Adoption failed – What's next for the NIS2 Implementation Act and the KRITIS Umbrella Act?

For a long time, there was still a struggle for a solution, but now it is clear: The negotiations in the Bundestag on the two planned drafts of the NIS2 Implementation Act and the KRITIS Umbrella Act have failed. Both laws will therefore no longer be passed in the current legislative period. In the following, an overview will be given of how the implementation of the underlying European requirements will continue and what companies should be prepared for.

What does the failed adoption of the laws mean?

In view of the failed adoption of the two implementing laws, it is now finally clear that the requirements of the NIS2 Directive and the CER Directive will not be transposed into German law until further notice. At the same time, however, this does not mean that the implementation of the two directives is now finally on hold. On the contrary, since the NIS2 Directive and the CER Directive are European requirements, they must be transposed into German law.

It will therefore be the task of the next federal government to transpose the requirements of the two directives into German law. In this respect, it remains to be seen whether the next federal government will take up the current implementation drafts again or enter the legislative process with completely new implementation drafts. In any case, however, the drafts must be reintroduced into the newly constituted Bundestag, discussed and then adopted.

When this will finally be the case cannot be realistically assessed at present. Either way, however, a further, considerable delay is to be expected until the European requirements of the NIS2 Directive and the CER Directive will apply directly in Germany. Some experts expect that the implementation will not take place until the end of this year. However, there is no reliable assessment of this.

What should companies pay attention to now?

At first glance, potentially affected companies should breathe a sigh of relief for the time being. True to the motto "Postponed is not canceled", however, companies should not remain idle, but should continue to keep a close eye on further developments and use the additional time gained effectively to prepare for the upcoming requirements. The question is not whether the new European requirements will be implemented in Germany, but only at what point in time.

In this respect, companies are recommended to continue to deal with the question of whether they fall within the scope of the NIS2 and CER Directives and, if this is the case, which requirements they (will) have to implement in concrete terms. This applies in particular to the implementation of technical and organizational security measures. In this respect, it is currently advisable to orient oneself both to the European requirements in the two directives and to the current implementation drafts.