Germany’s cybersecurity situation is tense: the Federal Republic is vulnerable in the digital space, particularly due to poorly protected areas of attack (https://bsi.bund.de/lagebericht). The law implementing the European NIS 2 Directive, which was passed today in the German Parliament, comprehensively modernises national IT security law: The directive increases the cybersecurity requirements for certain companies and the federal administration. The Federal Office for Information Security (BSI) plays a key role in both areas. It will become the supervisory authority for companies affected by the directive; and, in its function as Chief Information Security Officer (CISO), it will also be the central point of contact for cyber security in the federal administration.

The NIS 2 Implementation Act includes an amendment to the BSI Act (BSIG), which previously covered approximately 4,500 institutions in the economic area: operators of critical infrastructures, providers of digital services and companies of particular public interest. With the entry into force of the NIS 2 Act, this radius will be expanded to include the categories ‘important institutions’ and ‘particularly important institutions’, meaning that the BSI will in future supervise around 29,500 institutions that are subject to new legal obligations in the area of IT security: Affected companies must register with the BSI, report significant security incidents and implement technical and organisational risk management measures.

The law requires federal administration institutions to meet minimum information security requirements, which are derived from the BSI’s IT Baseline Protection Compendium and minimum standards for information technology security in the federal government, among other sources. The tense situation in cyberspace must also be countered by a robust IT governance structure in the federal administration that spans all departments, authorities and institutions and serves the goal of jointly organising and continuously improving IT security. In future, the BSI will coordinate these activities in its role as the federal CISO.

BSI President Claudia Plattner: “With this law, Germany has reached an important milestone on the way to becoming a resilient cyber nation, because it allows us to protect a crucial part of our digital attack surface much better than before. I would like to express my sincere thanks to the Federal Minister of the Interior and all members of the Federal Government and the German Bundestag who made this possible. I would also like to thank the Federal Minister for Digital Affairs for his support – we are very much looking forward to intensifying our cooperation. It is extremely beneficial that the mandate, expertise and resources for the operational implementation of cyber security within the federal administration can now be pooled in one place and used in a stringent manner. We are happy to take on this task, but we are also more than aware of its magnitude. We will therefore work closely with the government departments to significantly strengthen the urgently needed resilience of the federal administration, constructively support the federal government’s digitalisation projects and ensure not only the necessary expertise, but also neutrality, cost-efficiency and continuity. We are already doing a great deal for the companies covered by the NIS 2 regulation, offering a wide range of advice and support services. We will expand these services again when the law comes into force.”

The BSI will provide affected companies with a starter pack containing clear information on how to successfully implement the obligations arising from the NIS 2 Directive. Once the law comes into force, the BSI will also offer virtual kick-off seminars in which companies will receive step-by-step instructions for impact assessments and registration and reporting processes, among other things.