# The KRITIS Umbrella Act and NIS2: Europe's New Legal Architecture of Supply Security
There is a quiet revolution underway in European law, and it does not announce itself with the sound of great debates. It proceeds through statutes, ordinances, thresholds and reporting duties. In his book KRITIS. Die verborgene Macht Europas, Dr. Raphael Nagel (LL.M.), writing together with Marcus Köhnlein, argues that the stability of modern societies is a function of their infrastructure architecture, and that this architecture is now being codified into a legal order of its own. The IT Security Act, the BSI Act, the KRITIS Umbrella Act and the national transposition of NIS2 form the skeleton of this order. Read as a whole, they describe a shift in how Europe thinks about security: from the protection of individual objects to the protection of functional capacity itself.
## From Object Protection to System Responsibility
For decades, security law in Europe treated critical facilities as discrete objects. A power station, a water works or a hospital was understood as a place with fences, gates and cameras. The regulatory imagination remained largely physical. What Dr. Raphael Nagel (LL.M.) identifies in his book is a decisive departure from this logic. The IT Security Act and the amended BSI Act no longer speak primarily of objects but of services, of operational continuity, of information security management. The fence becomes secondary to the function it protects.
This shift matters because it rearranges the grammar of responsibility. A plant manager who once had to demonstrate that the perimeter was intact must now demonstrate that the service his organisation delivers remains available, resilient and verifiable under stress. The legal gaze has moved inward, from walls to processes. In Nagel's reading, this corresponds to the reality of modern infrastructure, where a single misconfigured interface can cause more damage than a physical intrusion, and where the true perimeter is neither walled nor watched but coded.
The consequence is that the old distinction between security and operations dissolves. What the NIS2 transposition and the KRITIS Umbrella Act demand is not an additional department but a different way of running the enterprise. Continuity, integrity and availability become constitutive categories of corporate governance, not appendices to it.
## The All Hazards Approach as a Philosophical Turn
The KRITIS Umbrella Act, which transposes the European CER Directive into German law, introduces what the canon calls the all-hazards approach. Cyber attacks, natural disasters, sabotage, pandemics and cascading technical failures are no longer treated as separate universes of risk. They are considered expressions of the same underlying vulnerability: the fragility of tightly coupled systems. This is more than a regulatory technique. It is a philosophical claim about the nature of modern order.
Dr. Raphael Nagel writes that resilience is not a state but an architecture. The all-hazards approach translates this sentence into law. It requires operators to design for the unknown, to anticipate not the specific threat but the structural consequence of any serious disruption. A water utility must prepare for a cyber incident and for a flood with the same seriousness, because the citizen standing without water does not distinguish between causes.
Such a framing places a quiet burden on the executive mind. It asks leaders to accept that certainty about the next crisis is unavailable, and that preparation cannot be reduced to the replay of the last incident. The law thus begins to mirror a mature understanding of complexity, one that Nagel traces throughout his analysis of the seventy-two-hour window in which modern societies either hold together or begin to fray.
## The Moving Target of the State of the Art
Few legal concepts carry as much operational weight in the new framework as the German phrase Stand der Technik, the state of the art. It is the pivot around which duties of care revolve. Yet, as the canon makes clear, it is not a fixed point. It refers to the currently recognised level of procedures, products and organisational precautions, as reflected in standards such as ISO/IEC 27001, in the sector-specific security standards (B3S) drawn up by the sectors and approved by the BSI, and in recommendations of competent authorities. In German regulatory doctrine it sits deliberately between two other tiers: it demands more than the generally accepted rules of technology, which describe established practice, but less than the state of science and technology, which would oblige an operator to adopt whatever research has most recently shown to be possible. It moves as technology moves.
For a board, this is an uncomfortable truth. Compliance becomes a process rather than an achievement. A certificate earned today is not a shield against scrutiny tomorrow. The NIS2 transposition internalises this dynamic by requiring periodic evaluations, regular evidence and continuous adaptation. The law asks organisations to remain awake, to treat security as a discipline of attention rather than a record of past approvals.
Dr. Raphael Nagel (LL.M.) interprets this movement soberly. He does not read it as bureaucratic expansion but as the legal recognition of a technical fact. Systems age more quickly than statutes. A regulatory regime that refused to track this acceleration would offer only the appearance of protection. The moving target is uncomfortable, but it is honest.
