On 4 July 2025, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) submitted a formal position on the draft German Act implementing Directive (EU) 2022/2555 (NIS-2) and establishing essential principles of information security management in the federal administration, with particular attention to provisions expanding the powers of the Federal Office for Information Security (BSI). The BlnBDI observed that Section 61(11) of the draft law insufficiently transposes Article 35(1) of the NIS-2 Directive because it limits the BSI’s obligation to notify data protection authorities to cases of “obvious” violations, rather than encompassing all instances where breaches of obligations under the Act may lead to a personal data breach as defined in Article 4(12) GDPR. The position advocated for an amendment to Section 61(11) to ensure the BSI is required to notify competent supervisory authorities without delay whenever a breach of the Act may cause a reportable incident under Article 33 GDPR. Furthermore, under Section 40, which outlines the BSI’s role as the central reporting office, the BlnBDI proposed an additional sub-paragraph (No. 5) requiring the BSI to offer suitable electronic procedures enabling essential and important entities to simultaneously meet reporting obligations under both the NIS-2 Act (Section 32) and Article 33 GDPR. The BSI would also be responsible for ensuring the immediate transmission of such reports to the competent data protection authorities, with the procedural details governed by internal administrative arrangements.