Go to homepage
Table of contents

KRITIS umbrella act & IT Security Act 3.0

What companies need to consider now With the KRITIS umbrella act and the IT Security Act 3.0, legislators are significantly tightening the requirements for security, stability, and resilience of digital infrastructures. Even if not every company is formally classified as a KRITIS operator, many organizations are directly or indirectly affected—especially through IT dependencies, supply chains, and business-critical digital processes. Translated with DeepL.com (free version)

Published: 17.02.2026 Reading time: ~6 min
Ein moderner, hochgesicherter Rechenzentrums-Korridor mit leuchtendem "KRITIS"-Logo symbolisiert kritische IT-Infrastruktur in Deutschland.

For many companies, the question is therefore not so much whether, but how they need to deal with the new requirements. This article categorises the KRITIS umbrella law, highlights the key obligations and explains why cloud infrastructure plays a crucial role in this.

What does the KRITIS umbrella law regulate?

The KRITIS Umbrella Act implements the European CER Directive and expands the previous focus on traditional IT security. In future, the focus will be on the resilience of critical and business-relevant systems - i.e. the ability to remain capable of acting even in the event of disruptions, attacks or crises.

What is new above all is the holistic approach of the law. It no longer just looks at individual technical protective measures, but at the interplay between cyber security and physical security:

  • Cyber security and physical security
  • Technology and organisation
  • Prevention as well as crisis and emergency management

For companies, this means that security measures can no longer be viewed in isolation. They become part of an overarching operational, risk and infrastructure strategy.

The KRITIS umbrella law makes it clear that resilience is no longer an IT detail, but a management task. Today, companies must be able to prove that their systems are not only secure, but also continue to run stably under stress - technically, organisationally and operationally.

Sascha Vorderstemann,
CEO at elio GmbH

Porträt von Sascha Vorderstemann, elio GmbH

Which companies are affected?

Companies that are not classically classified as KRITIS should also take the law seriously. It is particularly relevant for organisations that

  • provide IT or cloud services for KRITIS-related industries
  • operate business-critical platforms or digital core processes
  • fall under NIS2, ISO 27001 or comparable regulations
  • have high requirements in terms of availability, data protection and operational security

Cloud, hosting and platform providers in particular are taking on greater responsibility. This is because they make a significant contribution to how resilient their customers' systems actually are.

Key requirements for companies

Risk and resilience management

A central component of the KRITIS umbrella law is the mandatory, structured risk analysis. Companies must assess risks not only technically, but also organisationally.

Typical questions are:

  • Which systems are critical to business operations?
  • What would be the impact of a failure or a targeted attack?
  • How quickly can systems be restored (RTO/RPO)?

A documented resilience and emergency concept thus becomes an integral part of modern IT governance.

Technical and organisational protective measures (TOM)

The law also requires verifiable measures to secure IT systems and data. These include, among other things

  • Identity and access controls (IAM, MFA, Zero Trust)
  • Network and client separation
  • Monitoring, logging and attack detection
  • Hardening of cloud and container infrastructures
  • Clearly defined responsibilities and documented processes

In cloud environments in particular, it is clear that it is not the individual tool that determines security, but the architecture and operation.

Reporting and verification obligations

In future, security incidents must be recognised, evaluated and reported in a structured manner. At the same time, the requirements for

  • traceable documentation
  • Audit and reporting capability
  • Clear escalation and communication processes

Companies without established operating and monitoring concepts quickly come under pressure to act.

Why cloud infrastructure is now a compliance issue

With the tightening of regulatory requirements, cloud infrastructure is no longer just seen as a technical foundation. It is becoming the central driver for compliance, security and operational stability.

Today, modern infrastructures must not only function, but must also be demonstrably compliant, fail-safe and auditable. Many compliance requirements - such as availability, accountability or logging - cannot be "set up" retrospectively. They must be technically anchored in the platform.

Professional cloud architectures provide key prerequisites for this:

  • Highly available setups with automated load balancing
  • Audit-proof logging, monitoring and incident management
  • Transparent access controls and clearly defined responsibilities

This means that compliance is not only planned, but can also be proven during operation.

Kubernetes: resilience through orchestrated operation

Container orchestration with Kubernetes is now the industry standard for dynamic application landscapes. But Kubernetes is far more than just a deployment tool. When operated correctly, it forms a foundation for resilient, traceable and scalable IT operations.

The key benefits include

  • automatic scaling and self-healing in the event of failures
  • Declarative configurations that make infrastructure statuses transparent
  • Clear segmentation of workloads for better security control

A professionally managed Kubernetes operation thus creates a resilient basis for implementing regulatory requirements such as reporting, verification and resilience obligations in a structured manner.

Modern platforms such as Kubernetes show that resilience can be planned - provided that operation, security and governance are considered together from the outset. This is precisely where it is decided whether regulation becomes a burden or a competitive advantage.

Simon Neuberger,
CTO at elio GmbH

Porträt von Simon Neuberger, elio GmbH

Sovereign OpenStack hosting in Germany

Another key aspect of regulatory requirements is data sovereignty. Cloud hosting in data centres of German companies plays a decisive role here.

The advantages include

  • Data storage in the German and European legal area
  • Physical locations that facilitate regulatory audits
  • Clear legal responsibilities

OpenStack as an open source cloud platform also offers transparency and flexibility. Private, hybrid or multi-cloud strategies can be implemented in a managed OpenStack environment - without vendor lock-in and with a high level of technical traceability. This makes hosting not only efficient, but also legally resilient.

