In front of almost empty rows of seats, the Bundestag debated the implementation of the second EU Directive on Network and Information Security (NIS2) and the cybersecurity strengthening legislation for the first time this Friday, a week before the implementation deadline. The NIS2 Directive must be transposed into national law by 18 October. Germany will miss this deadline; it is currently expected that NIS2 will not come into effect in Germany until spring 2025.
Johannes Saathoff, Parliamentary State Secretary at the Ministry of the Interior, summarized the main requirements of NIS2: a defined level of security measures and reporting obligations for cybersecurity incidents. NIS2 expands the number of companies subject to government requirements for cybersecurity from the current 4,500 critical infrastructure companies to approximately 29,500 companies across 18 sectors.
Although cyber incidents caused a record loss of 267 billion euros to the economy in 2023, the problem has still not reached all boardrooms: “Cyber resilience has to come to the forefront of people’s minds.” It is therefore right that the NIS2 Directive holds corporate management accountable.
Strengthening cyber security in the federal administration?
The German NIS2 implementation also aims to strengthen the cybersecurity of the federal administration. The Federal Office for Information Security (BSI) will be given more powers and developed into a central security authority. In addition, the federal and state governments should work together more closely.
Marc Henrichmann of the CDU/CSU parliamentary group was skeptical that this would succeed. He criticized the fact that subordinate federal authorities remain at the lowest level of protection. The BSI is to be given more powers, yet its budget was cut by 21 million euros in the 2025 budget. His parliamentary group colleague Petra Nicolaisen criticized the federal government's late implementation of the EU directive.
Anke Domscheit-Berg of the Left Party accused the "traffic light" coalition of failing on cybersecurity. There are currently 750 federal security positions vacant. Implementation of NIS2 has come too late, and the current draft of the German implementing law is limited to minimal measures. The fact that local authorities are explicitly excluded from the NIS2 requirements is not appropriate, she said.
Discussion will now continue in committees on NIS2 implementation and the Cybersecurity Strengthening Act.

On November 5, renowned IT law and security experts will explain which companies are affected by NIS2, what exactly NIS2 and the German NIS2 Implementation Act require, and which measures must be implemented by what deadline. Other topics include the interaction of NIS2 with established security concepts such as ISO 27001 and IT-Grundschutz, the impact of the Directive on incident response, and the importance of NIS2 for suppliers and service providers. There will be ample time for questions from participants.
More information and registration here: https://nis2.heise.de
(OD)
