Cologne, June 12, 2025 / updated on June 27, 2025
On June 5, 2025, the AG KRITIS published a new – unofficial – draft titled “Draft Act for the Implementation of the NIS-2 Directive and for Regulating Key Principles of Information Security Management in the Federal Administration” (dated May 26, 2025). On June 23, 2025, the Federal Ministry of the Interior (BMI) released another revised draft (now again referred to as NIS2UmsuCG) and sent it to various associations. These were invited to submit comments and participate in a stakeholder hearing on July 4, 2025.
We at TÜV TRUST IT were also invited to take part in the hearing and will be able to share first-hand insights from the discussions.
Big surprises? Not really. But it’s all about the details – and those will be crucial in the implementation.
What’s new in the draft from June 23, 2025 – The three key points:
§ 28 (3) BSIG-E: “Negligible business activities”
The previous option to exclude certain employees when classifying an entity has been replaced: going forward, "negligible business activities" are to be disregarded instead. What exactly qualifies as negligible remains unclear; the explanatory memorandum refers only to "minor secondary activities". A legal opinion on the question is already circulating, which itself highlights the lack of legal certainty. The risk: entities could use the exception to argue themselves out of scope, effectively weakening the NIS-2 requirements.
§ 30 (2) BSIG-E: Removal of the term “cyber hygiene”
The vague term “cyber hygiene” has been removed – understandably, given its ambiguity. However, this also eliminates some of the requirements originally associated with it. Whether this is a meaningful clarification or a problematic softening remains to be seen.
§ 5c EnWG-E: More influence for the BSI in the energy sector
A significant change affects the energy sector: going forward, the Federal Network Agency (BNetzA) may only issue IT security catalogs in agreement with the Federal Office for Information Security (BSI) – previously, mere consultation was sufficient. A seemingly small change that significantly strengthens the BSI’s role and strategic position in energy infrastructure.
What the leaked draft changes – and why it matters:
Closing gaps for telecom providers
A loophole has been closed to ensure that all telecom providers are classified at least as critical entities. Those who previously felt unaffected should now reassess.
Less room for interpretation in risk management measures
The minimum risk management requirements have been reworded as well: no additional obligations, but clearer wording on what the existing ones cover. Less ambiguity, more clarity.
Stakeholder hearings become mandatory
What was previously at the discretion of the BMI will now require formal involvement of industry stakeholders. Associations must be officially consulted when regulations are issued. A small step for lawmakers, a big one for those affected.
Politically?
If the ministries involved reach an agreement, the draft could go to the cabinet before the summer break, with parliamentary proceedings beginning in the fall. Entry into force by the end of 2025 or in early 2026 is therefore quite realistic.
Surprisingly, the newly established Federal Ministry for Digitalization and State Modernization is not mentioned at all in the current draft.
Our conclusion:
Those hoping for major headlines will be disappointed.
Those hoping for leaner requirements – likewise.
The two drafts don’t bring a revolution – but they do bring new clarifications. And also new uncertainties.
And that’s exactly what matters now:
Is my company affected?
Are our processes sufficient – or do we just think they are?
We’ll provide answers in our webinar:
“Pressure to act due to NIS-2 – act now instead of waiting!”
For everyone who wants to understand what the law means in practice – and what it doesn’t.
Register here now.