"Cyber resilience must be on people's minds": Bundestag discusses NIS2
The Bundestag has held an initial debate on the NIS2 Implementation Act. The late implementation in Germany was criticized.
In front of almost empty rows of seats, the Bundestag today, Friday, held its first debate on the NIS2 Implementation and Cybersecurity Strengthening Act, which transposes the second EU Directive on Network and Information Security (NIS2), one week before the transposition deadline. The EU NIS2 Directive must be transposed into national law by October 18. Germany will miss this deadline: it is currently assumed that NIS2 will not come into force in Germany until spring 2025.
Johannes Saathoff, Parliamentary State Secretary at the Ministry of the Interior, summarized the key requirements of NIS2: a defined level of security measures and reporting obligations in the event of cybersecurity incidents. NIS2 expands the number of companies subject to state cybersecurity requirements from the current 4,500 critical infrastructures to around 29,500 companies from 18 sectors.
Although cyber incidents caused record losses of 267 billion euros in the economy in 2023, the problem has not yet reached all boardrooms: "Cyber resilience must be on people's minds." It is therefore right that the NIS2 directive places the onus on company management.
Strengthening cybersecurity in the federal administration?
The German NIS2 implementation is also intended to strengthen the cybersecurity of the federal administration. The Federal Office for Information Security (BSI) is to be given more powers and developed into a central security authority. The federal and state governments are also to work more closely together.
Marc Henrichmann from the CDU/CSU parliamentary group doubted that this would be successful. He criticized the fact that downstream federal authorities would remain at a minimal level of protection. Although the BSI is to be given additional powers, the BSI budget has been cut by 21 million euros in the 2025 budget. His parliamentary group colleague Petra Nicolaisen criticized the late implementation of the EU directive by the federal government.
Anke Domscheit-Berg from the Left Party accused the traffic light government of failing in the area of cybersecurity. 750 security positions in the federal government are currently vacant. The implementation of NIS2 is too late and the current draft of the German implementation law is limited to a minimum of measures. The fact that municipal authorities are explicitly exempt from the NIS2 requirements is not justified.
The NIS2 Implementation and Cybersecurity Strengthening Act will now be discussed further in the committees.
(odi)