Managed services: Operation as a compliance enabler

It is not just the infrastructure that is decisive for compliance with regulatory requirements, but also its ongoing operation. This includes

  • continuous monitoring
  • Centralised logging and alerting
  • Regular patch and vulnerability management
  • Operation in accordance with ISO 27001 and regulatory standards

Managed services ensure that these tasks are implemented in a permanent, documented and auditable manner. This creates clear responsibility between operator and customer - and an infrastructure that can also withstand audits.

Icon symbolisch für Vorteil: Bestehend aus einem blauen Kreis mit einem dunkelblauen Checkhaken

What companies should do now

A structured approach is recommended in order to remain capable of acting:

  1. Carry out an as-is analysis of security, resilience and compliance
  2. Prioritise critical systems
  3. Realistically evaluate cloud and operating models
  4. Think about the KRITIS umbrella law, NIS2 and ISO 27001 together
  5. Rely on professional, auditable operating models

Conclusion: Resilience is becoming a competitive factor

The KRITIS umbrella law is more than just a regulatory obligation. It marks a fundamental shift towards robust, secure and sustainable IT infrastructures.

Companies that invest in professionally operated cloud and security architectures now not only create regulatory security, but also greater availability and trust among customers, partners and supervisory authorities.

Anyone wishing to delve deeper into the interplay between cloud infrastructure, managed security and compliance requirements will find practical approaches not only at elio.

👉 Further information on secure, compliantly operated cloud environments can be found on the website of our partner main cloud solutions.

Further suitable content
Skip product gallery
Ein moderner, hochgesicherter Rechenzentrums-Korridor mit leuchtendem "KRITIS"-Logo symbolisiert kritische IT-Infrastruktur in Deutschland.
17 Feb 2026
KRITIS umbrella act & IT Security Act 3.0
What companies need to consider now With the KRITIS umbrella act and the IT Security Act 3.0, legislators are significantly tightening the requirements for security, stability, and resilience of digital infrastructures. Even if not every company is formally classified as a KRITIS operator, many organizations are directly or indirectly affected—especially through IT dependencies, supply chains, and business-critical digital processes. Translated with DeepL.com (free version)
Silhouetten von Geschäftsleuten beim Networking-Meeting bei Sonnenuntergang im modernen Büro mit Agentenic Commerce ACA Alliance Logo – Business Event Networking.
26 Jan 2026
Setting standards together: elio joins the Agentic Commerce Alliance
Agentic commerce marks the next evolutionary step in digital commerce. By joining the Agentic Commerce Alliance, elio is now actively committed to open standards, interoperable systems, and AI agents that not only think but also act.
EC-Kartengerät über dem eine Roboterhand schwebt und eine Zahlung tätigen will: Symbolisch für Agentic Commerce
14 Jan 2026
Agentic commerce explained: Why AI is fundamentally changing commerce
Agentic commerce shifts purchasing decisions from people to machines. Anyone who is not machine-readable, structured and connectable today will be overlooked in automated purchasing processes. This article shows what this means for eCommerce, B2B companies and the future of shops.
Aufgeklappter Laptop, der eine Bestellung in einem Online-Shop zeigt mit zwei Buttons: Jetzt kaufen (grün) und Kauf widerrufen (rot)
13 Jan 2026
Cancellation button becomes mandatory: What online shops need to know and implement by June 2026
The cancel button is coming: From June 19, 2026, online shops in Germany must enable their customers to cancel purchases digitally with a single click. What sounds like a minor feature has major legal, technical, and UX implications. This article explains what this really means, where the pitfalls lie, and why shop operators should take action now.
Symbolbild für E-Commerce Trends
4 Dec 2025
eCommerce trends for 2026: What shoppers really expect
The eCommerce trends for 2026 are not about new buzzwords, but rather about changing shopping behavior. Today's shoppers make decisions everywhere: in their feed, in search results, in chat, in stores. And they expect each of these experiences to be consistent. This article highlights the trends that will really matter in 2026 – from the perspective of the people who ultimately make the purchases.
e-commerce-peak-season
18 Nov 2025
Succeed through the peak season with elio Consulting Services
The countdown to the busiest e-commerce period of the year is on: Black Friday, Cyber Week, and the Christmas shopping season are just around the corner, bringing with them weeks in which stores not only achieve record sales but also reach their technical limits. Many retailers invest in campaigns, discounts, and new designs, but forget one crucial factor: the technical resilience of their store. If your site buckles under pressure, the potential of an entire season is at risk. This is exactly where professional performance optimizations such as those offered by elio Consulting Services come in.
shopware-update-flatrate
14 Nov 2025
Shopware Update Flatrate
Regular Shopware updates protect your online store from downtime, security vulnerabilities, and costly errors. The Shopware Update Flat Rate from elio ensures that your store remains stable and up to date at all times with predictable costs and expert support. Avoid risks and stay flexible!
Frame-65
13 Nov 2025
Agentic Commerce meets Shopware: How digital sales rooms are making sales smarter
Agentic Commerce explains: Learn how AI-driven agents are changing online retail, what role digital sales rooms play in this, and how guided and self-guided sessions are setting new standards in digital sales.
shopware-gartner-magic-quadrant
11 Nov 2025
Shopware in the Gartner Magic Quadrant
Shopware has been named a Visionary in the Gartner Magic Quadrant 2025. The digital commerce market is growing rapidly, driven by AI, innovation, and measurable business value. elio shows why Shopware, with its openness, scalability, and strong partner network, is perfectly suited to the digital future of small and medium-sized businesses.
E-Commerce Development
Volker Riedel

Head of Marketing