Germany Races to Implement Landmark EU Cyber Protection Law by 2026
The German government is accelerating its effort to transpose the EU's NIS2 Directive into national law, which would make risk management and incident-reporting obligations mandatory for operators of critical infrastructure and for a much wider set of companies, with the aim of having the law in force by early 2026. The move comes as the country faces a sustained barrage of cyberattacks on targets ranging from healthcare providers to state government portals.
The Federal Ministry of the Interior is spearheading the initiative, and Claudia Plattner, President of the Federal Office for Information Security (BSI), hopes the law can take effect early next year. "I have hope that we can get it into force in early 2026," Plattner said.
The NIS2 Directive aims to raise the level of cybersecurity across the European Union by establishing a common baseline of mandatory security measures. Germany's federal states and the affected industry associations were consulted on the draft bill in early July; the draft includes obligations to carry out risk analyses and to report security incidents. "It is important that companies and institutions hear the starting shot," Plattner emphasized.
Expanding the Scope of Cyber Defense
The law will significantly broaden the scope of cybersecurity requirements, extending beyond the operators of critical infrastructure regulated today to larger companies in sectors such as energy, transport, drinking water, food production, wastewater management, and telecommunications. The rationale is clear: a disruption of these essential services, for example through data being encrypted or access to systems being blocked by an attacker, would have a substantial impact on the population.
An estimated 29,000 companies will be affected by the new rules, a large increase from the roughly 4,500 operators of critical infrastructure currently overseen by the BSI. To help organizations work out whether and how they are affected, the BSI launched an online NIS2 self-check four months ago. It has already been used more than 200,000 times, but Plattner notes that many companies still appear unaware of what is coming. "The requirements that are coming for the affected companies and institutions are still not really on their radar," she observed.
Missed Deadlines and Renewed Urgency
The deadline set by the directive was October 17, 2024, by which all EU member states were required to transpose it into national law. Germany, along with numerous other EU countries, missed that deadline. The federal cabinet had approved a draft implementation act in July 2024, but the bill was not passed before the legislative period ended early, and it lapsed with the change of parliamentary majority.
"Because we didn't manage it in the last legislative period, there is now real urgency," Plattner warned. She believes a swift implementation, followed by iterative improvements, is the most pragmatic approach, given the constant and high level of cyberattacks on German companies, public authorities, research institutions, and political organizations.
Evolving Threat Landscape: Supply Chain Attacks and State-Sponsored Actors
The BSI is currently observing a surge in supply chain attacks, in which engineering firms and IT service providers are compromised not for their own data but as stepping stones into their clients' networks. "These can also be authorities or institutions from the political space," Plattner explained. Distinguishing purely criminal operations from state-backed ones is often difficult, and there is evidence of "unholy alliances between financially motivated and political actors."
Recent incidents underscore the escalating threat. A cyberattack caused significant IT disruptions at the German healthcare company Ameos. Separately, the websites of several ministries in Saxony-Anhalt were briefly taken offline by a denial-of-service attack attributed to a pro-Russian hacker group.
BSI Support and the Road Ahead
The BSI recognizes that meeting the obligations of the NIS2 directive will require significant effort from affected organizations. Companies with an established IT department and existing cybersecurity practices may be able to adapt "with existing in-house resources," but those without prior experience face a "significantly steeper" learning curve.
The BSI has committed to supporting them, aiming to make the transition "as painless as possible" through information and advisory services. The agency says it is prepared to help companies navigate the new requirements and strengthen their defenses against an increasingly sophisticated and relentless threat landscape.
