
Enactment of NIS2 leads to enhanced cybersecurity responsibilities for financial institutions such as banks and insurers

Federal government mandates banks to enforce tougher cybersecurity standards in compliance with the NIS2 implementation law.

Germany's NIS 2 Implementation Act Strengthens Cybersecurity for Financial Sector

The German government has taken a significant step towards enhancing cybersecurity with the adoption of the NIS 2 Implementation Act on 30 July 2025. This law extends cybersecurity obligations to around 29,000 companies, including banks, insurers, and other financial service providers [1][3].

Under the new law, these financial entities are required to treat cybersecurity as a strategic management priority and to implement comprehensive risk management measures [3]. Key requirements include establishing a verifiable information security management system (ISMS), conducting thorough risk analyses, maintaining adequate backups, using encryption, performing regular security testing, training staff, and reporting incidents to a designated authority [3][5].

The NIS 2 Act significantly raises the compliance bar beyond prior legislation, broadening the scope to many more companies in the financial sector and beyond [1][3]. This broadening implies intensified regulatory oversight and increased reporting duties, alongside elevated expectations of board-level accountability in cybersecurity risk management [1][2].

Marc Fliehe, Head of the Digitalization and Education Department at the TÜV Association, has commented on the need for affected institutions to prepare for the new requirements in good time, as the obligations will apply without transition periods [6]. He also emphasized the importance of clarification of exceptions and proof obligations, as well as independent certifications [4].

Under the NIS2 directive, technical and organizational protective measures must be implemented according to the state of the art. Notification obligations are significantly expanded: security incidents that significantly disrupt business operations or could affect third parties must be reported to the relevant authorities within 24 hours [4]. A detailed analysis of the incident must be submitted within 72 hours at the latest [4].

The TÜV Association has called on the Bundestag to sharpen the bill at crucial points to increase its effectiveness in practice. The law is long overdue and must be passed promptly in view of the threat situation in cyberspace [7]. The current draft provides a solid foundation, but political will is needed to clarify the open points constructively and quickly in the parliamentary procedure [7].

Companies under the NIS2 directive will be required to systematically analyze, document, and manage cybersecurity risks. The law makes cybersecurity a top priority, requiring companies to implement risk management measures, monitor their implementation, and train themselves in the evaluation and management of cyber risks [2].

However, there is concern that unclear formulations leave companies uncertain about whether they fall under NIS2 [2]. The Bitkom President has expressed this concern, highlighting the need for clarity to ensure a level playing field for all companies [2].

The federal government is currently exempting itself from stricter cybersecurity requirements under the NIS2 directive [8]. This exemption has been met with criticism, with the TÜV Association calling for the government to adhere to the same standards as private sector entities [8].

In summary, the NIS 2 Implementation Act in Germany requires immediate action from banks, insurers, and financial service providers to enhance their cybersecurity frameworks, focusing on integrated risk management and incident transparency. Institutional support is emerging primarily through governmental guidance and specialized consulting services. The law's effectiveness will depend on the clarity provided in the parliamentary procedure and the government's commitment to adhering to the same standards as private sector entities.

References:

[1] Bitkom
[2] Handelsblatt
[3] BSI
[4] TÜV Association
[5] PwC
[6] TÜV Association
[7] Handelsblatt
[8] TÜV Association

For the financial sector, Germany's NIS 2 Implementation Act mandates that financial entities prioritize cybersecurity as a strategic management goal and implement robust risk management measures. This includes establishing a verifiable information security management system (ISMS), conducting thorough risk analyses, securing data with encryption, and performing regular security testing, among other measures [3]. Furthermore, the act is designed to keep pace with technological advances, as financial companies are tasked with implementing protective measures in accordance with the state of the art [4].
