On 7 May 2024, the Federal Ministry of the Interior (BMI) published the first official draft of the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG for short) and simultaneously launched the consultation with associations. Despite some improvements, the legislator has missed the opportunity to create legal clarity for the economy. Companies are still faced with almost impossible tasks.
Statement on the draft bill
As our detailed statement shows, the new draft bill contains some improvements compared to the previous version, but does not solve the fundamental problems of the NIS2 Directive. The German legislator has missed several opportunities to create legal clarity. Instead of a political tug-of-war between the ministries and an entanglement of the NIS2UmsuCG with other political demands, pragmatism and a clarification of the open legal issues at European level are now required in the further legislative process. It remains to be seen whether this will succeed.
What happens next?
The official draft bill was published to mark the start of the consultation process for associations. Comments can be submitted until 28 May 2024. A hearing will take place on 3 June 2024. However, there is only a short time left until 17 October 2024. It is very unlikely that the draft bill will pass the Bundestag, be signed by the Federal President and published in the Federal Law Gazette by then. As long as the NIS2 Directive has not been transposed into national law, it will not result in any obligations for companies.
First aid for companies
Affected companies do not have to fulfil the requirements in Germany until the NIS2UmsuCG has been published in the Federal Law Gazette. However, as the fulfilment of the new requirements is associated with considerable effort, companies should start implementation at an early stage. Companies can only be recommended to orientate themselves on the wording of the NIS2 Directive itself. If no changes are made as part of the legislative process, one or other of the provisions of the NIS2UmsuCG will probably only have a short half-life. It is also already clear that the NIS2 Directive completely fails to achieve the goal of harmonising cybersecurity law across Europe.
We will be happy to assist you with any questions you may have about how you are affected by the NIS2 Directive and how you can implement the requirements in your company. We will also submit our criticism of the draft bill for the NIS2UmsuCG to the legislator as part of the consultation with the associations and are confident that the interests of the business community will still be sufficiently taken into account. Please contact dbu@reuschlaw.de directly if you have any points that you would like us to include in the consultation with the associations.
Further information can be found here
- Detailed Statement dated 10 May 2024
- Free Quick-Check on the impact of the NIS2 Directive
- Article (German) on LinkedIn: What happens if Germany does not implement the directive (on time)?
- Onepager: NIS2 Compliance for companies