
Management’s Critical Role: Personal Liability Under Germany’s KRITIS Umbrella Act

Apr 24 2026

In our last blog post, we outlined how Germany’s new KRITIS Umbrella Act (KRITIS-Dachgesetz or KRITISDachG) introduces far-reaching obligations for companies operating critical infrastructure, aiming to strengthen their “physical” resilience, particularly against threats, vulnerabilities, and criminal offences (Is your company critical? Prepare for Germany’s new KRITIS Umbrella Act!). The legislation establishes a clear set of duties that affected companies must fulfil. However, the KRITIS Umbrella Act is not merely a compliance framework. Its significance lies also in the explicit personal accountability it creates, placing management bodies directly in the line of responsibility. 

It is therefore imperative for management bodies to take the KRITIS Umbrella Act seriously. By strategically implementing these requirements from the outset, executives can proactively shape resilience and take responsibility, rather than being caught off guard by an incident and facing personal liability. In the following sections, this blog post will outline the specific liability provisions, explain how they interact with existing general management liability rules, and demonstrate how this legislation can be understood not merely as a risk, but as a strategic opportunity.

Understanding Management’s Obligation under Section 20 (1) KRITIS Umbrella Act

According to Section 20 (1) of the KRITIS Umbrella Act, the management bodies of critical facility operators are obligated to implement the relevant resilience measures and to ensure their implementation through suitable organisational measures.

The “Who”: Management’s Core Responsibility

  • Although the wording of the provision, especially the term “implement”, may initially suggest direct technical execution, the legislative rationale clarifies the precise scope of the duties of management bodies. For management bodies, “implementing” primarily involves formally approving the resilience measures and then continuously monitoring their proper execution.
  • In practice, management bodies cannot – and are not expected to – handle every technical detail themselves. Delegating tasks to employees or engaging external service providers (e.g., IT security experts or facility management for physical security) is not only permitted, but often necessary. However, the legislative rationale for Section 20 (1) of the KRITIS Umbrella Act states unequivocally: “Even with the involvement of auxiliary personnel, the management body remains ultimately responsible.” This means that although operational tasks can be delegated, the management body retains the ultimate, non-transferable responsibility. A mere “transfer” of accountability is not possible. Instead, this principle imposes specific duties on management bodies regarding the use of auxiliary personnel: they must be carefully selected, properly instructed, and regularly monitored. While the management body remains accountable for ensuring the overall implementation and monitoring, if it has diligently fulfilled these oversight duties, it would generally not be held liable for independent “excesses” or specific failures by auxiliary personnel that occur despite that diligent oversight. The key lies in actively and conscientiously managing and overseeing all delegated tasks.

The "What": Defining the Resilience Measures (Section 13 KRITIS Umbrella Act)

The “content” of these resilience measures, which management bodies must approve and oversee, is outlined in Section 13 of the KRITIS Umbrella Act. According to Section 13 (1) of the KRITIS Umbrella Act, operators must implement measures designed to achieve four key resilience objectives:

  • Preventing incidents: Proactively avoiding disruptions.
  • Ensuring adequate physical protection: Safeguarding critical facilities.
  • Responding to and mitigating impact: Handling incidents effectively to limit damage.
  • Guaranteeing rapid restoration: Bringing critical services back quickly after disruption.

The KRITIS Umbrella Act further stipulates that these measures must be “appropriate and proportionate” technical, security-related, and organisational measures that comply with the “state of the art”. Crucially, the selection and design of these measures must be based on the operator’s own risk analysis and assessment, which, in turn, builds upon the national risk assessments provided by the authorities. These requirements are put into practice through a comprehensive resilience plan, which must document the chosen measures and the underlying risk-based considerations.

Understanding Management’s Liability under Section 20 (2) KRITIS Umbrella Act

According to Section 20 (2) of the KRITIS Umbrella Act, internal liability is at stake if duties according to paragraph 1 are violated: Members of the management bodies who violate their duties under Section 20 (1) of the KRITIS Umbrella Act are liable to their entities for culpably caused damage according to the rules of company law applicable to the entity’s legal form. Liability arising directly from Section 20 (2) of the KRITIS Umbrella Act shall only apply if the company law provisions applicable to the entity do not contain any corresponding liability provisions as described in sentence 1.

