Government endorses fresh legislation to enhance enterprise cybersecurity
On Wednesday the German government approved a new IT Security Act aimed at enhancing cybersecurity across the nation. Drafted by Alexander Dobrindt (CSU), the legislation is a response to the growing need for improved cybersecurity measures in Germany and is part of the country's efforts to comply with the EU's directive on network and information security (NIS-2).
The new law transposes the EU NIS-2 directive into German national law, raising the cybersecurity baseline for critical infrastructure and important digital service providers. Its scope is substantially broader than under earlier rules, covering more sectors and more types of organisations.
Operators of essential services and important entities, such as those in energy, transport, health, finance, digital infrastructure, public administration, and many digital services, will now be subject to the new regulations. Covered entities must implement risk-management measures across governance, technical, and organisational controls, including incident prevention, detection, resilience, supply-chain risk management, encryption, access control, asset management, patching, business continuity, and recovery.
The Act requires timely reporting of significant cyber incidents to the Federal Office for Information Security (BSI) and other competent authorities, with strict timelines and specified content requirements for reports. Organisations must also assess and manage cybersecurity risks arising from suppliers and service providers and take mitigation measures.
The BSI and sectoral regulators will obtain strengthened supervisory powers, including audits, on-site inspections, and requirements to remediate deficiencies. The Act introduces substantially higher administrative fines and penalties for non-compliance than prior German law, aligned with NIS-2’s tougher enforcement regime.
Certain critical service providers must register with or notify the BSI or relevant authority to allow targeted supervision. The updated IT Security Act works alongside the BSI-Gesetz and Germany’s data protection regime; it does not replace sectoral rules but creates a unified baseline reflecting EU minimums.
Alexander Dobrindt (CSU) reiterates that the new IT Security Act will provide a higher level of security for the economy and administration, while relying on clear rules without unnecessary bureaucracy. The law aims to have a larger number of companies actively involved in protecting their digital infrastructure across key economic sectors.
The provisions of the new IT Security Act were adopted or updated in 2024–2025 and are now being enforced and integrated into supervisory practice by the BSI and sector regulators. Companies falling into the NIS-2 categories are advised to prepare or update their risk-management program, strengthen supply-chain security, establish incident detection and reporting processes, and ensure executive accountability and documentation for audits.
For the exact legal text, compliance deadlines, fines, and thresholds applicable to a specific organisation, consult the official BSI guidance and the full text of the amended IT-Sicherheitsgesetz and the NIS-2 transposition measures. The BSI will be able to support companies more directly and to monitor their compliance with the prescribed security standards.
- The new IT Security Act, approved in Germany, aligns with the EU's NIS-2 directive, aiming to strengthen cybersecurity across essential sectors such as energy, transport, health, finance, digital infrastructure, public administration, and digital services.
- Companies operating in these sectors are now required to implement robust risk-management measures, including incident prevention, detection, resilience, supply-chain risk management, and reporting of significant cyber incidents to the Federal Office for Information Security (BSI).
- The Act introduces stiffer penalties for non-compliance, relying on strengthened supervisory powers for the BSI and sectoral regulators, and requires affected organizations to prepare or update their risk-management programs, focus on supply-chain security, and establish incident detection & reporting processes.