There are new developments regarding the implementation of the NIS2 Directive in Germany: After discussions on the transposition of the NIS2 Directive (NIS2) and the CER Directive (CER) stalled earlier this year due to the change in government, the new government has now provided an updated timeline. In addition, the Federal Ministry of the Interior (BMI) published an official new draft of the German implementation law (PDF).
A. What Has Happened?
During the presentation of the Cybercrime Situation Report, the Federal Minister of the Interior announced that the Ministry is targeting June 2025 to advance the legislative process for NIS2. The Head of the Cyber and Information Security Policy Department at the Federal Ministry of the Interior provided further details at the Public IT Security Fair. He indicated that, in an ideal scenario, the NIS2 legislation would be introduced to Parliament in autumn 2025 and published in the Federal Gazette before the end of the year.
On 24 June 2025 the BMI released a new draft of the implementation law. Our initial review indicates that, so far, the changes are relatively limited. However, one notable amendment concerns the controversial German method for calculating quantitative threshold values. Previously, the determination of employee numbers or annual turnover was based on the business activities attributable to the relevant type of critical entity. The new draft now specifies that only business activities deemed "negligible" in relation to the entity’s overall operations should be disregarded when calculating these thresholds.
This change has two significant implications. On the one hand, it considerably broadens the scope of the law’s application compared to earlier drafts. On the other hand, the term "negligible" is not defined in the legislation, which introduces ambiguity and may lead to interpretive challenges for organizations seeking to determine their obligations.
B. What Does This Mean for Your Business?
Based on the statements from the government officials, the earliest possible date for the NIS2 implementation law to take effect is now expected to be late 2025. While some significant changes to the previous draft are still anticipated, the limited time available may mean that these changes are less extensive than previously expected.
The key message for businesses is clear: companies that are within the scope of NIS2, or expect to fall under its requirements, should not wait for the national implementation. Proactive preparation is essential. Companies should begin implementing the necessary cybersecurity risk management measures as soon as possible to ensure compliance and minimize risk.
C. Ongoing Updates and Support
The Emerging Technologies Team at Reed Smith will continue to monitor developments and provide regular updates on the status of the NIS2 Directive, including any new legislative drafts or significant changes. If your organization needs guidance or support with NIS2 compliance in Europe, our team is ready to assist you.