Overview
- CDU/CSU and SPD negotiators say they resolved nearly all disputes on the NIS2 implementation bill, with a parliamentary vote expected next week that would ease penalty pressure from Brussels.
- The Interior Ministry would gain authority to prohibit and order removal of designated critical hardware and software, with those components defined through a cabinet ordinance.
- Regulation shifts to an ex post model under which operators may deploy components at their own risk, must notify the BSI, and would be required to remove items if later banned.
- The federal CISO role will be housed at the BSI, and federal agencies will face binding cybersecurity obligations financed from a special fund.
- Separately, the government is advancing a Kritis umbrella law for physical resilience that requires operator registration, regular risk analyses and comprehensive resilience plans.