The efforts to implement the NIS2 Directive (NIS2) and the CER Directive (CER) have finally failed. Representatives from the German governing parties - “Die Grünen”, “SPD” and “FDP” - announced that negotiations have broken down and an agreement is no longer attainable.
Until the very end, there was still (a slight) hope that the current German government would be able to agree on a transposition law, given the critical importance of these directives for German companies and the ongoing infringement proceeding initiated by the European Union (EU). However, this hope has now vanished, leaving considerable legal uncertainty for companies operating in Germany.
A. Background
The NIS2 establishes a unified legal framework for cybersecurity across the European Union. Compared to the previous NIS1 Directive, the NIS2 significantly expands the scope and obliges companies in various business sectors to take comprehensive risk management measures.
Complementing the NIS2 is the CER, which aims to mitigate vulnerabilities and enhance the physical resilience of critical entities within the EU. CER is often neglected in the public debate due to its arguably narrower range of applications.
As directives, both NIS2 and CER must be transposed into national law by the member states to become effective. The deadline for this transposition was October 17, 2024. In Germany, the implementation was to be carried out through the NIS2UmsuCG and the KRITIS-DachG. However, Germany, along with some other member states, missed this deadline, prompting the EU Commission to initiate infringement procedures against these countries.
B. Outlook
Many companies are now left wondering about the next steps. The responsibility for implementing the NIS2 and CER now falls to the future federal government. It is highly likely that the new draft will include some modifications within the scope of the two Directives, as experts were not fully happy with the latest draft. However, the timeline for the actual passage of the law remains uncertain. Given the infringement procedure, it is expected that the implementation will be prioritized. Nevertheless, we expect the earliest possible adoption to be in the third quarter of 2025. Companies that are in scope of NIS2 or expect to be in scope should not wait for the implementation of NIS2 into national law, but should aim to implement the cybersecurity risk-management measures in accordance with Art. 21 NIS2.
The Emerging Technologies Team at Reed Smith will keep you updated on all developments. Stay tuned!