Digital Security in a Foreign Jurisdiction: Why the BSI Portal on AWS Is a Political Mistake
A portal for more security – on an insecure foundation? With the launch of the central BSI portal …

Germany has transposed the European NIS2 directive into national law with considerable delay. The late implementation alone would be politically problematic – it stands for years of standstill in cybersecurity and for a structural inability to transpose European minimum standards quickly and coherently into German law. But the substantive decisions weigh more heavily than the time lag.
The new law is intended to better protect critical infrastructures, harmonize cybersecurity requirements, and give the Federal Office for Information Security (BSI) more extensive supervisory powers. Provisions include reporting obligations for security incidents within 24 hours, mandatory emergency plans, risk analyses, and technical protective measures. Around 29,000 companies are expected to fall under these requirements in the future – significantly more than before.
At the same time, central security mechanisms remain insufficiently anchored. Vulnerability management, a core function of modern cybersecurity, was substantially weakened in the parliamentary process. A coherent obligation to continuously identify, evaluate, and remediate security gaps is missing. This undermines the purpose of the law: without systematic vulnerability processes, every reporting path remains a reactive tool. Resilience, however, arises through prevention.
The regulations on so-called critical components are particularly controversial. The bill enables intervention not only in the mobile communications sector but also in fiber-optic networks – even with components already installed. This generates uncertainty, dampens investment, and burdens primarily small and medium-sized enterprises. This affects telecommunications providers as well as operators of energy or transport infrastructures who need long-term planning security.
In addition, decision-making authority over critical components is shifting towards ministerial administration. In the future, the Ministry of the Interior – in coordination with other ministries – is to be able to determine which components count as critical and prohibit their use. A technical assessment by specialized authorities remains possible but carries less weight. For the affected companies, a gray area arises: the regulatory basis remains volatile, and economic risks increase.
Conversely, the scope of application is deliberately narrowed in some sectors. Certain energy producers and municipal operations are exempted from additional regulations to avoid dual structures. This reduces bureaucratic burdens but at the same time risks sectoral gaps in the security architecture.
The political line thus appears inconsistent: on the one hand, the circle of those obligated is being massively expanded. On the other hand, security-relevant obligations are being weakened or relativized by later ministerial decisions. The result is a law that formally fulfills European requirements but factually lags behind the structural requirements of a modern cybersecurity strategy.
NIS2 could have been the impulse to systematically professionalize cybersecurity in Germany and consistently adopt European standards. What is now on the table is a compromise between security policy requirements, economic interests, and administrative overload. The actual question remains open: whether this compromise is sufficient to protect critical infrastructures in a time of increasing digital risks.