KRITIS-Dachgesetz Compliance for the Accountable Agentic SOC
Germany’s Critical Infrastructure Resilience Act enforces physical and cyber resilience for operators of critical facilities across ten sectors. Morpheus delivers BSI-grade investigation, 24-hour reporting, and one unified audit trail mapped to both BSIG and the Dachgesetz.
- 17 March 2026: Dachgesetz in force
- 24 hours: incident reporting window to BSI
- 10 sectors: in scope under the Dachgesetz
- ~30,000: German entities under combined NIS2 + Dachgesetz scope
What the KRITIS-Dachgesetz Requires
The first comprehensive physical resilience law for Germany’s critical infrastructure, paired with the cyber obligations operators already carry under the BSIG.
The KRITIS-Dachgesetz, Germany’s Critical Infrastructure Resilience Act, entered into force on 17 March 2026. It implements the EU Critical Entities Resilience Directive (CER, 2022/2557) and sets binding physical resilience requirements for operators of critical facilities across ten sectors.
The law works in tandem with the German NIS2 Implementation Act (NIS2UmsG), which entered into force on 6 December 2025 and expanded the cyber-resilience scope from roughly 4,500 to 30,000 regulated entities. Operators of critical facilities under the Dachgesetz are automatically “particularly important entities” under the revised BSIG, which carries the most stringent cybersecurity obligations the law defines.
Affected operators must register with both the BSI (cyber resilience) and the BBK (physical protection) by 17 July 2026. They must implement appropriate technical and organizational measures, name accountable management, and report significant incidents within 24 hours on the BSI’s Reporting and Information Portal (MIP).
Who Must Comply
Ten sectors fall under the Dachgesetz. Two tiers of obligation distinguish operators of critical facilities from other important entities.
The ten sectors in scope
The Dachgesetz extends the long-standing KRITIS sector list and brings two new categories into scope for the first time.
- Energy: electricity, gas, district heating, oil
- Transport: rail, road, aviation, maritime, urban logistics
- Healthcare: hospitals above the inpatient-case threshold, pharmaceutical manufacturers, blood and tissue institutions
- Drinking water and wastewater operators
- Finance: banks, payment processors, securities trading venues
- Food production and distribution
- IT and telecommunications: data centers, DNS providers, cloud services, electronic communications networks
- Space: ground-based infrastructure for satellite communication and Earth observation
- Waste disposal: municipal and industrial (new under the Dachgesetz)
- Public administration: federal authorities and central digital service operators (new under the Dachgesetz)
Two tiers of obligation. An operator of a critical facility, defined by sector and capacity threshold, sits in the highest tier under both the Dachgesetz and the BSIG. Other important entities carry NIS2 cyber obligations but not the physical resilience requirements of the Dachgesetz.
Where Most German SOCs Fail KRITIS Reporting
The 24-hour BSI MIP window is unforgiving. Three failure modes recur in German SOCs running on legacy SOAR.
Section 32 of the revised BSIG requires an initial significant-incident notification within 24 hours of awareness, an interim assessment within 72 hours, and a final report within one month. Each deliverable demands a depth of investigation that a Tier-1 analyst routinely cannot produce in time.
Three reporting failure modes
- Alert volume swamps the reporting clock. A regional Energieversorger (energy utility) SOC sees 8,000 to 14,000 daily alerts. Triaging them deeply enough to know whether 24-hour BSI notification applies is a workload most teams cannot complete inside the window.
- Static SOAR playbooks miss novel attack chains. Legacy playbooks branch on predefined IOCs. A supply-chain compromise that crosses identity, OT telemetry, and a managed cloud service breaks the playbook tree and forces manual escalation past the 24-hour mark.
- Disjointed audit trails leave gaps under audit. BSI auditors expect one coherent narrative per incident: what the operator detected, when, how it was confirmed, what was contained. SOCs running siloed SIEM, EDR, and SOAR consoles produce three trails that do not reconcile.
How Morpheus Delivers KRITIS-Grade Investigation
Autonomous L2+ investigation on every alert, produced inside the 24-hour BSI window.

Morpheus AI runs autonomous investigation on every alert, correlating signals across tools, validating IOCs, and reconstructing attack timelines. Attack Path Discovery, D3’s investigation engine, traces incidents East-West across identities, endpoints, cloud, and email infrastructure and North-South through 90 days of telemetry. Up to 95% of alerts close at L2+ depth in under 2 minutes.
For German operators, that closure depth maps directly to BSI reporting. The investigation produces a structured timeline, IOC validation chain, affected-asset list, MITRE ATT&CK mapping, and recommended containment, all inside a single audit trail. When a Tier-2 analyst reviews an incident for MIP submission, they read a finished investigation, not a stack of partial alerts.
- Up to 95%: alerts triaged at L2+ in under 2 minutes
- 99%+: customer-reported alert reduction
- 80%: MTTR improvement
- 800+: bidirectional integrations
One Audit Trail. Two Reporting Obligations.
