German Cabinet approves new cybersecurity guidelines

The German government on Wednesday initiated new European guidelines for cybersecurity in the economy, affecting 29,500 companies in Germany, from sectors as varied as energy, health, transport and digital services.

The lower house of parliament, said the Bundestag, still needs to approve the new guidelines.

Under the new framework, all affected companies would need to establish protective measures such as risk analyses, emergency plans, backup concepts or encryption solutions.

The extent of the precautions is said to depend on the significance of the facility.

The guideline stipulates that if a company becomes a victim of a cyberattack, it will have to report this within 24 hours, provide an update after 72 hours, and submit a final report within a month, according to the rules.

The Federal Office for Information Security in Bonn is to receive more supervisory powers under the changes, in cases of serious violations, it could impose fines.

In addition to implementing the EU’s NIS-2 directive on enhanced cybersecurity, the Interior Ministry is working on what it calls the KRITIS Umbrella Act.

The act concerns the physical protection of critical infrastructures, such as facilities for electricity and water supply or the health system.