Germany: Updated draft NIS 2 Implementation and Cybersecurity Strengthening Act including security requirements was released

On 23 June 2025, the updated draft Act on the Implementation of the NIS-2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration was released. The Act, proposed by the Federal Ministry of the Interior and Community (BMI), incorporates the minimum security measures set out in Article 21(2) of Directive (EU) 2022/2555 into the Federal Office for Information Security Act (BSIG), with differentiated application based on the category of entity to ensure proportionality. The Act establishes mandatory risk management measures for particularly important and important entities and stipulates additional obligations for operators of critical installations. The Act also introduces a three-tier incident notification regime, replacing the previous single-stage obligation, requiring early warning notifications within 24 hours, intermediate reports within 72 hours, and final assessments within one month. Further, the Act mandates registration with the Federal Office for Information Security (BSI), and imposes implementation, oversight, and training duties on executive management. The requirements include measures relating to the security of network and information systems, incident handling, business continuity, supply chain security, encryption, authentication, and staff training, in line with the Directive’s objective to achieve a high common level of cybersecurity across the Union.