Federal Cabinet approves IT security legislation for businesses
Germany Strengthens Cybersecurity with New IT Security Act
The German government has passed a new IT Security Act, aiming to bolster cybersecurity and protect both the economy and administration from potential threats. This legislation, drafted by Alexander Dobrindt (CSU), transposes the second EU directive on network and information security (NIS-2) into German law [6].
Under the new act, more companies across key economic sectors will be required to actively protect their digital infrastructure [2]. The federal administration's digital infrastructure will also benefit from enhanced security measures [3]. Dobrindt reiterated that the new law will provide a significantly higher level of security for the economy and administration [1].
The focus of the new IT Security Act is on clear rules without unnecessary bureaucracy, so that companies and authorities become more resilient against cyberattacks [5]. The Federal Office for Information Security (BSI) will receive new oversight instruments under the new law, allowing it to support companies more closely and to monitor compliance with the prescribed security standards [2].
The BSI plays a central role in enforcement and oversight under the updated Act on the Federal Office for Information Security (BSI Act – BSIG) [1]. Companies must self-register as NIS-2 entities and operate a verifiable Information Security Management System (ISMS) covering technical, operational, and organizational controls [3].
A range of mandatory risk management measures must be implemented, including risk analyses, backups, encryption, regular testing, and cybersecurity training [1]. Affected companies, especially those categorized as important or critical facilities, are obliged to report significant security incidents promptly to competent authorities [1][5].
The new law reflects heightened cybersecurity concerns amid geopolitical tensions, such as increased cyberattacks from state actors and organized crime since 2022 [4]. The aim is to have significantly more companies actively involved in protecting their digital infrastructure, aligning with the EU's reinforced cybersecurity framework [1].
The implementation of NIS-2 in Germany involves amending several laws, primarily the BSI Act. Although the cabinet decision has been made, key questions remain unresolved, including exemptions for negligible critical activities and the risk of diverging implementations at the EU level [2]. The parliamentary process is ongoing, and some details, such as transition periods, remain unclear [3].
In summary, the German NIS-2 implementation through amendments in the BSI Act will mandate expanded cybersecurity duties for many companies classified as critical or important infrastructure operators. This ensures more structured risk management, incident reporting, and compliance oversight to align with the EU's reinforced cybersecurity framework [1][2][3]. The process remains dynamic during 2025 with continuing legislative steps.
- The new IT Security Act in Germany is a policy-and-legislation development that aims to improve cybersecurity in line with the EU's reinforced cybersecurity framework, with a particular focus on key economic sectors and the federal administration.
- The amended Act on the Federal Office for Information Security (BSI Act – BSIG) carries technical obligations as well: affected companies must self-register as NIS-2 entities and operate a verifiable Information Security Management System (ISMS).
- Public discussion of the new IT Security Act centres on the duties it imposes on companies: implementing mandatory risk management measures, reporting significant security incidents, and adhering to the prescribed security standards, which underlines how closely technology and policy-and-legislation are now intertwined.