Federal Cabinet approves draft – federal administration remains exempt – Bitkom President Wintergerst calls for improvements
The German federal government today adopted a draft law to implement the EU NIS2 Directive. The aim is to strengthen the cybersecurity of critical and important institutions in Germany and to regulate it uniformly at European level. In addition to implementing European requirements, the law also contains provisions on information security management in the federal administration.
With its approval, the Federal Government is acting on its obligation under EU law to implement the NIS2 Directive, which came into force in January 2023. Germany had already missed the original implementation deadline of October 2024. The European Commission has initiated infringement proceedings against the Federal Republic of Germany.
Bitkom: No national special paths in implementation
The president of the digital association Bitkom, Dr Ralf Wintergerst, welcomes the progress in principle, but calls for concrete improvements. ‘The NIS2 Directive can create a uniform framework for cyber security across Europe and increase resilience against cyber attacks,’ said Wintergerst. However, direct, one-to-one implementation without additional national requirements is crucial: ‘Companies need reliable and uniform conditions within the EU single market. National exceptions jeopardise planning security and lead to additional costs.’
Criticism of exemptions for the federal administration
Bitkom is particularly critical of the fact that the federal administration is exempting itself from key NIS2 requirements. According to Wintergerst, this sends the wrong signal: ‘The federal government and its authorities must set an example – especially in view of the ongoing threat posed by cyber attacks.’ Security gaps in government infrastructure are unacceptable.
Unclear responsibilities and boundaries
Bitkom sees a need for further clarification on the question of which companies will be covered by the regulations in future. Imprecise wording in the draft law means that organisations with mixed business areas remain uncertain as to whether they fall within the scope of the directive. The lack of coordination with the planned implementation of the European CER Directive on the physical security of critical facilities is also criticised.
Outlook: Legislative process in autumn
The German government plans to debate the law in the Bundestag after the summer recess. Bitkom is calling for swift parliamentary action and targeted amendments to the text of the law. ‘Time is of the essence,’ emphasises Wintergerst. ‘Germany must not fall behind again when it comes to cyber security.’