Overview
- Lawmakers approved the EU NIS-2 transposition with votes from CDU/CSU, SPD and AfD, while the Greens abstained and introduced a motion to designate the Bundestag as critical infrastructure.
- The scope of obliged entities expands to about 14,500 companies, and violations will attract tougher sanctions under the new regime.
- The one-step incident notification is replaced by a three-stage process requiring an early warning, follow-up reports and a final report.
- Cybersecurity requirements in the federal administration are harmonized, IT-Grundschutz becomes mandatory and is to be modernized by 1 January 2026, and a CISO Bund will coordinate implementation.
- The bill cites high economic stakes: Bitkom estimates annual cyber losses above €200 billion, covered firms are projected to avoid roughly €3.6 billion in losses, and compliance is expected to cost €2.2 billion one-off and €2.3 billion annually.