In its coalition agreement, the incoming federal government of CDU/CSU and SPD also sets priorities in the area of cybersecurity. The focus is on the national implementation of existing EU requirements such as the Cyber Resilience Act (CRA) and the NIS 2 Directive, the expansion of the Federal Office for Information Security (BSI) and measures to strengthen digital sovereignty. For companies, this means that the political direction is now set.
Cyber Resilience Act
For the first time, the CRA imposes cybersecurity requirements on products with digital elements, hardware and software alike, across their entire life cycle, from secure design and vulnerability handling through to security updates. As an EU regulation, it applies directly without national transposition. The German government has announced that it will support companies with implementation, especially smaller providers. Compliance nevertheless remains mandatory, including for companies that were previously outside the scope of comparable EU rules. The coalition agreement emphasizes that implementation of the CRA will be politically supported and prioritized at the national level.
Find out more from SKW Schwarz about the Cyber Resilience Act here: EU Commission proposal for a 'Cyber Resilience Act'
NIS-2 and BSI reform
Implementation of the NIS-2 Directive is legally binding and urgent. As a directive, it must be transposed by a national law; the EU deadline for this was 17 October 2024, which Germany has already missed. The coalition agreement makes it clear that the BSI Act will be amended for this purpose. The directive significantly expands the group of obligated companies, bringing in parts of industry, logistics, energy and waste management as well as digital services.
Binding requirements for IT security measures, incident reporting obligations and governance structures will apply in these sectors in future. As part of this, the BSI is to be expanded into the central supervisory authority for cybersecurity with extended responsibilities. Companies that were not previously covered must check whether they will fall under the new obligations and take appropriate precautions now.
Digital sovereignty
The coalition has also announced measures to strengthen digital sovereignty. Among other things, it plans to create a legal basis for excluding providers that are not trustworthy in security-policy terms from sensitive areas. At the same time, European IT infrastructures and open source solutions are to be strengthened in a targeted manner. Against this backdrop, companies should analyze the resilience of their technology supply chains, not only technically but also with regard to regulatory and geopolitical risks.
It is worth noting in this context that the version of the coalition agreement since published by the coalition parties no longer uses the phrase "components from trustworthy countries", but simply "trustworthy components". This shifts the emphasis towards a substantive assessment of the security and integrity of the technology itself, with geographical origin becoming less important.
Find out more from SKW Schwarz on digital sovereignty in the EU here: Digital Decade Update - What's next on the EU's digital regulation agenda?
National cyber security strategy
In addition, the national cybersecurity strategy is to be further developed. The aim is a clearer distribution of tasks between the responsible bodies, better interlocking of existing instruments and a strengthening of strategic security objectives at the federal level. This is also likely to affect the relationship between state supervision and the companies concerned.
In the area of IT security, the new federal government is focusing on enforcing existing European legislation and reforming national structures. For companies, this will result not only in new formal obligations but also in structural requirements for their organization, processes and use of technology. The coming months should be used to review existing systems, clarify responsibilities and align IT compliance with the forthcoming legal requirements.