  • Reference to Company Law: The first sentence of Section 20 (2) of the KRITIS Umbrella Act constitutes a reference to a legal basis (Rechtsgrundverweis) in existing company law. Thus, for entities subject to German law, the primary basis for the internal liability of members of the management body is found for example in Section 93 (2) of the German Stock Corporation Act (AktG) for executive boards and Section 43 (2) of the German Limited Liability Companies Act (GmbHG) for managing directors. For liability to arise, the conditions of these respective company law liability norms must be met. Typically, this requires that damage has been culpably caused to the company, and that this damage is adequately causally based on conduct by the member of the management body that is in breach of duty.
  • A key concept in corporate liability law is the Business Judgment Rule. According to this rule, a member of the management body is generally not liable for reasonable decisions made based on appropriate information and in the best interest of the company.
  • However, this liability privilege applies only within the limits of the so-called “duty of legality” (Legalitätspflicht), which requires compliance with the legal system. The more legal requirements members of the management body must comply with and implement – as is the case with the KRITIS Umbrella Act – the more their duty of legality expands, and the more their entrepreneurial freedom of action is restricted. For more details on the Business Judgment Rule, please refer to our dedicated blog post “Business Judgement Rule Decisions – A How-To Guide”.
  • The “Catch-All Provision”: For legal forms where company law provisions do not provide such an internal liability rule as described in sentence 1, Section 20 (2) sentence 2 of the KRITIS Umbrella Act serves as a backup legal basis for liability. This “catch-all provision” is intended to ensure that management bodies can be held personally liable for breaches of duty regardless of the specific legal form of the entity, thereby closing any potential liability gaps.
  • Scope of Damages: Once liability is established in principle, a critical question arises: Which specific damage positions are covered? Specifically, can the company seek regress from members of the management body for administrative fines imposed due to violations of the KRITIS Umbrella Act?
  • A management body’s liability may arise if the company incurs damages due to culpable misconduct by one of its members. Section 24 (1) of the KRITIS Umbrella Act provides for significant fines if, for example, a critical facility is not registered, or if the registration is incorrect, incomplete, not in the prescribed manner, or not submitted in a timely fashion. Fines may also be imposed if the company fails to demonstrate compliance with its resilience obligations when requested by the authorities. Depending on the violation, Section 24 (2) of the KRITIS Umbrella Act provides for fines of up to EUR 500,000.
  • The question whether fines incurred by the company can be recouped from a member of the management body internally has not yet been definitively decided by the highest German courts. Following a referral from the German Federal Court of Justice (Bundesgerichtshof) in an antitrust case, the European Court of Justice (ECJ) is currently addressing whether antitrust-related fines imposed can be passed on from the company to the member of the management body or whether such recourse is prohibited. Those in favour of recourse argue that it is not explicitly prohibited by law. Conversely, arguments against recourse emphasise that the sanction is intended to affect the company as such and its assets, and that passing it on to a member of the management body would render the sanction ineffective. Ultimately, even after the ECJ’s decision, it will remain unclear whether its findings concerning antitrust fines would be directly transferable to fines under the KRITIS Umbrella Act, leaving a significant point of legal uncertainty. Therefore, from a risk-management perspective, it is prudent to proceed on the basis that recourse for fines may be asserted against members of management bodies and to factor this into governance, compliance and insurance planning.

Implications for D&O Insurers

Given the potential for significant damages, the explicit personal liability of the member of the management body represents a critical new dimension of risk that must be considered alongside the potential tort-based liability toward third parties. This elevated liability is not only a crucial concern for the management bodies themselves, but also directly impacts D&O (Directors and Officers) insurers.

The increased exposure means that D&O policies must be meticulously reviewed and potentially adjusted. Insurers will need to carefully consider the expanded scope of duties and the potential for claims for damages resulting from failures to comply with Section 20 (1) of the KRITIS Umbrella Act. Companies and their management bodies therefore need to precisely examine existing insurance conditions and proactively discuss them with their D&O providers to ensure they have adequate coverage for the new risks introduced by the KRITIS Umbrella Act. This crucial interplay between the new legal obligations and D&O insurance will be the dedicated subject of our next blog post.

Conclusion and Call to Action

At first glance, the obligations and potential liabilities introduced by the KRITIS Umbrella Act may appear daunting. However, it is crucial to recognise that this legislative framework is not an end in itself, but a powerful instrument designed to strengthen companies’ resilience and, in doing so, safeguard their long-term operational capability and economic viability. Recent attacks on critical infrastructures have repeatedly demonstrated how quickly businesses can be paralysed, and customers frustrated, by disruptions.

Therefore, viewing the implementation of these duties not merely as a compliance exercise, but as an impetus to strengthen your company against a wide array of hazards, is key. By proactively embracing these requirements, you not only enhance your operational robustness, but also automatically mitigate the personal liability risks for your management body.

Ultimately, this is about transforming a perceived threat into a strategic advantage. Freshfields stands ready to support you in assessing your KRITIS exposure, designing governance and documentation that withstand regulatory scrutiny, and embedding resilience into your organisation’s risk and compliance framework – ensuring that you can harness the KRITIS Umbrella Act to build a more resilient and future-proof business.

Tags

corporate governance, regulatory, governance, insurance, regulatory framework

Authors

Vinzenz Schulte-Markwort, Associate, Berlin

Anna Köhler, Principal Associate, Berlin

© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome