12.11.2025

eco – Association of the Internet Industry on NIS-2: Late Start, Now Critical – Germany Must Create Trust and Clarity

This week, the implementation of the NIS-2 Directive is on the agenda in the German Bundestag. Following consultations in the Interior Committee, the law is expected to be passed in the plenary session. One thing is already certain: the new requirements are coming – and without a transition period.

Ulrich Plate, Head of the KRITIS Competence Group at eco – Association of the Internet Industry, states the following:

“A late start, but on the home stretch: Germany has managed the long run-up and will now finally adapt the important NIS-2 implementation. The second stage of the EU infringement procedure hung over Berlin like a sword of Damocles for a long time; but now there is finally movement in the legislative backlog on cybersecurity.

“However, this speed comes at a price. Many voices from industry, including eco, have warned in vain that the intervention powers regarding ‘critical components’ (see German § 41 BSIG-E) will lead to uncertainty. What is new is that the German Federal Ministry of the Interior (BMI) will now be able to take action to ban components, even without notification from the operator. For companies, this means that assessments by the Ministry of the Interior can result in costly replacement obligations.

“The Ministry can also initiate the prohibition of risky components itself and involves other departments solely on the basis of their ‘expertise and perspective’. From an economic perspective, this poses a risk to investment clarity and trust. At the same time, supervision and sanctions will be increasingly consolidated in the Federal Ministry of the Interior in future, representing a further step towards the political centralisation of the cybersecurity architecture.

“Although the role of the Federal Office for Information Security (BSI) has been strengthened in certain areas – for example, through expanded supervisory and coordination responsibilities – its certifications remain subject to political decisions. The significance and status of BSI certification therefore remain difficult for businesses to assess.

“On a positive note, the amendment now explicitly refers to the European Cyber Resilience Act (CRA). This is an important step towards harmonising technical security requirements for products across the EU. Nevertheless, the interfaces between the NIS-2 Implementation Act and the CRA could have been more closely aligned to avoid duplicate regulation and room for interpretation.

“The regulatory phase will now be decisive: In the coming months, the German federal government should work together with industry and trade associations to define clear, verifiable criteria for ‘critical components’ and to coordinate the decision-making processes between the BMI, the BSI, and other ministries in a binding manner.

“Only then will a late law become a good law; one that strengthens trust and doesn’t create new uncertainty.”