Germany: Updated draft NIS 2 Implementation and Cybersecurity Strengthening Act including provisions expanding Federal Office for Information Security powers was released

On 23 June 2025, the updated draft Act on the Implementation of the NIS-2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration was released. The Act, proposed by the Federal Ministry of the Interior and Community (BMI), introduces expansions to the powers of the Federal Office for Information Security (BSI). Pursuant to Section 3 of the Act on the Federal Office for Information Security and on the Security of Information Technology of Entities (BSIG), the BSI is tasked with promoting information security through responsibilities such as identifying and addressing threats to federal information technology systems, analysing vulnerabilities, conducting security assessments, developing certification schemes, and acting as the national authority for cybersecurity certification under Regulation (EU) 2019/881. The BSI is authorised to issue binding measures against operators of critical installations, digital service providers, and manufacturers of information and communication technology products (Sections 10 to 18 BSIG), monitor and analyse protocol and interface data from federal communications networks (Sections 7 to 8 BSIG), and cooperate with law enforcement and intelligence services in cybersecurity matters (Section 8(6)–(7) BSIG). Additionally, Section 4 BSIG designates the BSI as the central federal reporting body for information security, while Section 6 BSIG mandates the operation of a national cybersecurity information-sharing platform.