Germany
(a) What is the NIS2 implementation status?
Although Germany has already submitted a final NIS2 implementation draft dated 19 July 2024 to the EU Commission (Directive 2022/2555, EUR-Lex), the legislative process is not expected to be completed in the near future. Due to the dissolution of the German government and the Bundestag (lower house of parliament), the national implementation of the NIS2 Directive has come to a standstill. According to the German discontinuity principle, all draft bills that have not been passed by the old Bundestag must be reintroduced and renegotiated. This would also include the current draft of the German implementation law “NIS2UmsuCG”. It remains uncertain how the new Bundestag will address the draft following the elections on 23 February 2025.
(b) What is the envisaged NIS2 implementation timeline?
It is anticipated that the dissolution of the Bundestag will cause a delay in the legislative process, with progress expected in the latter part of 2025.
(c) What does the NIS2 mean for other national cybersecurity legislation?
Laws will be revised as NIS2 replaces NIS1, which has been implemented into multiple national laws (e.g. the BSIG Act).
(d) Who will be the supervisory authority and how are they preparing the market?
- The Federal Office for Information Security (BSI) is the main authority with respect to cybersecurity in Germany. This authority should be the main contact regarding questions about preventive security measures and is primarily responsible for receiving notifications about security breaches with respect to critical infrastructures.
- Data Protection Authorities enforce all relevant data protection laws. In Germany, each federal state has a separate Data Protection Authority in addition to the Federal Commissioner for Data Protection and Freedom of Information.
- The Federal Network Agency enforces the telecommunications-related laws and is responsible for receiving notifications about security breaches with respect to telecommunications networks and services.
(e) What should you be doing/on the lookout for?
Now is the time to assess the applicability of NIS2 requirements. Relevant sectors and thresholds have been expanded under the new directive. If applicable, a gap analysis will help businesses identify the necessary action items to increase resilience, stay competitive in the market and ensure compliance.
Contact
Nils Mueller E: nilsmueller@eversheds-sutherland.com
Isabella Norbu E: isabella.norbu@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved.