With the KRITIS umbrella act and NIS2, physical security is no longer a matter of discretion for many companies.
Security managers who want to commission a physical penetration test often face the same internal questions: What exactly happens during such a test? How is it legally secured? Who needs to be involved? And what arguments can be used to justify the budget to management or the supervisory board?
This article answers these questions in such concrete terms that you can use the answers directly in your organization.
What do the KRITIS umbrella act and NIS2 mean in concrete terms for the physical security of companies?
The KRITIS umbrella act, which was passed by the German Bundestag on January 29, 2026, is the national implementation of the EU CER Directive. For the first time, it stipulates across all sectors that operators of critical facilities must not only introduce physical security measures, but also prove their effectiveness.
Specifically, operators must register with the Federal Office for Civil Protection and Disaster Assistance (BBK) by July 17, 2026. Nine months after registration, an initial physical risk analysis is due, followed by subsequent analyses every four years (Section 12 KRITISDachG). The implementation of the resulting resilience measures must be demonstrated to the BBK every two years. Violations are punishable by fines in the millions, and personal liability of management is expressly provided for.
At the same time, NIS2, implemented in the German NIS2 Implementation Act of December 6, 2025, requires around 30,000 companies to take appropriate technical and organizational measures, including explicit physical protection measures.
For security managers, this means that both sets of regulations not only require measures to be in place, but also that their effectiveness can be proven.
A physical penetration test provides precisely this proof under real conditions, as a basis for risk analysis and as documentation for the authorities.
What happens during a physical penetration test?
A physical penetration test checks whether your protective measures hold up when someone deliberately challenges them. The question is not whether they are in place, but whether they work under real conditions.
At 10 of the 12 locations that RH Security has tested in recent months, the answer was no. All of them had fences, cameras, and an external security service. During a regular inspection, they would probably have been given the green light. They failed the test.
An inspection checks whether protective measures are in place. A penetration test checks whether they hold up.
1. Preparation
Before we enter a site, a kick-off meeting takes place, usually with the security officer and management. The scope of the test and the framework conditions are specified in writing: Which locations will be tested, in which time periods, and which methods are permitted? Are there areas that must be excluded for operational reasons? Who is privy to the information, and who is not? In addition, we determine how to escalate in the event of an unforeseen situation and who must be available internally.
2. Implementation
What we almost always see during implementation: Structural defects in fences or access points and process gaps in ongoing operations occur together. Addressing only one issue will not completely solve the problem.
In many cases, a supposed service technician with the right equipment and a plausible story can get through without any problems. We make targeted use of peak times and shift changes because controls often break down under pressure. We check whether tailgating, i.e., unauthorized persons slipping in behind an authorized person, is detected and addressed. And we check whether camera surveillance during ongoing operations actually captures what it was set up to capture.
Everything is documented: photos, timestamps, observations, and a precise description of the methods used.
3. Evaluation
Upon completion, you will receive a written report tailored to your location. It contains prioritized vulnerabilities, assessed according to probability of occurrence and potential damage, as well as specific recommendations for action, sorted by immediately implementable points and medium-term investments. The report is structured in such a way that it can be passed on to management, the supervisory board, and external auditors.
Typical vulnerabilities in fences, gates, access control, and control centers
Based on our experience, the most common vulnerabilities can be divided into four areas.
Fences and perimeters
In almost 70% of the standard fences we inspected, the installation was faulty and screws were accessible from the outside. In just as many cases, there was visible damage, vegetation growth that could be used to climb over the fence, or open spaces at transitions to neighboring properties. Not a single location had a functioning anti-climb protection system.
In addition, there is one point that is systematically underestimated: a fence without privacy protection gives potential attackers time. Anyone who can look at a site undisturbed from the outside can study routines, record vehicle movements, and choose the optimal time. The actual attack then begins when it is already well prepared.
Gates and access roads
Gates usually fail not technically, but procedurally. Overworked gatekeepers who simultaneously handle visitors, answer phone lines, and wave delivery vehicles through. Suppliers who are not checked or only superficially checked. General visitor passes that do not restrict the area of stay.
The pattern behind this is almost always the same: control works when there is sufficient capacity. Under load, the process breaks down.
Access control
Cards being passed between colleagues. Doors that don’t lock and are not reported by anyone. Tailgating, which is prohibited but never addressed because the situation is socially awkward. Authorization profiles that have never been cleaned up and continue to allow access to former employees or service providers. In many cases, the problem lies less with the technology used than with the processes surrounding it.
Control centers and control rooms
In many companies, the control center is not secured separately. It is located in an area designed for general office operations, not for security-critical infrastructure. Shared IT and control system infrastructure without additional physical separation, no dedicated airlock. In one of our tests, we stood unchallenged within sight of the control center after 17 minutes, wearing a high-visibility vest and carrying a clipboard.
Legal framework before the first day of testing
The question of the legal framework is usually raised at the very beginning of internal discussions, and it is a legitimate one.
A physical penetration test is a simulated attack on your own property, expressly commissioned and approved by you. The legal basis is the commissioning and service contract, which regulates the scope of the test, permitted methods, liability issues, and confidentiality.
The following points must be regulated in the contract:
1. Scope and limits of the test
Which locations, building areas, and time periods are included? What is explicitly excluded? No escalation against your own personnel, no endangerment of persons or facilities, no damage to property.
2. Group of people in the know
As a rule: management, security officer, legal department. The security service is typically not aware of this, as it is part of the test. This point must be clearly communicated internally in advance so that no liability issues remain unresolved in the event of an incident.
3. Emergency protocol
What happens if a test employee is apprehended by your own security personnel? A clear chain of command is required, with an internally accessible contact person who can confirm the test as such at any time.
4. Liability
Who is liable for any damage caused during the test? This must be contractually agreed before the test begins.
With a clearly drafted contract, the test is legally secure.
How often should a physical penetration test be performed?
The KRITIS umbrella act provides reliable legal guidance for the first time: physical risk analysis at least every four years (Section 12 KRITISDachG), obligation to provide evidence to the BBK every two years. A physical penetration test is a useful preparatory tool because it provides the basis on which the risk analysis is built.
Regardless of the legal cycle, an event-driven test is advisable: after structural changes at the site, after personnel changes in the security service or at the service provider, after a security incident, even if it turned out to be minor, and if the threat situation for your own sector has noticeably worsened.
Justify the budget to management and the supervisory board
In management meetings, simply pointing out physical security gaps is rarely enough. Concrete arguments formulated in the language of the decision-makers are helpful.
Four arguments for the management meeting
1. Legal obligation and personal liability
The KRITIS umbrella act obliges operators of critical facilities to demonstrably implement appropriate physical protective measures. Violations are punishable by fines in the millions, and the personal liability of management is expressly provided for in the act. A documented penetration test proves that this obligation has been fulfilled not only on paper, but also under real conditions.
2. Costs of a real incident
A physical attack on a KRITIS site has consequences far beyond the immediate damage: business interruption, reputational damage, regulatory investigations, insurance issues. Make a conservative estimate of this damage and compare it with the test budget. In almost every case, the calculation is clear.
3. Prioritization instead of a scattergun approach
Without testing, either too much is invested in the wrong areas or too little, without knowing it. The report provides a prioritized list of measures that can be used directly as a basis for investment.
4. Relief for management
After an incident, the first question is: What did the company do to protect itself? A documented penetration test with measures derived from it provides a clear answer. The absence of such evidence is also a statement.
Recommendation for management meetings
One to two pages are usually sufficient for a supervisory board meeting or management meeting. The core: regulatory starting point, conservative damage estimate, test budget comparison, clear recommendation with timetable.
Why a one-time test is not enough
A test is a snapshot.
It shows where the gaps are on the day of the test. However, for the findings to have a lasting effect, they must be integrated into everyday life:
Immediate measures
Some points can be implemented immediately: correcting the fence installation, introducing checklists at the gate, cleaning up authorization profiles. These measures cost little and close the most critical gaps.
Training and briefing
Most vulnerabilities arise from behavioral routines. Security personnel who do not address tailgating because it is socially awkward. Employees who hold doors open without thinking about it. Such patterns cannot be remedied by technology alone.
Ongoing quality assurance
Unannounced spot checks between major tests maintain standards. This is the function that an external partner takes on as an independent second authority alongside the security service, not as a replacement, but as a supplement.
The two locations that passed our tests had exactly that: a security concept that does not end with a one-time test.
If you would like to plan the next step, I would be glad to speak with you personally. Together, we will look at your specific situation and develop the most sensible next step.

Ivo Schendel
Owner and CEO of RH Security GmbH
Former police chief inspector with 20 years of experience in the North Rhine-Westphalia police force, including 10 years with the special forces. Today, he advises companies and private individuals on all security matters.