The CRITIS umbrella act (Umbrella Act for Critical Infrastructure Protection), Germany’s national implementation of the EU RCE directive, entered into force on March 17, 2026. What European and German critical infrastructure operators now need to know and implement.
The EU RCE directive (“Resilience of Critical Entities”, also referred to as the CER directive) requires operators of critical infrastructure to systematically strengthen their resilience. Key areas of action include risk management, resilience planning, and the deployment of appropriate security solutions – such as video security systems. Dallmeier supports critical infrastructure operators in implementing these requirements with cyber-secure, state-of-the-art video security technology.
Geopolitical threat landscape: Critical infrastructure in focus
The security situation in Europe has changed significantly in recent years. Geopolitical tensions, hybrid threats and targeted acts of sabotage highlight the vulnerability of critical infrastructure. Disruptions in energy, transportation, communications or water supply can have severe economic and societal consequences.
Recent examples illustrate this trend: sabotage of energy and rail infrastructure, drone overflights of sensitive facilities, and cyberattacks targeting critical infrastructure operators and their supply chains. The EU is responding with a clear strategy: to systematically strengthen the resilience of critical infrastructure across Europe.

“The challenging geopolitical situation and the new European resilience requirements clearly show that security strategies and technologies must now be approached holistically – and at management level. Only when cyber, physical and organizational security measures work together can critical infrastructure truly become resilient.”
Jürgen Seiler, Head of Business Development at Dallmeier electronic GmbH & Co.KG
European response: New regulatory frameworks NIS-2 and RCE
In recent years, the European Union has launched a series of regulatory initiatives to significantly enhance the security and resilience of critical infrastructure. In addition to the NIS-2 directive on cybersecurity, the CER directive addresses for the first time the physical resilience and physical security of critical entities and facilities.
For operators of critical facilities, this represents a paradigm shift: resilience is no longer understood solely as an IT or security issue, but as a holistic management responsibility. Cyber resilience, physical security, organizational crisis preparedness and supply chain resilience are increasingly being linked from a regulatory perspective – also taking geopolitical factors into account. This marks the first time a comprehensive European security approach has been established that considers cyber, physical and geopolitical risks together.

What is the RCE directive?
The EU RCE directive, which entered into force in January 2023, aims to systematically strengthen the resilience and physical security of critical facilities and entities across Europe. It applies to operators of critical infrastructure in defined sectors whose (critical) services are indispensable for the functioning of society and the economy (essential for public security and security of supply).
SECTORS:
Energy, transport and traffic, financial services, healthcare, drinking water and wastewater, digital infrastructure (ICT), food, space and public administration.
OBLIGATIONS:
Operators of critical facilities and entities must assess risks, implement resilience measures and prepare their organizations for disruptions, crises and outages.
RISKS AND THREATS:
The focus is in particular on physical threats such as sabotage, espionage, terrorism, natural disasters, geopolitical conflicts or hybrid attacks, where physical attacks are often combined with cyberattacks.
The CRITIS umbrella act in Germany – in force since March 17, 2026
EU member states are required to transpose the RCE directive into national law. The original deadline for national implementation was October 2024, which many countries did not meet. A good source on the status of national RCE implementations (as of March 2026) can be found online.
In Germany, the RCE directive is implemented through the so-called CRITIS umbrella act, which entered into force on March 17, 2026. For the first time, this act establishes a nationwide, cross-sector regulatory framework for the physical resilience of critical infrastructure.
The CRITIS umbrella act applies to operators in the core RCE sectors of energy, transport and traffic, financial services, healthcare, drinking water and wastewater, digital infrastructure (ICT), food, space and public administration. Additional sectors in Germany include municipal waste management as well as social security services and basic income support for jobseekers.
Critical thresholds and critical services
The specific addressees of the CRITIS umbrella act are operators of critical infrastructure in the sectors mentioned above whose (critical) services are indispensable for the functioning of society and the economy. The facility or critical asset must be essential to the overall supply in Germany and serve more than 500,000 people (coverage level | standard threshold). The exact asset categories and thresholds are defined in the existing CRITIS ordinance or in a new or amended statutory ordinance to be issued at a later date.
PS: Under certain conditions, the federal states may in future be able to designate critical operators or assets below the standard thresholds. In addition, there is ongoing political discussion about lowering the threshold from 500,000 to 150,000 people served.
Specific requirements: Risk analysis and resilience plan
In addition to identification, registration with the supervisory authority BBK and new reporting obligations for significant incidents, the act primarily requires operators to implement resilience measures based on a completed risk analysis.
As a result, operators of critical facilities face new requirements in terms of risk management, security measures and organizational resilience structures. A key element of the new regulation is the systematic risk analysis.
Operators of critical entities must identify and assess threats and vulnerabilities in a structured manner. These include, for example:
The results of this risk analysis form the basis for the development of a resilience plan.
Key provision of the CRITIS umbrella act for physical protection measures and resilience planning:
§ 13 “Resilience obligations of operators of critical facilities; resilience plan”
(1) (2) Operators of critical facilities are required to …
to ensure their resilience, in order to …
… guarantee adequate physical protection of sites and critical facilities…
(3) Measures to achieve these objectives may include:
a) structural, technical and organizational protection measures (physical site protection), such as site demarcation and impact-resistant façade elements,
b) tools and procedures for monitoring the surroundings,
c) the use of detection systems
Operators of critical entities are therefore required under §13, among other things, to implement measures to ensure adequate physical protection of their infrastructure.
These include in particular:
Video security technology as a key component of physical security and resilience
Video surveillance systems play a central role in protecting critical infrastructure. Through optical detection and verification, they serve not only traditional security monitoring purposes, but also prevention, situational awareness and rapid response to security-related incidents.
Intelligent video systems can, for example, detect unauthorized access, monitor security-critical areas, identify sabotage attempts, respond automatically to events and alarms, and support response forces in assessing situations.
Modern video security systems enable, among other things:
Particularly in large-scale critical facilities with long observation distances and extensive areas to be monitored – such as energy infrastructure or transport hubs like airports – suitable video surveillance systems are a key component of physical security concepts.

