
      According to EU requirements, the NIS 2 Directive should have been transposed into national law by 17 October 2024 at the latest. However, as a result of the early federal election on 23 February 2025, all legislative proposals that had not yet been passed lapsed and have to be reintroduced; the NIS2 Implementation Act (NIS2UmsuCG) was therefore also put on hold.

      New draft bills from the Federal Ministry of the Interior have been circulating since the beginning of June 2025. There is still no official publication, yet this marks the unofficial restart of the legislative process. How dynamic the process has become can be seen from the fact that three versions of the draft, dated 26 May, 2 June and 23 June 2025, have become public in recent weeks; the most recent version was sent to the associations together with the request for comments.

      Key changes

      • Scope of application reduced

        As part of the impact analysis, an important amendment has been made to Section 28 (3) (particularly important entities and important entities). It clarifies that business activities that are negligible in relation to the organisation's overall business activity are not taken into account when assigning the organisation to an entity type.

        The intention behind this amendment is understandable and marks an important return to the objective of the European cybersecurity strategy: the resilience of the European economy and its actors against cyber threats. Negligible activities (e.g. operating a photovoltaic system on the roof of an administrative, logistics or production building) should not qualify an organisation as an energy producer. However, the term "negligibility" as a relative reference to the company's overall output is an unfortunate choice of indeterminate legal concept, and it was already the subject of heated legal debate only a few days after publication. If "negligible" is to be retained, the reference point should not be the company itself but, in relative terms, the impact on the industry or regulated sector in the respective country.

      • Fewer consultations and less coordination

        The second amendment concerns the requirement to coordinate statutory ordinances with the scientific community, operators of critical infrastructures (KRITIS) and associations. Mandatory consultation has been dropped both for the definition of a KRITIS facility and for the definition of a significant security incident. From a business perspective this change must be viewed critically, as it may lead to overregulation. It is to be hoped that the dialogue with the scientific community, KRITIS operators and associations, which has already begun in many areas, will be intensified, and that dropping the formal anchoring in the procedure serves only to speed up and simplify the process.

      Notes on the subsequent interpretation in practice

      In terms of content, the drafts build on familiar structures, in particular the risk-based approach to IT security. Although the adjustments in the area of risk management measures are limited, they provide important pointers for later interpretation in practice:

      • Supply chain protection revised

        The new wording emphasises the security of the supply chain "including security-related aspects of relationships with direct suppliers or service providers". The previous reference to relationships "between the individual organisations" has been deleted. Companies must therefore primarily assess the direct relationship with their own suppliers and service providers, not the interdependencies further along the supply chain.

      • Cyber hygiene cancelled

        The term "cyber hygiene" has disappeared from the catalogue of measures. Instead, the draft now refers to "basic training and awareness-raising measures". The authors of this article view this change critically, as the term "basic" leaves room for interpretation and also deviates from the EU Directive, which refers to "basic cyber hygiene practices and cybersecurity training". The German legislator thus departs from the EU wording here.

      • Asset management cancelled

        The previously required creation of concepts for managing physical assets no longer applies. The remaining requirements now primarily relate to personnel security, access control and the management of ICT systems, products and processes. Whether this still does justice to the reality of hybrid IT/OT infrastructures remains to be seen.

      • Upgrading basic IT protection

        The changes in Section 44 (requirements of the Federal Office) give the BSI standards and the IT-Grundschutz-Kompendium (IT baseline protection compendium) de facto legal status for federal administration organisations, thereby upgrading them. It remains to be seen whether, and in what form, IT baseline protection will also serve as a benchmark for the implementation of risk management measures by private-sector companies.

      Even if the changes are not revolutionary, they make it clear that the implementation of the NIS 2 Directive is drawing closer. The new draft bill is more than just an interim step: it is a clear signal that companies should not put off preparing for the upcoming obligations any longer.

      Background: What the NIS 2 Directive means for companies

      The NIS 2 Directive is the central EU instrument for strengthening cybersecurity in Europe. It is aimed at companies and organisations that are essential for the functioning of fundamental social and economic processes, for example in the energy, healthcare, transport, finance, public administration and digital infrastructure sectors.

      The aim is to achieve a uniformly high level of security for network and information systems throughout Europe. To this end, the directive stipulates that companies in certain sectors must fulfil strict security requirements in order to protect their networks and systems against cyber attacks. In concrete terms, NIS 2 obliges affected entities to manage risks systematically, to implement suitable technical and organisational protective measures, and to report significant security incidents within defined deadlines.

      According to estimates by the Federal Office for Information Security (BSI), around 29,000 companies and organisations in Germany fall within the scope of the directive, classified as "particularly important" or "important" entities within the meaning of the law.

      Infringement proceedings: Germany under pressure

      The fact that the leaked draft bills are circulating informally illustrates the political pressure to act: Germany has significantly exceeded the transposition deadline for the NIS 2 Directive. On 28 November 2024, the EU Commission therefore opened infringement proceedings against Germany and 22 other member states.

      The second stage followed on 7 May 2025 with a reasoned opinion, to which the German government must now respond. If transposition does not follow swiftly, the next stage is referral to the Court of Justice of the EU, which can result in financial penalties.

      What companies should do now - specific recommendations according to the BSI standard

      Before implementing specific measures, companies should first check whether they are covered by the NIS 2 Directive at all, and to what extent. Is your company affected by the NIS 2 Directive? Complete our free quick check and find out.

      Once the question of applicability has been clarified, the BSI identifies four key areas of action that companies can use to prepare for the requirements in a structured and effective manner:

      1. Set up a contact point and secure communication channels
      2. Carry out a systematic risk analysis
      3. Implement NIS2 measures - effective, appropriate and documented
      4. Ensure reporting capability - clear processes, rapid response

      Contributors to this article were: Tommy Scheffczyk (tscheffczyk@kpmg.com), Finja Hage (finjahage@kpmg.com) and Stephan Senzel (ssenzel@kpmg.com).



      Your contact

      Dr. Michael Falk

      Partner, Consulting, Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft