KRITIS is the German regulatory category for critical infrastructure operators, defined in the
BSI-KritisV ordinance. It covers nine sectors (energy, water, food, IT and telecommunications, healthcare, finance and insurance, transport, public administration, media and culture) whenever an operator exceeds the sector-specific threshold (e.g. 500,000 supplied citizens). KRITIS operators must implement state-of-the-art security, register with the BSI, report significant incidents within hours, and provide auditable evidence every two years. NIS2 broadens this further to all essential and important entities.