Cybersecurity requirements for businesses from 2026
Protection of critical infrastructure and companies against cyberattacks to be enshrined in law.

Berlin (dpa) – The Federal Government plans to enshrine in national law, by early 2026, an EU directive mandating the protection of critical infrastructure and businesses against cyberattacks. “The Federal Ministry of the Interior is currently giving this top priority,” said Claudia Plattner, President of the Federal Office for Information Security (BSI), in an interview with dpa. “I’m hopeful we’ll manage to have it in force by the beginning of 2026.” According to the Ministry of the Interior, the draft legislation – which includes obligations such as conducting risk assessments and reporting security incidents – was submitted to Germany’s federal states and relevant associations for consultation in early July.
The aim of implementing the EU’s NIS 2 Directive is to increase cybersecurity across companies and institutions. The law defines “critical infrastructure” as including larger companies in sectors such as energy, transport, drinking water, food production, wastewater management and telecommunications. The idea behind it is that if such organisations were no longer able to operate – for instance, if a hacker encrypted their data or blocked access to it – the consequences for the population would be severe. The obligation to implement specific cybersecurity measures for defence and incident response is expected to apply to around 29,000 companies – significantly more than at present.