NIS-2 implementation in Germany – What’s next?

Last week it became official: Germany will not implement the Directive (EU) 2022/2555 (known as the NIS-2 Directive) to improve cybersecurity in the EU under the current administration. See below for some guidance on what that means:

Minimum requirements according to the NIS-2 Directive

On 16 January 2023, the NIS-2 Directive came into force at the European level. It replaced Directive (EU) 2016/1148 (known as the NIS-1 Directive). The NIS-2 Directive aims to establish a more coherent cybersecurity regime within the EU. Compared to the NIS-1 Directive, the scope of the NIS-2 Directive affects significantly more institutions and companies. While the NIS-1 Directive covered around 2,000 entities, up to 30,000 organizations are covered by the new Directive, according to the German Federal Office for Information Security (German only). In addition to the sectors already covered by the NIS-1 Directive, such as energy, transport and healthcare, the NIS-2 Directive now also includes additional sectors such as digital services, postal and courier services, wastewater and waste management, manufacturers of critical products and public administration. Covered entities, which the NIS-2 Directive divides into essential and important entities, are subject to significantly more comprehensive and specific cybersecurity measures. Among other things, the new Directive implements:

  • New minimum requirements for the security of network and information systems

  • Extended reporting obligations for cybersecurity incidents

  • Stricter liability conditions for management

For breaches of the minimum security requirements and reporting obligations described above, maximum fines of up to 2% of the total worldwide annual turnover will be imposed in accordance with Art. 34 of the NIS-2 Directive, depending on the criticality of the entity.

Delayed implementation in Germany

Germany has so far failed to implement the NIS-2 Directive on time. In the summer of 2024, the Federal Ministry of the Interior presented a first draft for an implementation law (the NIS2UmsuCG). However, the draft, which in some respects went beyond the minimum requirements of NIS-2, failed to secure a majority in the German parliament after the end of the current coalition government. As a result, the legal situation for affected institutions and companies remains unchanged for the time being: Without a national transposition act, the NIS-2 Directive itself does not create any direct obligations for individuals. Even if the European Court of Justice has recognized the direct effect of directives in the past, this has only been to the benefit of private parties. In short: for the time being, entities covered by the NIS-2 Directive are not at risk of being fined for failing to implement the new cybersecurity requirements prescribed by the Directive.

The situation is different for the German Federal Government, against which the European Commission has initiated infringement proceedings due to the delayed implementation of NIS-2. For this reason, and of course because of the undeniable need for action in the area of cybersecurity, the future German government will have to tackle the implementation of NIS-2 without delay. However, it remains to be seen whether the future government will build on the existing draft. The CDU/CSU parliamentary group, which is expected to be part of the new federal government, has so far advocated a 1:1 transposition of the NIS-2 Directive into German law and has opposed the previous (in some places more far-reaching) draft for the NIS-2 transposition.

Recommended action for entities affected by NIS-2 in the future

In view of the foreseeable legislative changes in German regulatory requirements for cybersecurity, companies should prepare themselves at an early stage, at least with regard to the minimum requirements of the NIS-2 Directive. The BSI’s NIS-2 Impact Assessment (German only) provides a starting point for checking whether your company falls within the scope of the Directive and what obligations it will have to comply with in the future. However, due to the delayed implementation in Germany, there is still some time for internal company adjustments.

 

BLOMSTEIN will continue to monitor the implementation of NIS-2. Please contact Christopher Wolters, Leonard von Rummel and Moritz Schuchert at any time if you have any questions on how to deal with the developments in German IT security law.