On July 4, 2025, the Federal Ministry of the Interior invited stakeholders to a public hearing on the NIS2UmsuCG – and we were right in the middle of it. Axel Amelung, Head of Sales at TÜV TRUST IT, attended on behalf of the TÜV Association and shares his impressions here. There was a great need for discussion, and some topics turned out to be more complex than initially expected.
In two rounds of hearings, participants from associations, industry, and public administration engaged in discussions. The following topics and expectations were particularly in focus:
- Less bureaucracy – and as concrete as possible.
- No tightening beyond the NIS-2 Directive.
- More clarity, for example regarding risk management obligations, training, and responsibilities.
- More time for SMEs to implement the new requirements.
- Better coordination with other regulations and ministries, e.g., CRA, critical components, BMDS.
The timeline for implementing the law is ambitious:
- July: Cabinet decision
- From August: Consultations in the Bundesrat
- From autumn: Consultations in the Bundestag
- End of 2025: Entry into force
Whether this will work out in the end remains to be seen. Currently, there is still a lack of shared understanding of key terms.
Overall, the feedback has been rather cautious so far. Many points still seem to be under discussion, responsibilities are partly unclear, and reference was made to the ongoing dialogue with the EU.
Main point of criticism: “Negligible business activity”
This was the term of the hearing – and it continues to raise questions. The new § 28 (3) BSIG-E is intended to define when companies are excluded. The BSI presented two explanatory slides, which were helpful but still leave plenty of room for interpretation.
Axel’s assessment:
“What may be negligible in a large enterprise can be quite critical in an SME. The legislator is aware of the challenge but is still working on better solutions.”
Conclusion: The business community is being heard – but mutual understanding is still lacking in some areas.
Many issues were addressed, but some remained unresolved. Especially on questions that are currently highly relevant for companies, the level of information remains rather vague.
The positive takeaway: The direction is right, and the will to implement is there. What matters now are more concrete details and greater clarity for the next steps.
👉 We’ll keep you posted!