The Federal Government plans to enshrine the EU's NIS-2 Directive, which mandates the protection of important facilities and companies against cyber attacks, in German law by early 2026. “The Federal Ministry of the Interior is currently pushing this topic,” the President of the Federal Office for Information Security (BSI), Claudia Plattner, told the German Press Agency. “I am hopeful that we can have it enter into force in early 2026.”
According to the Interior Ministry, the federal states and affected associations were consulted on the draft, which, among other things, establishes the obligation to analyze risks and to report security incidents. “It is important that companies and institutions hear the starting shot,” says the BSI boss.
Protection against blackmail and sabotage
The implementation of the European directive is intended to bring about more cyber security at companies and institutions. Important facilities within the meaning of the law include larger companies in the energy, transport, drinking water, food production, waste water and telecommunications sectors. The idea behind it: if they were no longer able to operate, for example because a hacker encrypted their data or blocked access to it, this would have a significant impact on the population.
The obligation to implement certain security measures for defending against and coping with cyber attacks is expected to affect an estimated 29,000 companies in future, significantly more than before. The BSI currently looks after around 4,500 operators of critical infrastructure that have to meet certain cybersecurity standards. The BSI's NIS-2 survey has been online for about four months. It allows anyone to find out whether the planned stricter rules apply to them or not. According to the BSI, the test has been used more than 200,000 times. However, Plattner still has the impression: “The affected companies and institutions still do not really have the requirements that are coming their way on their radar.”
Implementation deadline expired in October
The deadline for implementing the NIS-2 Directive expired on October 17, 2024. By this date, all EU member states should have transposed the directive into national law. Germany and numerous other EU countries did not meet the deadline. The traffic light coalition had adopted a cabinet decision in July 2024. After the end of the coalition of SPD, Greens and FDP, however, there was no longer a majority in the Bundestag.
“Because we did not manage it in the last legislative period, speed is now really called for,” warns the BSI president. In her view, it is therefore better to implement the directive quickly and improve it later. Because German companies, authorities, research institutes and also institutions in politics would be permanently attacked at a relatively high level and the law will ensure that these attacks are successful.
Criminal and political actors
The BSI says it is currently observing many supply chain attacks. These involve engineering firms or IT companies, where it often turns out afterwards that the service provider was not the actual target, but rather the companies or institutions that are its customers. “These can also be authorities or institutions from the political sphere,” says Plattner. Sometimes it is not entirely clear whether an attack is a purely criminal operation or whether a state actor may also be in the background. In some cases, both are relevant. “There are unholy alliances between financially motivated and political actors,” reports the BSI President.
In the past few days, a hacker attack caused a massive IT failure and problems at the German facilities of the health company Ameos. In Saxony-Anhalt, several ministries briefly could not be accessed on Thursday. The reason was an overload attack by a pro-Russian hacker group on the state portal, it was said.
BSI offers support
According to Plattner, the effort that individual companies and institutions must make to fulfill the obligations of the NIS-2 Directive cannot be estimated. Those that have a good IT department and already take care of cyber security will often be able to manage the challenges “with on-board resources”. For those who have never dealt with the topic, the learning curve will “be significantly steeper”. The head of the federal authority, which is headquartered in Bonn, promises support here. “We strive to make this as painless as possible with our information and advice for companies.”
