Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!