POSITION | DIGITAL POLICY | CYBERSECURITY
NIS 2 – Amending Directive German Industry’s Position on the European Commission’s Proposal amending Directive (EU) 2022/2555 as regards simplification measures and alignment with the Cybersecurity Act 2 20 April 2026 Executive Summary German industry welcomes the European Commission’s aim to significantly strengthen Europe’s cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening Europe’s cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies. Policy Recommendations The European Commission’s proposal for amending Directive (EU) 2022/2555 represents a constructive step towards improving the current regulatory framework. It introduces important clarifications and promotes a more consistent approach. At the same time, several issues continue to create uncertainty or impose disproportionate obligations on entities. To fully achieve its objectives, further adjustments are needed, such as introducing maximum harmonisation for incident reporting thresholds and timelines, ensuring consistent application of the main establishment principle, enhancing the proposed framework for collecting data on ransomware attacks, introducing more robust liability protection for entities, and maintaining the voluntary nature of European Cybersecurity Certification Schemes. Furthermore, it would be appreciated if the EU would streamline the requirements emanating from NIS 2, the Cyber Resilience Act (CRA) and the Resilience of Critical Entities Directive so that obligations for companies are clear and reporting to different government bodies is suspended. In addition, German industry would appreciate if the co-legislators were to adopt the following targeted changes to the proposal: Amendment to Art. 3(1) (Essential and important entities) German industry supports the introduction of the new category of small mid-cap enterprises and the respective higher threshold for entities falling within the scope of NIS 2. While this increases proportionality, we call for a more risk-based differentiation between essential and important entities to better reflect criticality and reduce unnecessary compliance burdens.
Federation of German Industrie (BDI) Barış Bayrak | Innovation, Security and Technology | T: +49 30 2028-1471 | b.bayrak@bdi.eu | www.bdi.eu Steven Heckler | Innovation, Security and Technology | T: +49 30 2028-1523 | s.heckler@bdi.eu | www.bdi.eu