PS: Beyond security processes, smart video management systems and AI-based video analytics can also help to significantly improve the efficiency of operational workflows and processes through data generation and analysis. One example is the reduction of waiting times at airports.
3D security planning as part of resilience planning
A key foundation for effective resilience measures is precise security planning. Modern video surveillance projects are therefore often developed at the planning stage using 3D simulations and digital site models.
Such 3D planning enables operators of critical facilities to identify security risks at an early stage and strategically plan appropriate measures. Camera positions, fields of view, critical areas and potential attack vectors can be simulated in a realistic manner. In addition, 3D planning is often a key success factor in addressing justified or unjustified data protection concerns raised by relevant data protection stakeholders.
This type of 3D security planning helps operators to systematically derive security measures from the risk analysis and to document and visualize them in the required resilience plan.

Conclusion: Physical resilience becomes a management responsibility with liability implications
With the RCE directive and its national implementation across EU member states – in Germany, for example, through the CRITIS umbrella act – the physical security of critical infrastructure is becoming a central management responsibility.
Operators and their executive management will be required to systematically assess risks, develop resilience plans and implement appropriate technical protection measures.
The combination of risk analysis, organizational resilience planning and modern security technology forms the foundation for a sustainable and resilient security strategy.
According to §20 of the German CRITIS umbrella act, responsibility for the implementation and continuous monitoring of security and resilience measures lies explicitly with executive management. They are therefore not only required to comply with regulatory requirements, but may also be held personally liable in the event of breaches of duty if they cannot demonstrate that appropriate organizational measures have been taken to ensure implementation and oversight vis-à-vis the supervisory authority.

Our personalized offering
With cyber-secure video security technology “Made in Germany”, in accordance with the state of the art, with IT security features at product level and our own ISO 27001-certified, regularly audited security processes, Dallmeier supports customers affected by and subject to NIS-2 and RCE regulations in meeting their security requirements under European legislation.
If you would like to learn more about how we as a manufacturer of video surveillance solutions can actively support your NIS-2 and RCE strategy – from resilient and cybersecure systems to compliance services – please feel free to contact us. Our experts are ready to work with you to develop a NIS-2- and RCE-compliant solution.
Are you planning a video surveillance project and unsure how to take RCE, the CRITIS umbrella act and/or NIS-2 into account?
Secure your slot for a free 30-minute 1:1 talk (online) with our CRITIS expert Jürgen Seiler – well-founded and practical.