The German Federal Government has taken another step forward in the legislative process to implement the NIS2 Directive in Germany. On September 8, 2025, a new draft bill was introduced, marking the beginning of the parliamentary procedure to establish a new legal framework for cybersecurity in Germany. This draft will now be reviewed and debated by the Bundestag, Germany’s federal parliament.
Key Features of the New Draft
The latest draft, available in German here, does not introduce significant changes compared to the previous version. One of the most noteworthy elements is the continued inclusion of a controversial provision regarding the law’s scope of application. Specifically, the draft maintains the rule that only business activities considered “negligible” in relation to an entity’s overall operations should be excluded when determining whether the law applies. This approach has generated considerable debate among stakeholders, with some questioning whether this provision aligns fully with the requirements of the NIS2 Directive.
What’s Next?
It remains to be seen whether this provision will be included in the final version of the legislation. The parliamentary process will offer further opportunities for discussion and potential amendments. Lawmakers and industry representatives continue to express concerns about the draft, particularly regarding its compliance with the NIS2 Directive and its practical implications for affected organizations.
Stay Informed
The Emerging Technologies team at Reed Smith is actively monitoring all developments related to the implementation of the NIS2 Directive in the European Union.
If you would like more information or wish to discuss how these changes may impact your business, please do not hesitate to contact our team. We are here to help you navigate the evolving cybersecurity regulatory landscape in Germany.