Germany: Issued draft NIS 2 Implementation and Cybersecurity Strengthening Act including security requirements

On 24 July 2024, the draft NIS 2 Implementation and Cybersecurity Strengthening Act, including security requirements, was adopted by the German Government. The Act transposes the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive/2022/2555) in the national legislation. The proposed Act will extend IT security requirements and incident reporting obligations to a broader range of companies across more sectors, significantly expanding the scope beyond operators of critical infrastructures, digital service providers, and companies of special public interest. Furthermore, the Act incorporates the minimum security requirements from the NIS-2 Directive and the three-tier reporting system in the national legislation, requiring an initial report within 24 hours, an update within 72 hours, and a final report to be submitted within one month. The draft Act will now be submitted to the German federal parliament for adoption.