Critical Infrastructure: Bundestag Passes NIS2 Law
Germany is lagging behind with the NIS2 implementation. The Bundestag has now approved the government's proposal. The Bundesrat is up next.
The new regulations are to apply not only to network operators but also to authorities.
On Thursday afternoon, with the votes of the black-red coalition and the AfD, the Bundestag passed the federal government's law for greater security in networks and information systems. With this law, Germany is implementing the requirements of the European Network and Information Security Directive (NIS2) with over a year's delay.
The law obliges operators of critical infrastructures to implement increased protective and preventive measures against attacks on their systems. At the same time, it significantly expands the circle of affected companies and authorities. These include, among others, companies from the areas of energy, health, transport, or digital services. New rules also apply to authorities and administration.
Extended protective measures
Affected companies and facilities will in future have to take protective measures such as risk analyses, emergency plans, backup concepts, or encryption solutions. Cyberattacks must be reported to the Federal Office for Information Security (BSI) within 24 hours. The BSI will receive more supervisory powers with the law and can impose fines for serious violations.
While Die Linke abstained, the Bündnis90/Grüne parliamentary group voted against the law. The Greens call on the federal government to finally regulate the protection of critical infrastructure with a "real critical infrastructure umbrella law". The critical infrastructure umbrella law is intended to implement further parts of the EU requirements. A draft by the federal government is currently being discussed in committees; the proposals from the Greens will also be submitted there.
Germany is significantly behind with the implementation of NIS2 and the critical infrastructure umbrella law. The traffic light coalition government had not managed to get its draft through the Bundestag before the coalition collapsed, so Schwarz-Rot had to present a new draft. The directive should actually have been transposed into national law by October 2024. The EU is already threatening consequences as part of an infringement procedure.
The industry association Bitkom welcomed the Bundestag's decision as overdue. The law will strengthen cybersecurity in Germany, but the new regulations could have "significant implications" for companies' investment decisions. It is "extremely positive" that federal authorities are now also included in the scope of NIS-2.
Consequences for network operators
The Federal Association for Broadband Communication (Breko) speaks of a "fundamentally important and necessary step for more security". However, network operators are skeptical about the rules for the use of critical components.
"The draft law allows interventions not only in mobile communication components but also generally in fiber optic networks – even for already deployed components," says Sven Knapp, head of Breko's Berlin office. "This creates uncertainty." Breko appeals to the Bundesrat to advocate for a "more precise and practical regulation".
(vbr)