Cyber risk in sight: New law for 30,000 companies from 2026!
The federal government plans to transpose the EU's NIS 2 cybersecurity rules for companies into national law in 2025 in order to protect critical infrastructure.

The federal government plans to take a decisive step toward improving cybersecurity in Germany. As Radio Ennepe Ruhr reports, the rules adopted by the EU to protect important facilities and companies from cyberattacks are to be transposed into national law by the beginning of 2026. Claudia Plattner, President of the Federal Office for Information Security (BSI), has expressed the hope that the law can enter into force at the start of 2026.
But what does that mean in concrete terms? The transposition of the European NIS 2 Directive, which was published in the Official Journal of the EU on December 27, 2022, is intended to significantly raise the level of cybersecurity at companies and institutions. Around 29,000 companies classified as particularly important will fall under the new rules. That is a substantial increase: until now, only around 4,500 operators of critical infrastructure have received intensive support from the BSI. An "NIS 2 affectedness check" (NIS-2-Betroffenheitsprüfung) has already been put online and has now been queried more than 200,000 times. Plattner warns, however, that many companies are still not taking the new requirements seriously enough.
The challenges of implementation
A major issue is that the deadline for transposing the NIS 2 Directive into national law already expired on October 17, 2024, and Germany, along with several other EU member states, missed it. The lack of a majority in the Bundestag after the collapse of the traffic light coalition severely delayed the legislative process, and the early federal election prevented the parliamentary procedure for the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) from being completed. There is therefore an urgent need to pick up the pace of implementation.
According to the BSI, its own role is strengthened by the NIS 2 Directive. The law was expected to enter into force in 2025 and will not only transpose the EU's minimum cybersecurity standards into German legislation but also improve cooperation between the state and the business community. For operators of critical facilities, the security requirements are raised significantly.
Scope of the new regulations
Affected sectors include energy, transport, telecommunications, drinking water, food production and wastewater. New categories of facilities are introduced to keep pace with current challenges in cyberspace. Operators of critical facilities must provide evidence of compliance with the security measures every three years. In addition, significant security incidents must be reported within 24 hours (the initial report, or early warning, under NIS 2), and fines for violations range from 100,000 to 20 million euros, depending on worldwide annual turnover.
These far-reaching rules are necessary to ensure that Germany's critical infrastructure keeps functioning in the long term. If everything goes according to plan, the NIS2UmsuCG could genuinely lead to better protection against cyberattacks and, not least, noticeably improve the security of the population, as OpenKRITIS shows.
The federal government faces one of its most fundamental challenges in finally bringing cybersecurity in Germany up to date. It remains to be seen how the administration performs in the coming year and whether the planned measures can actually be implemented on time.