Germany’s implementation of the EU’s NIS2 Directive

While transpositions in many Member States remain stalled, Germany’s is underway, gold-plated with a new power to restrict high-risk components in critical sectors

The Bundestag has approved transposition of the NIS2 Directive into German law

On 13 November 2025, the lower house of the German Parliament (Bundestag) passed the NIS2 Implementation Act, paving the way for the transposition of the EU’s NIS2 Directive into national law. NIS2 establishes new risk management measures and reporting requirements, as well as rules for cooperation, information sharing and the enforcement of cybersecurity measures. Transposition of the Directive would amend a number of other laws in Germany, such as the Federal Act on the Federal Office for Information Security (BSI Act), the Telecommunications Act (TKG) and the Energy Industry Act. The upper house of the Parliament (Bundesrat) will now review the implementing act, and is expected to provide its approval by early 2026 at the latest.

The transposition further empowers the Government to block ‘high-risk’ technology from use across critical sectors

The act enables the Federal Ministry of the Interior (BMI) to restrict ‘high-risk components’ in critical facilities. This provision is unique to the German transposition, going beyond the Directive’s standard requirements. It also reflects the approaches taken by a number of European countries to ban such components in telecoms networks, most notably banning Huawei (and sometimes ZTE) equipment from 5G rollouts. However, by applying this to components in critical facilities, other sectors such as energy, transport and healthcare may be subject to similar restrictions. Friedrich Merz (Chancellor, Bundestag) recently turned his attention to the use of Chinese equipment in telecoms networks, telling a German retail conference that ‘high-risk’ technology would be prohibited from use in the country’s future 6G networks. This would reflect the BMI’s current approach to 5G, which will require operators to stop using all critical components made by Huawei and ZTE in their core networks by the end of 2026. 

The need for digital resilience and security improvements has driven support for the new law

The transposition of the NIS2 Directive strengthens the resilience of key digital processes, which the Bundestag has argued are ineffectively controlled by the current BSI Act, creating national security vulnerabilities. The Bundestag considers that this vulnerability leaves critical parts of the German economy open to cyberattacks. Additionally, in response to the new bill, the Alliance 90/Greens party put forward a parliamentary motion to further codify requirements for digital resilience. The motion calls for the introduction of an umbrella law that establishes a standard for uniform protection and digital security of firms in critical sectors.

Member States have been slow to implement the NIS2 Directive, with most missing deadlines set by the EC so far

Despite increasing cyberthreats, the majority of Member States are yet to transpose the Directive. So far, only seven countries have completed the process. In May 2025, the EC sent reasoned opinions to 19 Member States urging action after they missed the original deadline of October 2024. The EC gave the countries an extra two months to complete their transpositions, a deadline that has since passed with limited visible progress. Nevertheless, several Member States – including Germany – are in the process of passing relevant legislation to implement NIS2, while others such as Finland, Hungary and Latvia have already done so, although this has not been formally recognised by the EC, likely due to its multi-step review process. Once the EC receives a notification of transposition from a Member State, it must then review the relevant piece of legislation, assessing its compliance with the Directive.