Germany
(a) What is the NIS2 implementation status?
Germany has just submitted its final NIS2 implementation draft from 19 July 2024 to the EU Commission (Richtlinie - 2022/2555 - EN - EUR-Lex (europa.eu)). Finalization is still not expected this year, however. On 27 September 2023, the BMI published a new discussion paper on the draft implementation law. This was followed by a “workshop discussion” in October, to which the BMI invited business and association representatives. Following this, a second draft bill will be published and a second round of departmental coordination will then be carried out. This will be followed by the official consultation with the federal states and associations before a coordinated government draft goes to parliament (the Bundestag). However, due to its relevance for the European single market, the draft must also be noted by the EU Commission.
(b) What is the envisaged NIS2 implementation timeline?
The German implementation law, the “NIS2UmsuCG”, is expected to be announced in March 2024. The aim is to start the German legislative process by summer 2024 and to adopt the “NIS2UmsuCG” by 2025 at the latest. The NIS2UmsuCG is an amendment act that changes existing German laws. The draft provides for a complete revision and expansion of the Act on the Federal Office for Information Security (BSIG).
(c) What does the NIS2 mean for other national cybersecurity legislation?
Laws will be revised as NIS2 replaces NIS1, which has been implemented into multiple national laws (e.g. the BSIG).
(d) Who will be the supervisory authority and how are they preparing the market?
- The Federal Office for Information Security (BSI) is the main authority with respect to cybersecurity in Germany. This authority should be the main contact regarding questions about preventive security measures and is primarily responsible for receiving notifications about security breaches with respect to critical infrastructures.
- Data Protection Authorities enforce all relevant data protection laws. In Germany, each federal state has a separate Data Protection Authority in addition to the Federal Commissioner for Data Protection and Freedom of Information.
- The Federal Network Agency enforces the telecommunications-related laws and is responsible for receiving notifications about security breaches with respect to telecommunications networks and services.
(e) What should you be doing/on the lookout for?
Now is the time to assess the applicability of NIS2 requirements. Relevant sectors and thresholds have been expanded under the new directive. If applicable, a gap analysis will help businesses identify the necessary action items to increase resilience, stay competitive in the market and ensure compliance.
Contact
Nils Mueller E: nilsmueller@eversheds-sutherland.com
Isabella Norbu E: isabella.norbu@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.