Cabinet Decision on NIS 2

Andrea Gillhuber

TÜV-Verband welcomes NIS 2 Implementation, but calls for Improvements

The German Federal Cabinet has passed the national implementation law for the European NIS 2 Directive. The TÜV-Verband sees this as an important step towards greater cyber security, but is calling for changes to exemption rules, verification requirements and implementation in practice.


With today's cabinet decision to transpose the European NIS 2 Directive into German law, around 30,000 companies will have to comply with stricter cybersecurity requirements in future. The TÜV-Verband supports the draft in principle, but sees a need for improvements.

"Germany is the target of hybrid attacks and cyberattacks on companies, critical infrastructures and political institutions are a daily occurrence. The transposition of the NIS-2 Directive into national law is an important step towards improving cyber security in the German economy. The law is long overdue and must be passed quickly in view of the threat situation in cyberspace," said Marc Fliehe, Head of Digitalization and Education at the TÜV-Verband.

In the view of the association, there is a particular need for action on the following points:

  1. Unclear exemptions: The exemption for "negligible" business activities provided for in the law is too vague. The term is not explained in more detail, which could lead to legal uncertainty and potential circumvention of areas subject to regulation. The association is calling for a clear definition in line with European law.
  2. Specify obligations to provide evidence: According to the TÜV-Verband, the current implementation only provides for random case-by-case inspections. This fails to achieve the goal of regular inspections. The association also criticizes the planned extension of the verification periods for operators of critical infrastructures from two to three years. Fliehe described this step as "more than counterproductive" in view of the threat situation.
  3. Strengthen independent certifications: In order to create trust in the implementation of security measures, the association proposes the mandatory involvement of independent, accredited conformity assessment bodies in the verification process.
  4. Specify supply chain security: The association calls for binding guidance so that companies can implement requirements such as "security by design" in a practical manner. The aim is to reduce room for interpretation and create legal clarity.

The NIS 2 Implementation Act obliges companies to put in place, among other things, risk analyses, security concepts, IT incident management measures, encryption, access controls, training and emergency plans. The requirements depend on the size, sector and criticality of the company and must correspond to the "state of the art".
