The German government is racing against the clock to implement the NIS2 Directive, with a deadline set for October 17, 2024. On July 24, 2024, Germany introduced the first draft of the German NIS2 Implementation Act, which will impose extensive obligations and sanctions on around 30,000 companies. This draft represents a crucial step in aligning with the EU’s directive aimed at enhancing cybersecurity across member states.
The NIS2 Directive, effective from January 16, 2023, is designed to strengthen cybersecurity measures across the EU. It builds on and replaces the previous NIS1 Directive, addressing inconsistencies in national implementations and aiming for a higher standard of cybersecurity. However, as of now, some member states, including Germany, are not on track to meet the upcoming deadline for full implementation.
In Germany, the legislative process for the NIS2 Implementation Act has encountered delays, with multiple drafts being published before the final draft was adopted. The act, also known as IT Security Act 3.0, will significantly amend existing laws and introduce new provisions for enhanced cybersecurity. The draft includes detailed regulations for designating the Federal Office for Information Security (BSI) as the competent authority and sets out specific requirements for both “very important” and “important” entities.
The new law will also intersect with other regulations, such as the Critical Entities Resilience (CER) Directive, affecting operators of critical infrastructure. Companies will need to navigate overlapping requirements from both directives. With ongoing legislative work and potential compliance challenges, affected businesses should closely monitor the progress and prepare for the new obligations to ensure timely compliance.