In a press commentary, Bitkom President Dr Ralf Wintergerst commented on the implementation of the NIS 2 Directive in Germany. While the EU has successfully improved cyber security with this directive without excessive bureaucracy, German companies lack sufficient time to fulfil the requirements. The deadline for implementation by October 2024 is therefore no longer realistic.
German implementation of the NIS 2 Directive has been decided
The EU's NIS2 Directive is intended to strengthen the cybersecurity of the European economy and raise it to a uniformly high level in view of the increasing threat of cyberattacks. Last week, the German Federal Cabinet passed the necessary German implementation - the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz). Bitkom President Dr Ralf Wintergerst explains:
‘Cyberattacks cause massive damage to the German economy. Last year alone, they totalled 148 billion euros. With the NIS2 regulation, the EU has succeeded in strengthening cyber security without placing an excessive burden on companies through too much regulation and bureaucracy. In Germany, however, companies are lacking the urgently needed legal certainty due to delays in departmental coordination. It is already clear that the planned implementation deadline in October can no longer be met. This makes it all the more important to implement the law swiftly and ensure that it comes into force at least by the beginning of 2025. Small and medium-sized companies in particular also need support to determine whether and how they are affected by the law and what measures they need to take.’
There is still a lack of harmonisation with the KRITIS umbrella law
Important details still need to be adjusted in the upcoming parliamentary procedure. For example, there is a lack of harmonisation with the KRITIS umbrella law, whose implementation process is also currently stalling. Physical security and cyber security need to be considered and addressed together, and companies should be able to use standardised definitions of terms and reporting channels as a guide. There is also a lack of necessary clarification in certain areas. For example, the planned inspection of products and systems by the Federal Office for Information Security should also ensure that manufacturers have an interest in keeping sensitive business secrets confidential, explained the Bitkom President.
Further information can be found at www.bitkom.org.