella law addresses physical resilience. In practice, incident management, risk analysis, and reporting obligations overlap significantly. Building a single process that satisfies both frameworks simultaneously eliminates duplicate effort and reduces the risk of contradictory incident reports.
What does post-quantum cryptography mean in the C5 context?
C5:2026 requires a documented migration path for long-lived sensitive data. That does not mean every algorithm currently in use must be replaced immediately. It means cloud operators must present a plan showing how they intend to migrate to NIST-standardised quantum-resistant algorithms (ML-KEM, ML-DSA and SLH-DSA, published as FIPS 203, 204 and 205 in August 2024), which data is prioritised, and what transition timelines apply. The BSI's own TR-02102 recommendations favour hybrid combinations with established classical algorithms during the transition, which a migration plan should reflect.
More from the MBF Media Network