Germany: Announced NIS 2 Implementation and Cybersecurity Strengthening Act including Security requirements

On 7 May 2024, the Federal Interior Minister presented the draft NIS 2 Implementation and Cybersecurity Strengthening Act, including security requirements. The Act transposes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive/2022/2555) in the national legislation. The proposed Act will extend IT security requirements and incident reporting obligations to a broader range of companies across more sectors, significantly expanding the scope beyond operators of critical infrastructures, digital service providers, and companies of special public interest. Furthermore, the Act incorporates in the national legislation the minimum security requirements from the NIS-2 Directive and the three-tier reporting system, requiring an initial report within 24 hours, an update within 72 hours, and a final report to be submitted within one month.