[Disclaimer] This article is reconstructed based on information from external sources. Please verify the original source before referring to this content.
News Summary
On July 30, 2025, the German federal government, under Chancellor Friedrich Merz, adopted the draft “NIS-2 Implementation and Cybersecurity Strengthening Act” (NIS2UmsuCG). This landmark legislation transposes the EU NIS 2 Directive into German law, significantly expanding cybersecurity obligations from approximately 4,500 to 29,500 companies across various sectors. The law introduces stricter requirements for reporting, risk management, compliance, and regular audits by the Federal Office for Information Security (BSI), which will become Germany’s central cybersecurity authority. The act creates a distinction between “essential” and “important” entities, both subject to specific cybersecurity obligations and sanctions for non-compliance. This move comes in response to a surge in cyber threats, including a 33% increase in ransomware attacks in 2024, with 83% of German businesses affected, causing estimated damages of around 179 billion euros. The legislation is part of Germany’s broader Digital Strategy 2025 and aims to strengthen the nation’s cyber resilience in the face of evolving threats from organized crime gangs, hacktivist groups, and state-sponsored actors.
Source: Bundesregierung (Germany)
Our Commentary
Background and Context
Germany’s adoption of the NIS2UmsuCG comes at a critical juncture in the nation’s cybersecurity landscape. The country has been grappling with an escalating cyber threat environment, evidenced by high-profile attacks such as the July 2024 incident targeting the Federal Office for Cartography and Geodesy (BKG). This new legislation represents a significant expansion of Germany’s cybersecurity framework, aligning it with broader EU directives while tailoring implementation to the country’s specific needs.
Expert Analysis
The NIS2UmsuCG marks a pivotal shift in Germany’s approach to cybersecurity, moving from a relatively limited scope to a comprehensive framework that encompasses a much broader range of entities. This expansion reflects the growing recognition that cybersecurity is not just a concern for critical infrastructure but for a wide array of businesses that play crucial roles in the digital economy.
Key points:
- The law significantly increases the number of companies subject to cybersecurity regulations, from 4,500 to approximately 29,500.
- It introduces a tiered system of “essential” and “important” entities, each with specific obligations and potential sanctions.
- The Federal Office for Information Security (BSI) is empowered as the central cybersecurity authority, enhancing coordination and oversight.
Additional Data and Fact Reinforcement
The urgency of these measures is underscored by recent cybersecurity statistics in Germany:
- Ransomware attacks increased by 33% in 2024, affecting 83% of German businesses.
- Estimated damages from cybercrime reached 179 billion euros in 2024.
- Over 131,000 cybercrime cases were recorded by German police in 2024.
Related News
This legislative move aligns with broader trends in EU cybersecurity policy, including the implementation of the NIS 2 Directive across member states. It also comes in the wake of increased tensions with China over cyber espionage, as evidenced by Germany’s accusation of a “serious” cyberattack by China against the BKG in July 2024.
Summary
Germany’s adoption of the NIS2UmsuCG represents a significant leap forward in national cybersecurity strategy. By dramatically expanding the scope of regulated entities and empowering the BSI, Germany is positioning itself to better address the complex and evolving cyber threats of the modern digital landscape. However, the effectiveness of these measures will depend on their implementation and the ability of businesses to adapt to new regulatory requirements.