Germany: NIS 2 Implementation and Cybersecurity Strengthening Act including security requirements was passed by Parliament

NIS 2 Implementation and Cybersecurity Strengthening Act including security requirements was passed by Parliament

On 13 November 2025, the NIS 2 Implementation and Cybersecurity Strengthening Act, including security requirements, was passed by the Parliament. It introduces a minimum set of risk measures, including incident-handling procedures, business continuity requirements, vulnerability management, authentication, cryptographic protection, and supply chain controls. Companies are required to assess their own risks and implement proportionate safeguards. The Act also replaces the single-step reporting model with a three-tier regime requiring reports at 24 hours, 72 hours, and one month.

Original source

Scope

Policy Area

Data governance

Policy Instrument

Cybersecurity regulation

Regulated Economic Activity

cross-cutting

Implementation Level

national

Government Branch

legislature

Government Body

parliament

Complete timeline of this policy change

Hide details

2024-05-07

under deliberation

On 7 May 2024, the Federal Interior Minister presented the draft NIS 2 Implementation and Cybersecu…

2024-07-24

under deliberation

On 24 July 2024, the draft NIS 2 Implementation and Cybersecurity Strengthening Act, including secu…

2025-06-23

under deliberation

On 23 June 2025, the updated draft Act on the Implementation of the NIS-2 Directive and on the Regu…

2025-07-04

under deliberation

On 4 July 2025, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) sub…

2025-11-13

under deliberation

On 13 November 2025, the NIS 2 Implementation and Cybersecurity Strengthening Act, including securi…

Description

NIS 2 Implementation and Cybersecurity Strengthening Act including security requirements was passed by Parliament

Scope

Complete timeline of this policy change