Germany’s Critical-Infrastructure Protection Architecture
From Legal Expansion to Institutional Fragmentation
Germany has moved decisively to strengthen the legal protection of critical infrastructure, yet the emerging system reveals a structural imbalance between ambition and operational coherence. A federal umbrella law for physical resilience is now in force, cyber governance is advancing under the NIS2 framework but has followed a discontinuous legislative path, and foreign-investment screening continues to operate through a pre-existing regime that has been expanded but not fundamentally restructured. The resulting configuration is characterised not by an absence of regulation but by uneven layering across legal domains that were not originally designed to function as a single system. The central problem is therefore no longer whether Germany possesses the necessary instruments, but whether these instruments, taken together, are capable of managing complex dependency risks across infrastructure, technology, ownership, and operational continuity before those risks materialise into systemic vulnerabilities.
The report is organised to separate clearly the distinct layers that define Germany’s current architecture. It first reconstructs the documented baseline across physical-resilience law, cyber governance, and investment screening, including their respective scopes and implementation status. It then develops an analytical reading of how these layers interact, focusing on asymmetries, threshold design, and the limits of existing instruments when applied to hybrid infrastructure and technology systems. Two industrial cases are examined as stress tests, treated not as isolated events but as indicators of how the system behaves under real conditions. The final sections assess the implications for corporate actors, financial markets, regulatory professionals, and sovereign decision-makers, and identify concrete signals that will determine whether Germany evolves toward an integrated model or remains structurally layered and only partially coordinated.

