Germany: Berlin Commissioner for Data Protection submitted comments on Draft Act on implementation of NIS-2 Directive and on Regulation of essential principles of information security management in federal administration, including security requirements

On 4 July 2025, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) submitted comments on the Draft Act for the Implementation of the NIS-2 Directive and the Regulation of Essential Principles of Information Security Management in the Federal Administration. The Draft Act applies to essential and important entities subject to cybersecurity and data protection obligations under the NIS-2 Directive and the General Data Protection Regulation (GDPR). The BlnBDI raised concerns that the current draft does not fully implement Article 35(1) of the NIS-2 Directive, particularly regarding the obligation of the Federal Office for Information Security (BSI) to inform data protection authorities of potential personal data breaches. It also called for the creation of integrated electronic reporting procedures to enable companies to meet their NIS-2 and GDPR notification duties simultaneously.