Germany: Issued draft NIS 2 Implementation and Cybersecurity Strengthening Act including provisions expanding Federal Office for Information Security powers

On 24 July 2024, the draft NIS 2 Implementation and Cybersecurity Strengthening Act, including provisions expanding Federal Office for Information Security (BIS) powers, was adopted by the German Government. The Act transposes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive/2022/2555) in the national legislation. In particular, the Act would expand the BSI's powers to include new supervision and enforcement measures under the NIS-2 Directive, introducing penalty frameworks based on a company's global annual turnover. The BIS will be the national cybersecurity authority tasked with protecting government networks and securing critical infrastructures while also supporting IT security across public administration, business, and consumer sectors. Under NIS 2, Member States are required to designate competent national authorities to manage large-scale crises or incidents, supervise the application of the Directive at the national level, and establish single points of contact and Computer Security Incident Response Teams (CSIRTs), which will act as trusted intermediaries to facilitate interaction between the various entities involved and will be linked by a network of national CSIRTs. The draft Act will now be submitted to the German federal parliament for adoption.