The digital threat landscape in Germany is steadily worsening, and the Federal Government is responding:
The Federal Cabinet adopted a new IT Security Act on 30 July 2025, which is intended to fundamentally strengthen cybersecurity in Germany.
The law transposes the second European Directive on network and information security (NIS 2) into German law and comprehensively modernises the existing IT security legislation. Around 29,500 companies from critical sectors are now affected.
Who is affected?
The new law significantly extends the group of obligated entities. In addition to the previous operators of critical infrastructures (KRITIS), so-called ‘important’ and ‘particularly important’ facilities are now also in scope.
The approximately 29,500 affected companies come from the following sectors:
- Energy
- Healthcare
- Information technology and telecommunications
- Transport and traffic
- Water
- Food
- Finance and insurance
- Municipal waste disposal
This significant expansion of the scope of application shows how seriously the Federal Government is taking the cyber threat. The affected industries form the backbone of the German economy and must be particularly well protected, since cyberattacks on them can have far-reaching social consequences.
Specific requirements for companies
Preventive protective measures
All affected companies will in future have to establish comprehensive security measures:
- Risk analysis: Systematic assessment of cyber threats
- Contingency plans: Prepared emergency response strategies
- Backup concepts: Secure data backup and recovery procedures
- Encryption solutions: Protection of sensitive data through cryptography
The extent of the required protective measures depends on the importance of the respective facility, which maintains a balance between security requirements and practical feasibility.
Strict reporting requirements in case of emergency
In the event of a cyberattack, strict reporting deadlines will apply in the future:
- 24 hours: Initial notification of the incident
- 72 hours: Interim report with initial findings
- One month: Full final report
This reporting chain is designed to enable a quick response and help other companies protect themselves from similar attacks.
Extended powers for the BSI
The Federal Office for Information Security (BSI) is given significantly extended supervisory powers by the new law. In the future, the authority may:
- Support companies in the implementation of security measures in a more targeted manner
- Actively monitor compliance with security standards
- In the case of serious infringements, impose fines based on the annual turnover of the companies
This strengthening of supervision is intended to ensure that the new rules do not remain on paper only but are implemented consistently. The BSI already provides extensive information, including a digital self-assessment tool, so that companies can determine at an early stage which regulations apply to them.
Political classification
Federal Minister of the Interior Alexander Dobrindt stressed the importance of the law: “With the new law, we are creating a significantly higher level of security for our economy and administration. Businesses and governments are becoming more resilient to cyberattacks. We rely on clear rules without unnecessary bureaucracy.”
The direction is clear: Companies should be able to reliably maintain their important services even in an emergency, for the benefit of society as a whole.
Outlook: KRITIS umbrella law and better protection of the federal administration
In parallel with the NIS-2 implementation, the Federal Ministry of the Interior is preparing the next big step: a so-called KRITIS Umbrella Act. For the first time, it will set cross-sectoral minimum standards for the physical protection of critical infrastructure, an important complement to the digital security measures. Sectors such as electricity, water, health and food are the focus.
In addition, the federal administration itself is to be better protected, in order to lead by example and make its own IT systems future-proof.
Conclusion: A necessary step in turbulent times
The new IT security law comes at a critical time. Cyberattacks on critical infrastructure are on the rise worldwide, and Germany cannot afford to be unprepared. With the implementation of the NIS 2 Directive, the Federal Government closes important security gaps and finally sets the course for a more resilient digital future.
For the companies concerned, this initially means additional effort, but in the long term also more security and greater trust in their digital processes. The Bundestag still has to approve the bill, but given the broad political support for stronger cybersecurity, it can be expected to be adopted soon.
The digital transformation of our society requires not only innovation, but also security. With this law, Germany is taking an important step in the right direction.
Sources: bmi.bund.de | it-fachportal.de | cio.de | nis2-navigator.de | bsi.de