New attempt at the German NIS2 Implementation Law
Update Information Security No. 5
The deadline for transposing the NIS2 Directive expired on October 17, 2024. However, the German legislator has not yet managed to pass a corresponding NIS2 implementation law. After months of stagnation, the legislative process has regained momentum in recent weeks with the publication of several revised drafts of the German NIS2 implementation law. The following is a summary of the key changes in the current draft dated June 23, 2025 (available here) and an outlook on the next steps in the legislative process.
I. Changes to the BSIG-E
In terms of structure, the current draft remains largely unchanged in key areas. This applies in particular to the provisions on the scope of application for important and particularly important entities and on IT risk management in the newly planned BSI Act ("BSIG-E").
Essentially, the amendments consist almost exclusively of (minor) editorial clarifications in the area of IT risk management. For example, the list of risk management measures has been adjusted once again by deleting the previously unclear term "cyber hygiene," even though the NIS2 Directive explicitly provides for it. Instead, affected entities are now required to implement "basic training and awareness-raising measures" on IT security. The focus on supply chain security has also been slightly narrowed: companies must now consider security aspects in their relationships with their immediate suppliers, but not the relationships between those suppliers. The term "encryption" has been removed entirely; the term "cryptographic procedures" is used instead.
One significant change concerns the introduction of the new Section 28(3) BSIG-E. This provision now stipulates that, when assessing the applicability of the BSIG-E in connection with the sector-relevant business activities of an important or particularly important entity (note: the term "particularly important entity" in the BSIG-E corresponds to the term "essential entity" in the NIS2 Directive), any business activities that are negligible in relation to the entity's overall business activities shall not be taken into account. The draft does not say when a business activity is negligible. Beyond the resulting legal uncertainty, it is also problematic that the NIS2 Directive itself contains no corresponding provision or opening clause. It therefore cannot be ruled out that Section 28(3) BSIG-E is contrary to European law and thus ineffective. Companies that are currently assessing the scope of application on the basis of the draft are therefore faced with the question of whether and how to take Section 28(3) BSIG-E into account. It remains to be seen whether the legislator will retain this provision in the further course of the legislative process.
The explanatory memorandum to the current draft now also explicitly emphasizes that intra-group IT service providers may fall under the term "managed service providers." The prerequisite for this is actual access to ICT products, networks, or infrastructure; pure consulting activities are not sufficient.
II. Digital energy services as a new category in the EnWG and KRITIS Regulation
The previous draft from November 2024 already introduced a new category under German energy law with the term "digital energy services." Along with this, the November 2024 draft provided for far-reaching changes to the Energy Industry Act (Energiewirtschaftsgesetz, "EnWG") and to the planned KRITIS Regulation. The new draft from June 2025 retains this new category. Unfortunately, there is still no further information on which services are specifically covered by the term "digital energy services." Under the broad definition, it covers all digital systems and equipment that can control, or influence the control of, decentralized consumption systems. It is to be hoped that the legislator will clarify the practical application and interpretation of this new term.
III. Conclusion and outlook
The new draft of the NIS2 implementation law does not bring any fundamental changes. The structural problems already known from previous drafts therefore remain. This applies in particular to the assessment of whether an entity qualifies as an important or particularly important entity, where various questions remain open. Section 28(3) BSIG-E adds new difficulties of interpretation. The few clarifications, for example on intra-group IT service providers, create transparency in some areas but do not solve the core problems.
According to feedback from the BMI, the cabinet is expected to adopt the NIS2 implementation law in the coming weeks. The draft would then be forwarded to the Bundesrat in August and receive its first reading in the Bundestag in the fall. The aim is to promulgate the law by the end of 2025 or early 2026. It remains to be seen whether this schedule will be adhered to. In any case, the legislative process is back on track.