Overview
- CDU/CSU and SPD negotiators agreed to empower the Interior Ministry to ban listed critical components. Under the agreed ex post notification regime, prohibitions are issued by the ministry leadership after a component has already been deployed, rather than through prior approval.
- Operators may deploy such components at their own risk, but must notify the BSI and later remove any item that is prohibited. A cabinet ordinance catalogs the components deemed critical or untrustworthy.
- The package moves the federal chief information security officer to the BSI and subjects federal authorities to cybersecurity obligations, with upgrades financed from a special sovereign fund.
- Because its scope is tied to NIS2, the law expands the set of covered entities from roughly 4,500 to more than 30,000 and introduces a three‑tier incident reporting system together with strengthened BSI oversight tools.
- Unresolved rules on handling disclosed software vulnerabilities were deferred to the Cyber Resilience Act, while a separate Kritis‑Dachgesetz to harden physical infrastructure advanced with requirements for registration, risk analyses and resilience plans.