According to EU requirements, the NIS 2 Directive should have been transposed into national law by 17 October 2024 at the latest. However, as a result of the new parliamentary elections on 23 February 2025, all legislative proposals that had not yet been passed had to be reintroduced - the NIS2 Implementation Act (NIS2UmsuCG) was also put on hold.

New draft bills from the Federal Ministry of the Interior have been reported since the beginning of June 2025. There is still no official publication, but this marks the unofficial restart of the legislative process. The dynamics of the legislative process can be seen from the fact that three versions of the draft - dated 26 May, 2 June and 23 June 2025 - have been made public in recent weeks, with the most recent version being sent to the associations at the same time as the request for comments.

The latest version, dated 23 June 2025, contains two significant changes at the interface between the supervisory authority and future regulated companies.

As part of the impact analysis, an important amendment has been made to Section 28 (3) (Particularly important facilities and important facilities). This clarifies that business activities that are negligible with regard to the overall business activities of the organisation are not taken into account when allocating the types of organisation.

The intention of this change is understandable and marks an important return to the objective of the European cybersecurity strategy: the resilience of the European economy and its stakeholders against cyber threats. Negligible activities (e.g. operating a photovoltaic system on the roof of administrative, logistics or production buildings) should not qualify an organisation as an energy producer. However, the term "negligibility" as a relative reference to the overall performance of the company is an unfortunate choice for an undefined legal term and has become the subject of heated legal debate just a few days after publication. If "negligible" is to remain, the reference object should not be the company itself, but rather the relative impact on the industry or the regulated sector in the respective country.

The second amendment concerns the obligation to coordinate legal ordinances with the scientific community, operators of critical infrastructures (KRITIS) and associations. Mandatory consultation has been removed both from the definition of a KRITIS facility and from the definition of a significant security incident. From a business perspective this change is to be viewed critically, as it may lead to overregulation. It is to be hoped that the dialogue with science, KRITIS operators and associations, which has already been initiated in many areas, will nevertheless be intensified, and that only the formal anchoring in the procedure is being dropped in the interest of acceleration and simplification.


In terms of content, the drafts are based on familiar structures, in particular the risk-based approach to IT security. Although the adjustments in the area of risk management measures are manageable, they provide important information for later interpretation in practice:

The new wording emphasises the security of the supply chain "including security-related aspects of relationships with direct suppliers or service providers". The previous reference to relationships "between the individual organisations" has been deleted. Companies must therefore primarily assess the direct relationship with their suppliers - but not the interdependencies in the supply chain.

The term "cyber hygiene" has disappeared from the catalogue of measures. Instead, the catalogue now refers to "basic training and awareness-raising measures". The authors of this article view this change critically, as the term "basic" leaves room for interpretation and also deviates from the EU Directive, which refers to "basic cyber hygiene procedures and cyber security training". The German legislator is thus altering the EU requirements here.

The previously required creation of concepts for the management of physical systems no longer applies. Remaining requirements now primarily relate to the security of personnel, access control and the management of ICT systems, products and processes. Whether this still does justice to the reality of hybrid IT/OT infrastructures remains to be seen.

The changes in Section 44 (requirements of the Federal Office) give the BSI standards and the IT baseline protection compendium de facto legal status for federal administration organisations, thus upgrading them. It remains to be seen whether and in what form IT baseline protection will also be used as a benchmark for the implementation of risk management measures for private-sector companies.

Even if the changes are not revolutionary, they make it clear that the implementation of the NIS2 Directive is getting closer. The new draft bill is more than just an interim step - it is a clear signal that companies should not put off preparing for the upcoming obligations any longer.

Background: What the NIS 2 Directive means for companies

The NIS 2 Directive is the central EU instrument for strengthening cybersecurity in Europe. It is aimed at companies and organisations that are essential for the functioning of fundamental social and economic processes - for example in the energy, healthcare, transport, finance, administration and digital infrastructure sectors.

The aim is to achieve a standardised, high level of security for network and information systems across Europe. To achieve this, the directive stipulates that companies in certain sectors must fulfil strict security requirements in order to specifically protect their networks and systems from cyber attacks. Specifically, NIS-2 obliges affected institutions to systematically manage risks, implement suitable technical and organisational protective measures and report serious security incidents within defined deadlines.

According to estimates by the German Federal Office for Information Security (BSI), around 29,000 companies and organisations in Germany fall under the scope of the directive - classified as "essential" or "important" within the meaning of the law.

Infringement proceedings: Germany under pressure

The fact that the leaked draft bills are circulating informally illustrates the political pressure to act: Germany has significantly exceeded the implementation deadline for the NIS 2 Directive. On 28 November 2024, the EU Commission therefore initiated infringement proceedings against Germany and 22 other member states.

The second stage followed on 7 May 2025 - a reasoned opinion to which the German government must now respond. Financial sanctions could be imposed if transposition does not follow swiftly.

What companies should do now - specific recommendations according to the BSI standard

Before implementing specific measures, companies should first check whether they are covered by the NIS 2 Directive at all - and to what extent. Is your company affected by the NIS 2 Directive? Take our free quick check now and find out.

Once it has been established whether your organisation is affected, the BSI identifies four key areas of action that companies can use to prepare for the requirements in a structured and effective manner:

  1. Set up a contact point and secure communication channels
  2. Systematically carry out a risk analysis
  3. Implement NIS2 measures - effective, appropriate and documented
  4. Ensure reportability - clear processes, rapid response

KPMG supports you in implementing the NIS-2 requirements with our many years of experience. Find out more at NIS-2 Guideline: Improving your IT security - KPMG in Germany


Contributors to this article were: Tommy Scheffczyk (tscheffczyk@kpmg.com), Finja Hage (finjahage@kpmg.com) and Stephan Senzel (ssenzel@kpmg.com).