Government prepares to enact Cybersecurity Legislation through Ministry of Internal Affairs - Preparing New Cybersecurity Legislature by the Federal Interior Department
In a bid to strengthen its national cybersecurity framework, Germany is actively working to implement the European Union's NIS-2 Directive. The deadline for integrating the directive into national law expired on October 17, 2024, but, like 18 other EU Member States, Germany did not fully transpose the directive by this date.
The NIS-2 Directive aims to provide enhanced cybersecurity for companies and institutions in critical sectors such as energy, transport, drinking water, food production, wastewater, and telecommunications. An estimated 29,000 companies will be affected by the obligation to implement certain security measures to ward off and manage cyberattacks, significantly more than before.
The directive is crucial as these large companies in the aforementioned sectors are considered critical infrastructure. If they were to become non-operational due to cyberattacks, it could have significant effects on the population.
The Federal Ministry of the Interior is currently pushing the issue of cybersecurity forward, with Claudia Plattner, president of the BSI, expressing the need for speed due to the missed deadline in the last legislative period. The BSI has an online "NIS-2-affectedness test" that has been used more than 200,000 times, and it advises around 4,500 operators of critical infrastructure who must meet certain standards in terms of cybersecurity.
While specific details about the internal German draft or legislative steps are not explicitly provided, it is clear that Germany is actively working to upgrade its national cybersecurity framework through amendments to existing laws and processes to meet the NIS-2 requirements. These include stronger risk management, incident reporting, and enforcement mechanisms.
The European Commission issued a reasoned opinion against Germany on May 7, 2025, giving it a two-month period to complete the transposition or face potential legal action at the EU Court of Justice. By early July 2025, Germany had only a few days left to comply or provide a firm timetable to the Commission, indicating that the deadline of July 2, 2025, for full implementation was imminent and the preparation was still underway but delayed.
Claudia Plattner, president of the BSI, hopes that the law will come into force by early 2026, with the federal government aiming to enshrine the European Union's rules for protecting critical infrastructure and companies from cyberattacks in law by early 2026. The law aims to protect critical infrastructure and companies from cyberattacks, including extortionists and sabotage.
As Germany works towards implementing the NIS-2 Directive, it is clear that the issue of cybersecurity is a priority for the federal government. The traffic light coalition passed a corresponding bill in July 2024, but there was no longer a majority in the Bundestag for it after the breakup of the coalition. The draft for the cybersecurity law was discussed with the federal states and affected associations in July, and it remains to be seen how the final law will be shaped.
[1] European Commission (2025). "Commission sends reasoned opinions to 19 Member States for failing to transpose the NIS2 Directive." Press release. [2] European Commission (2024). "NIS2 Directive: Member States must protect critical entities against cyberattacks." Press release. [3] European Commission (2024). "NIS2 Directive: Commission sends letters of formal notice to 19 Member States for failing to transpose the Directive." Press release. [4] European Commission (2024). "NIS2 Directive: Commission sends reasoned opinions to 19 Member States for failing to transpose the Directive." Press release.
- Germany's emphasis on cybersecurity is evident as they work to implement the necessary security measures for companies in critical sectors, like energy and telecommunications, as stipulated by the NIS-2 Directive, which aims to boost cybersecurity.
- In the process of complying with the NIS-2 Directive, Germany is focusing on strengthening its risk management, incident reporting, and enforcement mechanisms to protect critical infrastructure and companies from cyberattacks, such as extortionists and sabotage.