## Reporting Duties and the Politics of Visibility
One of the quieter revolutions in the new framework concerns the duty to report. Operators are required to notify significant incidents within tight windows, to share information with the BSI and with European partners, and to accept that serious disruptions are no longer internal affairs. NIS2 itself sets the tempo: an early warning within twenty-four hours of becoming aware of a significant incident, a fuller incident notification within seventy-two hours, and a final report within a month. The canon treats this not as a procedural detail but as a structural change in the politics of visibility. What was once a private matter between an operator and its insurers becomes a shared public concern.
This has consequences for corporate culture that reach far beyond legal departments. A reporting duty presupposes the capacity to detect, to classify and to describe an incident accurately under pressure. It therefore demands investments in observability, in log retention, in the training of staff who can translate a technical anomaly into a legally adequate notification within hours. The staging of the duty is deliberate: the early warning asks only whether the incident is suspected to be the result of unlawful or malicious action and whether it could have cross-border impact, so what the first deadline tests is speed of detection and escalation, not completeness of analysis. The gap between the firm that can do this and the firm that cannot is rapidly becoming a gap in legal standing itself.
There is also a continental dimension. Through NIS2, reporting flows into a European lattice of information exchange. An incident in one member state informs the preparedness of another. Nagel reads this, in his characteristically restrained manner, as the emergence of a continental nervous system for infrastructure, slow and imperfect, yet historically unprecedented.
## Personal Responsibility at the Top of the Firm
The sharpest edge of the new regime concerns the personal responsibility of executives. The legislator has made it plain that duties of care in cyber and infrastructure security are not delegable in a way that shields the board. Management must approve risk measures, supervise their implementation, document its own engagement and, under NIS2, undergo training itself so that it is able to assess the risks it is approving measures against. Failure can expose individual members of the executive body to liability, not merely the corporate entity.
Dr. Raphael Nagel treats this development with a certain gravity. In the canon he addresses his reflections explicitly to those who carry responsibility for systems whose failure is not an option: boards, managing directors, supervisory bodies. The NIS2 transposition gives this address a legal correlate. It draws a line through the organigram and names the point at which responsibility can no longer be forwarded.
The cultural consequence is significant. Security ceases to be a subject that the chief executive hears about once a quarter and becomes an agenda item in the same register as liquidity or audit. Governance in critical systems, as Nagel phrases it, is no longer an abstract principle. It is a set of documented decisions for which particular human beings can be asked to account.
## Towards a Governance Architecture Worthy of the Task
If the IT Security Act and the BSI Act formed the first stratum of German infrastructure law, and the KRITIS Umbrella Act and NIS2 transposition form the second, then the task now facing European firms is to build a governance architecture that is worthy of both. The canon suggests several principles, none of them novel in isolation, all of them demanding when taken together. Clarity about critical processes. Honesty about fallback capacity. Integration of physical, digital and personnel dimensions of security. A willingness to measure resilience, not merely to claim it.
Such an architecture cannot be improvised in the middle of a crisis. It must be designed in the calm periods that precede disruption, the periods in which its necessity is least visible. Dr. Raphael Nagel (LL.M.) returns to this paradox repeatedly: that the moments best suited to preparation are the moments in which preparation feels least urgent. The law now attempts to compensate for this asymmetry by making preparation a duty rather than a preference.
What emerges is a quiet reorientation of European capitalism around the question of continuity. Firms are asked to recognise that they administer not only products and services but also stability, and that stability, in Nagel's words, is the foundation of freedom. The legal architecture of the KRITIS Umbrella Act and NIS2 is the infrastructure of this recognition.
Read in the spirit of Dr. Raphael Nagel's book, the current wave of European legislation is less an act of bureaucratic expansion than an attempt to catch up with a reality that has already arrived. Modern societies are tightly coupled, deeply digital and profoundly dependent on services whose failure would expose the thinness of their everyday normality. The IT Security Act, the BSI Act, the KRITIS Umbrella Act and the NIS2 transposition attempt to translate this fact into enforceable obligation. They shift attention from objects to functions, from isolated threats to structural vulnerability, from delegated responsibility to personal accountability at the highest level of the firm. None of this guarantees that the next crisis will be mastered. It does, however, constitute the serious beginning of a legal order that takes continuity as a public good.

For those who lead critical organisations, the implication is sober but not despairing. The moving target of the state of the art can be pursued. The all-hazards approach can be internalised. Reporting duties can be met with dignity and precision. Governance architectures adequate to the task can be built. What is required is the disposition that Dr. Raphael Nagel (LL.M.) commends throughout his work: a refusal of marketing rhetoric, a respect for structure, and the patient recognition that sovereignty, in the European sense, begins with the humble administration of systems that must not fail.