New cabinet decision on German NIS2 implementation law
Update Information Security No. 6
On July 30, 2025, the German Federal Cabinet approved the draft bill for the implementation of the NIS2 Directive ("NIS2 Implementation Act"), as amended by the government draft of July 25, 2025 (available here). This marks a decisive step forward in the legislative process. However, it remains to be seen whether the legislator's goal of adopting the NIS2 Implementation Act by the end of the year will be achieved.
I. Overview of the key content of the cabinet decision
In terms of content, the government draft largely corresponds to the previous drafts of the NIS2 Implementation Act and mainly contains editorial adjustments in various places, particularly in the new BSI Act ("BSIG-E").
This means that companies and organizations classified as "particularly important entities" (this term corresponds to the term "essential entities" used by the NIS2 Directive) or "important entities" must comply with the following requirements in particular:
- Implementation of appropriate IT risk management measures,
- Establishment of binding processes for handling and reporting significant security incidents (incident response),
- Compliance with supply chain security requirements,
- Implementation of awareness-raising and training measures.
The management of affected companies and organizations is also explicitly subject to governance and training obligations. Failure to comply may result in fines for the companies and organizations concerned.
II. A key point of contention: Negligible business activities
It should be emphasized that the government draft also retains the already widely criticized provision in Section 28 (3) BSIG-E. According to this provision, business activities that are "negligible" in relation to the overall business activities of an institution are not to be taken into account when assigning an institution to a type of institution in accordance with Annexes 1 and 2 to the BSIG-E – and thus when assessing applicability under the BSIG-E.
As already explained in our previous newsletter (available here), the term "negligible business activities" is not defined by law. According to the explanatory memorandum to the law, this should refer to minor secondary activities. An overall assessment of all relevant factors should therefore be carried out.
Another new feature is that the explanatory memorandum now contains specific guidelines for interpreting the term. For example, the number of employees working in the relevant area, the turnover generated by the business activity, or the balance sheet total for this area are to be considered as possible indicators.
According to the explanatory memorandum, one indicator of whether a business activity is negligible is whether it is listed in the partnership agreement, articles of association, or other founding document. However, the latter seems unconvincing, as companies are only permitted to engage in business activities that are described in their articles of association.
As a result, it remains difficult for potentially affected companies to assess with legal certainty when a business activity is actually negligible and therefore not covered by the scope of application. Furthermore, such a national exemption is not provided for in the NIS2 Directive and could therefore be contrary to European law.
III. New KRITIS category in the area of social security and basic social benefits
As in previous drafts, the government draft of the NIS2 Implementation Act retains the new KRITIS category in the area of social security and basic social benefits in the BSI-KRITIS Regulation. What is new in the government draft, however, is that the BSI-KRITIS Regulation now provides for a new Annex 9 with corresponding asset categories and thresholds for this sector.
Specifically, this affects the following asset categories:
- Administrative and payment systems in the area of statutory health and long-term care insurance,
- Service systems,
- Payment systems.
IV. Next steps and timetable
With the cabinet decision, the bill has now officially entered the parliamentary process. The timetable is as follows:
- August 2025: Submission of the draft law to the Bundesrat
- September 2025: First reading in the Bundestag
- November 2025: Second and third readings in the Bundestag
- December 2025 or January 2026: Targeted adoption and promulgation
The Federal Ministry of the Interior still plans for the NIS2 Implementation Act to enter into force by the beginning of 2026 at the latest. However, given the unresolved issues, it remains to be seen whether this timetable will be adhered to.
V. Conclusion and recommendation
Although the government draft is an important step forward, it does not resolve the many problems with the NIS2 Implementation Act. The public consultation in July 2025 once again showed that the drafts to date are in urgent need of revision. It remains to be seen whether the German legislator will take into account the many objections raised in the public consultation phase.
Nevertheless, companies and organizations should already be taking a close look at the current government draft. The first step is to check whether they fall within the scope of application. The second step is to determine the extent to which existing measures and processes already cover the legal requirements and where gaps may still exist. Any gaps must then be closed in a final step.