Critical infrastructures: No implementation of the NIS-2 and CER directives before the federal elections

Marian Niestedt, M.E.S.
Lawyer | Shareholder
Kahraman Altun, LL.M.
Lawyer | Senior Associate

The implementation of Directives (EU) 2022/2555 (NIS-2 Directive) and (EU) 2022/2557 (CER Directive) has failed in Germany for the time being. As has now become known, the previous coalition partners were unable to agree on transposing the directives into German law after the government's collapse. Nevertheless, companies should assess whether they are likely to be affected by the implementing legislation and prepare to implement the associated obligations.

What do the directives regulate?

The NIS-2 and CER Directives aim to establish a uniform level of protection across the EU with regard to the security of critical infrastructures, including those in the energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, and space sectors. The NIS-2 Directive aims to obligate affected companies to maintain a high level of cybersecurity. Its scope is significantly broader than that of its predecessor, Directive (EU) 2016/1148 (NIS-1 Directive), meaning that numerous companies will be subject to concrete cybersecurity obligations for the first time. Furthermore, the obligations go further than those under the NIS-1 Directive. In particular, companies will be required to assess security within their supply chains and ensure it through appropriate measures.

The CER Directive, on the other hand, focuses on increasing the physical resilience of critical infrastructure in the context of hybrid threats, natural disasters, and extreme weather events caused by climate change. Affected companies will be required to implement various measures to ensure the physical resilience of critical facilities. The measures to be summarized in a resilience plan include preventative measures, physical security, crisis management systems, recovery measures, employee-related security management, and awareness training.

Implementation into German law has failed for now

The directives do not apply directly but must first be transposed into national law by the EU member states. The deadline for this (October 17, 2024) has already passed.

In Germany, the CER Directive was to be transposed into German law through the KRITIS umbrella law, and the NIS-2 Directive through the corresponding implementing act. Under the leadership of the Federal Ministry of the Interior and Community (BMI), negotiators from the SPD, Alliance 90/The Greens, and FDP discussed the government's draft legislation, initially even after the government's collapse in November 2024. However, no agreement was reached, so it will be the task of a new federal government to draft the necessary laws and bring them through the legislative process.

What companies should do now

Although the implementation of the NIS-2 Directive and the CER Directive failed during this legislative period, it can be assumed, not least because of a possible infringement procedure against Germany, that the next federal government will transpose the directives into national law as soon as possible. Even though implementation has come to a standstill for the time being, the companies concerned should not let the time go to waste and should prepare for the expected regulations.

Based on the directives, certain requirements for companies can already be anticipated and their implementation prepared. Companies that have not yet addressed the anticipated impact of the new regulations should promptly review the directives to determine whether they fall within their scope. If so, a risk analysis should be conducted to assess the extent to which existing IT and physical security measures need to be strengthened. It is also advisable to begin developing or adapting internal company guidelines at this stage, outlining responsibilities and defining processes for implementing the obligations expected to be contained in the national implementing legislation.