The German federal government has finally delivered: the cabinet decision on implementing the NIS 2 Directive has been passed. Ulrich Plate, Leader of the Critical Infrastructures (KRITIS) Competence Group at eco – Association of the Internet Industry, welcomes this move: “This finally brings the issue of cybersecurity back onto the political agenda – long overdue in light of the current security situation. The EU Directive calls for nothing less than a structural modernisation of the security architecture of critical infrastructures.”
However, Plate emphasises that this cabinet decision marks only the beginning: “The real work is now beginning with the parliamentary process. It remains to be seen whether the federal government is truly prepared to offer clarity on exemptions, responsibilities and transition periods. Even after the most recent revision, key questions remain unresolved. One such case concerns the planned exemptions for companies engaged in supposedly ‘negligible’ critical activities. While this may sound politically pragmatic, it is problematic under European law. If this regulation fails before the Court of Justice of the European Union, infringement proceedings could follow – leading us straight back to the legal uncertainty that NIS 2 was actually intended to end.”
Harmonisation or a European patchwork quilt?
Ulrich Plate warns that the European dimension deserves more attention. While Germany is still negotiating internally, other Member States are already establishing national regulations – not always in the spirit of harmonisation. Italy, for instance, is pursuing its own interpretations, thereby increasing the risk of a regulatory patchwork. “Germany would be well advised not to go it alone in this regard,” says the KRITIS expert.
“At least the foundations for implementation are beginning to take shape. The Federal Office for Information Security (BSI) is preparing organisationally for its new responsibilities – including a planned reporting and registration portal through which companies will in future be able to indicate their level of concern and report security incidents. For companies, this means that now is the right time to take action. This includes not only reviewing existing security architectures, but above all sharpening internal risk analyses – one of the core requirements of NIS 2. Those who establish clarity early on not only bolster their own compliance, but also their operational resilience,” says Ulrich Plate.
