The Era of “Silent Resilience” is Over: Why NIS2 and the KRITIS Umbrella Act Make Communication a Top-Level Priority
For a long time, an unwritten law applied to many Hidden Champions and market leaders in the IT, Tech, Energy, Finance, and Health sectors: quality speaks for itself, and security is only discussed when absolutely necessary.
In 2026, this restraint has become an existential risk. Due to the “double transition” (widespread digitalization and the transformation of infrastructure), our industries have merged into an inseparable, highly networked nervous system. An entry point for attackers at an IT service provider can trigger a cascading effect: if the small supplier fails, their customer, the large energy provider, stumbles as a direct result. Today, such vulnerabilities are potential leverage for a standstill in energy supply, finance, or healthcare. The associated potential economic damage quickly exceeds the billion-euro mark.
Legislators have recognized this interconnectedness and are tightening the reins: with the NIS2 Directive and the KRITIS Umbrella Act (German KRITIS-Dachgesetz), resilience becomes a hard compliance requirement—and strategic communication about it becomes a mandatory task for top management.
The Regulatory Pincer: Digital Protection Meets Physical Security
We are currently experiencing a paradigm shift. Regulation no longer addresses isolated IT problems but the overall stability of our economy:
- NIS2 (Digital Resilience): Harmonizes cybersecurity across almost all critical sectors. Those who are part of the vital chain must deliver. Reporting requirements are draconian, with the initial notification mandatory within 24 hours, and potential fines are massive.
- KRITIS Umbrella Act (Physical and Organizational Resilience): While NIS2 protects bits and bytes, the KRITIS Umbrella Act focuses specifically on protection against physical sabotage, climate impacts, and technical failure. It obliges operators to implement holistic risk management.
Liability for failures can no longer be delegated to the IT department; it is a non-transferable leadership responsibility and affects management personally. Cybersecurity and physical precaution are strategic corporate risks that must be managed at the management and board level. The consequences range from organizational negligence to fines of up to 10 million euros or 2 percent of annual turnover, and even liability with private assets for managing directors.
The Liability Trap of Silence: Communication as Risk Precaution
In this new regulatory environment, a lack of communication becomes an Achilles’ heel. Those who do not actively manage and communicate their own resilience run a twofold risk:
- Loss of Trust Among Partners: In a networked supply chain, customers—especially KRITIS operators—must demand proof of security. Those who do not act here will simply be phased out. KRITIS operators are legally obliged to verify whether their suppliers and service providers also meet the strict requirements.
- The Opportunity View: However, if I communicate my activities proactively and with foresight, I am not only taking precautions but also qualifying myself to my customer as a strategic partner who has risk management under control. Resilience has the potential to become a decisive selection criterion in B2B competition.
- Reputational Damage in an Emergency: If an incident occurs and the communication seems unprepared or reactive, a technical malfunction turns into a crisis of confidence in the entire management.
Three Fields of Action for the New Era of Corporate Leadership
- Resilience as Part of Corporate Identity: Security and accessibility must become part of the brand message. Transparency about your own robustness creates trust among investors, customers, and your own workforce. In 2026, resilience is the most important capital of your reputation.
- Integrated Crisis Communication: An emergency plan without a communication strategy is worthless. Who informs authorities, customers, and the media? Proactive communication often reduces damage more effectively than the best firewall.
- The Human Factor: From Fear to Culture: Technology is only as strong as the people who operate it. An open culture of error and continuous awareness are the strongest firewalls. Communication turns the “human factor” from a risk into a security factor.
Precaution Begins in the Data Center – and Ends at the Microphone
Whether you are a KRITIS operator or a company classified as an “important entity”: the stability of our society depends, both physically and digitally, on the robustness of our defense lines.
For managing directors and board members, this means: Go on the offensive. Make your company’s resilience an integral part of your daily actions and your strategic communication. Those who show today that they are prepared for the unthinkable are securing the marketplace of tomorrow.