The Dachgesetz and the BSIG impose overlapping but distinct reporting duties. Morpheus produces one investigation that addresses both.
Physical incidents under the Dachgesetz go to the BBK. Cyber incidents under the BSIG go to the BSI MIP. Many real incidents hit both at once. A coordinated attack on an Umspannwerk (substation), a ransomware event on a hospital’s clinical systems, a sabotage attempt on a Wasserwerk (waterworks) control loop: each triggers parallel notifications in the same operational hour.
Morpheus produces one investigation per incident. Sector-specific Agentic Tasks format the structured submission for each regulator’s template without rerunning the investigation, so the timeline, evidence chain, and MITRE mapping reconcile across both reports.
GRC-Native by Design
One purpose-built Cybersecurity Triage Reasoning Graph runs the investigation. Sector-specific Agentic Tasks format the output for each German regulator’s submission template. The audit trail does not fork.
EU Data Residency and the Canadian-Vendor Question
Where Morpheus runs, who the controller is, and how procurement teams in Bonn, Frankfurt, and München usually evaluate the deployment.
Morpheus is built and operated by D3 Security, a Canadian company. The platform is deployed on Azure regions including Ireland for EU data residency. For KRITIS operators concerned about cross-border data flow, that placement keeps customer telemetry, investigation artifacts, and audit trails inside the EU.
D3 ships under predictable, subscription-based pricing designed to avoid per-alert charges and token metering, the procurement shape most German operators prefer over consumption-metered SaaS.
Frequently Asked Questions
Common questions about KRITIS-Dachgesetz scope, BSI reporting, and how Morpheus delivers under both BSIG and Dachgesetz duties.
When did the KRITIS-Dachgesetz come into force?
The Bundestag passed the Dachgesetz on 29 January 2026. The Bundesrat approved it on 6 March 2026. The law entered into force on 17 March 2026. Affected operators must register with the BSI and the BBK by 17 July 2026, or within three months of first qualifying as a critical facility.
Is the KRITIS-Dachgesetz the same as NIS2 implementation?
No. The Dachgesetz implements the EU CER Directive (Critical Entities Resilience) and governs physical security and operational resilience. The German NIS2 Implementation Act (NIS2UmsG), in force since 6 December 2025, implements the EU NIS2 Directive and governs cybersecurity. Operators of critical facilities are typically subject to both laws and report through both the BBK and the BSI MIP.
Which sectors are covered?
Ten sectors: energy, transport, healthcare, drinking water, finance, food, IT and telecommunications, space, waste management, and public administration. The first nine were already in scope under the prior KRITIS regime. Municipal waste disposal and public administration are new under the Dachgesetz.
What is the incident reporting deadline?
For cyber incidents under the BSIG, the operator must submit an initial significant-incident notification to the BSI MIP within 24 hours of awareness, an interim assessment within 72 hours, and a final report within one month. The Dachgesetz adds a parallel notification path to the BBK for physical incidents on a comparable timeline.
How does Morpheus help meet the 24-hour BSI reporting window?
Morpheus closes up to 95% of alerts at L2+ depth in under 2 minutes. Each closed investigation includes the timeline, IOC validation, affected-asset list, MITRE ATT&CK mapping, and recommended response actions that BSI auditors expect in the MIP submission. Analysts review a finished investigation instead of assembling one under time pressure.
Where is Morpheus deployed for EU customers?
Morpheus runs on Azure regions including Ireland for EU data residency. Customer telemetry, investigation artifacts, and audit trails remain in EU jurisdiction. D3 Security, the platform vendor, is a Canadian company. The deployment model and contractual controller arrangement support GDPR-grade DPA terms.
What if an incident triggers both BSIG and Dachgesetz reporting?
Morpheus produces one investigation per incident. Sector-specific Agentic Tasks format the structured output for each regulator’s submission template, the BSI MIP for cyber and the BBK for physical, from the same underlying audit trail. The evidence chain and timeline reconcile across both reports.
Does Morpheus support BSI Schwachstellenmanagement (vulnerability management) and IT-Sicherheitskatalog (IT security catalogue) requirements?
Yes. Morpheus integrates with 800+ third-party tools across the security and OT stacks German operators rely on. Vulnerability findings from the Schwachstellenmanagementsystem are triaged through the same Attack Path Discovery engine that handles alerts, and the same audit trail captures the result. One investigation per finding replaces a static CVSS score; this is included in the platform subscription with no separate metering.
Can a regional MSSP serve multiple KRITIS operators on one Morpheus tenant?
Yes. Morpheus supports multi-tenant operations with tenant-isolated audit trails. Each operator’s investigation history, MIP submissions, and BBK notifications remain segregated. This is how regional MSSPs serving multiple Energieversorger, Stadtwerke (municipal utilities), or hospital networks operate under combined NIS2 and Dachgesetz scope.
Ready your SOC for the KRITIS-Dachgesetz.
Walk through your sector-specific obligations and see how Morpheus delivers investigation-grade evidence inside the 24-hour BSI window.