Court of Auditors takes govt to task over NIS2 rollout, critical infrastructure safety

The budget auditors consider it imperative to make basic IT security mandatory for critical infrastructures throughout the federal administration.


The Federal Audit Office has hardly a good word to say about the German government's delayed draft for implementing the EU directive on network and information security, known as NIS2. In a report on the initiative to the Bundestag dated September 15, which has now been made public, the auditors criticize in particular that the executive branch wants to limit the obligation to implement basic IT security and risk management to federal ministries and the Federal Chancellery. This could lead to security risks in the networked federal administration originating from subordinate authorities. It is therefore urgently necessary to make basic IT security legally binding for the entire federal administration.

NIS2 is intended to ensure a high level of cybersecurity throughout the EU in critical sectors such as information and communication technologies (ICT), energy and water supply, transport, finance, and media. Member states were required to implement the directive by October 17, meaning that Germany is already significantly behind schedule. The EU Commission therefore initiated the second stage of infringement proceedings against the Federal Republic in May. How the requirements from Brussels are to be incorporated into national law has long been a subject of heated debate in this country.

In its analysis published by Politico, the Court of Auditors now criticizes that the draft law provides for far-reaching exceptions for the Foreign Office, even though a large part of the foreign IT is operated from domestic data centers. It is important to limit these special rules and avoid parallel structures alongside the Federal Office for Information Security (BSI).


According to the report, thousands of companies would have to prove their compliance with the requirements every three years through external audits. Federal administration institutions would only have to do so after five years and in the form of a standardized declaration, without external auditors. The same requirements would have to apply here as well.

The government plans to introduce a coordinator for information security (CISO Bund), which has not escaped the attention of the Court of Auditors. However, there is a lack of tasks, duties, and powers "that would enable uniform and coordinated management of cybersecurity across departments." The executive estimates the additional budget expenditure for 2026 to 2029 at over €900 million, mainly for 1,276 additional positions. These figures seem implausible to the auditors due to the sometimes very different information provided by the departments. They advise that the reported expenses be critically examined and cross-checked.

The Court of Auditors is calling for the new law to be comprehensively reviewed after three years. Previous evaluations in this area have been insufficient. In 2007, for example, the government adopted a set of rules for the federal administration on the recommendation of the BSI to achieve and maintain an adequate level of IT security. The budget experts complain that this standard has still not been implemented across the board, and that consequences should be drawn from this.

The auditors first gave the Federal Ministry of the Interior, which is responsible for this area, the opportunity to comment on the allegations. The ministry did not make use of this opportunity on many points or stated, for example, that it did not consider a statutory evaluation obligation to be appropriate. In its final report, the Court of Auditors sees little manifest opposition from the executive branch. It also points out that the proposed changes would not result in additional budgetary expenditure.

(emw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.