Germany is strengthening the protection of its digital and physical infrastructure. After a brief round of deliberations, the Bundestag approved a law that aligns German legislation with the European NIS2 directive and establishes unified rules for managing information security across all federal agencies. The bill was supported by the CDU/CSU, AfD, and SPD; the Greens voted against it, while the Left Party abstained.
NIS2 represents a sweeping update to the European Union’s cybersecurity framework. The directive requires member states to impose stricter obligations on companies and institutions deemed critical — from energy and transport to telecommunications, healthcare, and public services. Its core objective is to ensure that all EU countries operate under comparable standards and can withstand major cyberattacks without descending into chaos or suffering prolonged disruptions.
The law adopted in Germany expands the range of companies now required to comply with these rules. Many of them have never before been subject to oversight and will, for the first time, face formal obligations to manage risks, maintain technical records of incidents, and report cyberattacks according to a structured procedure. Germany’s reporting system is also being modernized: instead of a single notification, a three-stage scheme is introduced — an urgent alert on the incident itself, an interim update, and a final report. This model, developed at the EU level, is intended to speed up responses to attacks even when full details are not yet available.
The Federal Office for Information Security (BSI) will receive a broader set of tools, including the authority to conduct audits, assess the quality of protective measures, and require remediation of identified vulnerabilities. For the first time, a unified point of coordination will be established within federal ministries — the office of the CISO Bund. This specialist will be responsible for shaping common standards, ensuring more consistent inter-ministerial cooperation, and helping institutions implement a comprehensive risk-management framework.
The German government stresses that threats to critical infrastructure have become one of the most significant risks facing Europe. The European Commission ranks them among the most severe challenges, on par with climate-related disasters and geopolitical instability. Previously, Germany relied on a patchwork of fragmented regulations and recommendations that did not always offer a consistent level of protection across agencies. The new rules aim to eliminate these disparities and render the country’s defenses more predictable and systematic.
In parallel, lawmakers have begun discussing a proposal from the Greens to introduce a dedicated, unified law on critical infrastructure protection. Their idea is to replace the complex mosaic of existing regulations with a single legal framework that integrates both physical and digital security under one umbrella. Such a structure would simplify the definition of what constitutes a critical asset, introduce minimum nationwide standards, and create a unified system for monitoring security breaches.
The Greens place particular emphasis on small and medium-sized enterprises. Many of these companies have never before been required to comply with critical-infrastructure standards and now risk being overwhelmed by bureaucracy and demanding technical obligations. The party proposes establishing a single supervisory contact point for all security inquiries, as well as a support and advisory system, so that businesses are not left alone with these new expectations.
Both the newly adopted law and the opposition proposal illustrate Germany’s efforts to build a coherent security architecture in which government bodies, private enterprises, and regional authorities operate under uniform and comprehensible rules. As cyberattacks continue to grow in number and complexity, the country needs protection for critical infrastructure that no longer depends on the sector or the individual institution involved, but instead becomes a national standard.