
Preparation of a Cybersecurity Legislation by the Federal Interior Ministry

Neglecting to secure IT infrastructure comes with substantial risks. Approximately 29,000 businesses and institutions are anticipated to receive guidelines for such protection, despite the postponement in the associated law.


As of early July 2025, Germany has not yet fully implemented the EU’s NIS-2 Directive into its national law, missing the October 17, 2024 deadline. The NIS-2 Directive, which aims to enhance the cybersecurity and resilience of critical infrastructure across the EU, has been a priority for the bloc, yet 19 Member States, including Germany, failed to notify the European Commission of full transposition by the deadline.

In response, the European Commission issued a "reasoned opinion"—the second step in infringement procedures—on May 7, 2025, urging these countries, including Germany, to complete implementation or present a firm timetable within two months.

Germany’s Federal Ministry of the Interior and Homeland has been actively preparing draft bills to implement the NIS-2 Directive, indicating ongoing legislative activity. However, as of June 2025, these bills have not been fully adopted yet. Discussions suggest that the coordination of cybersecurity law (NIS-2) with physical infrastructure protection laws (KRITIS) has timing issues, indicating complexity and some decoupling in Germany’s approach to critical infrastructure protection.

The NIS-2 Directive, if fully implemented, will significantly impact businesses and institutions across Germany. The mandatory implementation of certain security measures is expected to affect around 29,000 companies, a significant increase from the current number. Sectors such as energy, transport, drinking water, food production, wastewater, and telecommunications are considered critical infrastructure, and if they were to become inoperable due to cyberattacks, it could have significant impacts on the population.

The BSI, the Federal Office for Information Security, currently oversees around 4,500 operators of critical infrastructure that must meet certain cybersecurity standards. However, many of the companies and institutions that the stricter rules will apply to still do not fully understand the requirements that will apply to them. The Federal Ministry of the Interior is pushing the implementation of these rules with urgency, with the German federal government planning to implement the EU's rules for protecting critical infrastructure and businesses from cyberattacks by early 2026.

The NIS-2 Directive includes enhanced cybersecurity requirements, such as risk management, incident notification within 24 hours, significant enforcement, and penalties. Given the critical importance of these requirements for EU cybersecurity resilience, Germany’s timely and complete implementation remains a priority. The European Commission may escalate the matter to the Court of Justice of the EU if Germany and others do not respond or fully comply soon.


  1. The European Commission's "reasoned opinion" of May 7, 2025, highlights the need for Germany to expedite implementation of the NIS-2 Directive, which aims to enhance cybersecurity and resilience, after missing the deadline.
  2. Full implementation of the NIS-2 Directive will impose stricter cybersecurity standards on approximately 29,000 businesses and institutions in Germany, significantly altering their operations.
