- Federal administration must meet the same standards as companies
- New regulation, introduced at short notice, on a possible ban on critical components may slow down investment
With the Bundestag’s passing today of the law implementing the EU NIS-2 Directive, the digital association Bitkom believes that cybersecurity in Germany will be strengthened and greater legal certainty created for companies. At the same time, the new regulations on the use of so-called critical components could have a significant impact on companies’ investment decisions and thus on digitalisation in Germany. ‘The implementation of the European NIS 2 Directive was long overdue. Cyber attacks threaten the economy, administration and society. German companies have recently suffered annual losses of 202 billion euros as a result,’ says Bitkom President Dr Ralf Wintergerst. The aim of the NIS 2 Directive is to strengthen resilience and cybersecurity in the Member States. To this end, the definition of critical infrastructure has been expanded, among other things, thereby obliging a large number of companies to take special security precautions.
Bitkom considers it extremely positive that the law that has now been passed includes downstream federal authorities within the scope of NIS 2. Particularly in sensitive areas of federal administration, security gaps can cause considerable financial damage and undermine trust in democratic institutions. ‘An effective and credible cybersecurity architecture requires the state itself to adhere to the highest security standards. It is only logical and right that federal authorities should in future be subject to the same risk management requirements as regulated companies,’ says Wintergerst.
In contrast, Bitkom believes that the new regulations on so-called critical components recently introduced into the legislative process are rather harmful. The plan now is for the Federal Ministry of the Interior, in consultation with other departments, to define critical components and, in future, to be able to prohibit their use independently. ‘Companies need reliable framework conditions; bans can have a significant impact on business activities. It is essential that those affected are consulted in advance before such important decisions are made,’ said Wintergerst. In Bitkom’s view, the definition of critical components should continue to be based on technical criteria and be determined by the Federal Network Agency and the Federal Office for Information Security (BSI).
In order to protect Germany from cyber attacks and create a holistic approach to digital security, companies should be supported by the BSI in the practical implementation of the NIS 2 requirements. In addition, the KRITIS umbrella law must now also be adapted to the NIS 2 implementation law and implemented in a timely manner.

