Bundestag adopts national IT security law
14.11.2025
Source: E & M powernews
The new NIS-2 Implementation and Cybersecurity Strengthening Act significantly expands the number of critical companies with registration and reporting obligations.
The cybersecurity situation in Germany remains tense. This is evident not least from the status report on IT security in Germany, which the Federal Office for Information Security (BSI) publishes annually in November. The law passed in the Bundestag to implement the European NIS-2 Directive will now comprehensively modernize IT security law, according to a statement from the authority.
The amendment to the BSI Act, which goes hand in hand with the implementation of NIS-2, will significantly expand the number of regulated institutions: instead of around 4,500 previously, around 29,500 institutions will be subject to the rules in future. These must register with the BSI and report significant security incidents. In addition, technical and organizational risk management measures must be implemented.
At the same time, minimum information security requirements will become mandatory for federal authorities for the first time. In the role of Chief Information Security Officer (CISO Bund), the BSI will be responsible for the cross-departmental IT governance of federal authorities and institutions in future.
BSI President Claudia Plattner emphatically described the Bundestag resolution as a milestone for a more resilient cyber defense. The consolidation of mandate, expertise and resources will enable a more effective organization of IT security within the federal administration. The aim is to support companies with starter packages and kick-off seminars to help them get to grips with the new obligations.
Prior approval of critical components no longer required
The Association of Municipal Enterprises (VKU) also rated the changes as fundamentally positive. In the association's view, the MPs have focused on the core areas relevant to security and avoided excessive bureaucracy. The rule on critical components is particularly crucial from the VKU's point of view, as it prevents over-regulation and additional reporting obligations for facilities that only produce energy as a secondary purpose, such as thermal waste treatment plants or sewage treatment plants. These companies would continue to be regulated exclusively under the BSI Act and would not have to report to the Federal Network Agency in addition. In addition, municipal utilities would no longer be required to obtain prior approval for critical components on a case-by-case basis. This is intended to speed up expansion projects in the energy and telecommunications infrastructure sector.
The prohibition of critical components was the subject of intense debate during the legislative process, particularly with regard to possible risks of espionage or sabotage from abroad. In the end, it was agreed that the Ministry of the Interior can issue such a ban subsequently, after a component is already in use, if public order or security is likely to be impaired.
Further supervisory powers
Dennis Rendschmidt, Managing Director of VDMA Power Systems, spoke of an important step towards a higher level of protection for critical infrastructure. Attacks could destabilize entire grid areas due to the strong networking of the energy system. Cyber security is therefore not just a technical necessity, but a central element of security of supply and national security. The possibility for the Ministry of the Interior to subsequently prohibit critical components increases the state's ability to act. However, the association believes that it is not enough to simply look at individual components. A consistent review of all digital access, for example by manufacturers or service providers with remote access to system-related functions, is also necessary.
With the implementation of the EU's NIS-2 Directive, which aims to standardize the protection of critical infrastructure across Europe, the German parliament is setting stricter and more binding standards for cybersecurity in the area of critical infrastructure. Around 29,500 companies and all federal authorities are affected. In future, they will have to establish comprehensive protective measures, including risk analyses, emergency plans, backup concepts and encryption solutions.
The extent of the requirements depends on the importance of the respective institution. Cyber attacks must be reported within 24 hours, an interim report must be submitted after 72 hours and a final report after one month. The BSI will be given more extensive supervisory powers, including the ability to impose fines.
Author: Fritz Wilhelm