NIS2 meets DORA – What changes for financial institutions as a result of the NIS2 Implementation and Adjustment Act (NIS2UmsuCG)?


On 30 July 2025, the Federal Government finally presented the Draft Act for the Implementation of the NIS-2 Directive and for the Regulation of Essential Principles of Information Security Management in the Federal Administration – abbreviated as “NIS2UmsuCG” – to the public. With it, Directive (EU) 2022/2555 (NIS-2 Directive) is transposed into German law, and the existing framework of IT security law is significantly expanded.

For the financial sector, which has been subject to the DORA Regulation (EU) 2022/2554 since 17 January 2025, this raises the question: must NIS-2 still be taken into account, or does a complete exemption apply?


Background: From NIS to NIS-2

The legislative process for the NIS2UmsuCG was unusually protracted. The reason was the collapse of the governing coalition in late 2024 and the subsequent change of government, as a result of which the previously drafted ministerial draft was not pursued further but instead subjected to substantive review and a new political prioritisation. It was only in 2025 that the Federal Ministry of the Interior officially presented the revised draft. Interministerial coordination and consultations with the affected sectors required additional months, so that the cabinet version was adopted only at the end of July 2025. The draft is therefore now before the Bundestag with significant delay, whereas the Union law deadline for transposing the NIS-2 Directive had already expired on 17 October 2024.

The German NIS2UmsuCG is an omnibus act that implements the NIS-2 Directive through comprehensive amendments to numerous existing legal instruments at the national level. Central to it is the complete revision of the Act on the Federal Office for Information Security (BSI Act – BSI-Gesetz, BSIG), which gains new categories of affected entities, expanded minimum requirements, and enhanced supervisory powers. In addition, sector-specific laws such as the Telecommunications Act (Telekommunikationsgesetz – TKG), the Telemedia Act (Telemediengesetz – TMG), the Energy Industry Act (Energiewirtschaftsgesetz – EnWG), the Banking Act (Kreditwesengesetz – KWG), and the Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) are amended in targeted ways to establish cross-references, delineate responsibilities, and clarify the scope of application in relation to the implementation of the NIS-2 Directive. In doing so, the legislator embeds the new cybersecurity standards across sectors within German law.

What is included? IT security becomes a matter for executive management

A core element of the NIS-2 Directive is a catalogue of minimum security requirements for IT systems, harmonised across the Union (Article 21 NIS-2), as well as a three-stage notification procedure for significant security incidents (Article 23 NIS-2: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month). The German government’s draft of the NIS2UmsuCG implements these requirements essentially through amendments to the Act on the Federal Office for Information Security (BSI Act, BSIG).

Particularly important entities (“essential entities” in the terminology of the Directive) and important entities are, under the BSIG-E, inter alia required to register, to report significant security incidents, and to implement comprehensive technical and organisational measures for risk management. These include:

  • Conducting risk analyses,
  • Establishing measures for managing security incidents,
  • Establishing measures to maintain operations, such as backup management and restoration after an emergency,
  • Crisis management,
  • Security of the supply chain, including security-related aspects of the relationships with direct suppliers or service providers,
  • Security measures in the acquisition, development, and maintenance of information technology systems, components, and processes, including the management and disclosure of vulnerabilities,
  • Concepts and procedures for evaluating the effectiveness of risk management measures in the field of information technology security,
  • Regular training and awareness-raising measures,
  • Concepts and processes for the application of cryptographic procedures,
  • Concepts for personnel security, access control, and the management of ICT systems, products, and processes,
  • Use of solutions for multi-factor authentication or continuous authentication, secure voice, video, and text communication, as well as, where applicable, secure emergency communication systems.

Moreover, the new BSI Act (BSIG-E) expressly elevates cybersecurity to a responsibility of executive management: the management of the affected entities must not only implement risk management measures, but also continuously monitor their effectiveness, and is obligated to undergo training in the assessment and management of cyber risks.


Lex specialis – Relationship between NIS-2 and DORA

For financial institutions that have been subject, since 17 January 2025, to the directly applicable Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), the question arises as to the extent to which the new requirements under the NIS2UmsuCG apply to them. The government draft of the new BSI Act (BSIG-E) provides an explicit lex specialis rule for this: pursuant to Section 28 (6) BSIG-E, the provisions on ICT risk management and on reporting obligations (Sections 30, 31, 32, 35, 36, 38 and 39 BSIG-E) do not apply to financial entities within the meaning of Article 2 (2) DORA, nor to undertakings to which DORA requirements apply by virtue of the references in the German Banking Act (Section 1a (2) and (2a) KWG) or the German Insurance Supervision Act (Section 293 (5) VAG). DORA therefore takes precedence as lex specialis over the corresponding requirements of the BSIG.

Attention: No complete exemption

This statutory clarification avoids double regulation and ensures that financial institutions fulfil their compliance obligations in the area of ICT risk management and incident reporting exclusively in accordance with DORA. However, it does not amount to a complete exemption from all NIS-2 obligations. The lex specialis clause covers only the area governed by DORA, namely ICT risk management and reporting obligations in the event of ICT incidents. Other obligations under the BSI Act (BSIG), such as the registration requirement under Section 33 BSIG-E or the general cooperation and disclosure obligations vis-à-vis the Federal Office for Information Security (BSI), may therefore still apply to financial institutions if they are classified as a “particularly important” or “important” entity.


Scope of Application as an “Important Entity”

Whether a company receives this classification depends on qualitative and quantitative thresholds. A financial institution classified as critical infrastructure (KRITIS) falls within the scope of the Draft BSI Act (BSIG-E) in any event. Outside of KRITIS, it may also qualify as an “important entity” if it meets the size threshold, that is, if

  1. it has at least 50 employees, or
  2. its annual turnover and its annual balance sheet total each exceed EUR 10 million;

and, in addition,

  3. it operates in one of the sectors listed in Annex 1 or Annex 2 of the Draft BSI Act (BSIG-E).

Note that the two size criteria are alternatives: either headcount or the combination of turnover and balance sheet total suffices, whereas the sector criterion must always be met as well.


Recommendations for Action for Financial Institutions

For practical purposes, this means that financial institutions, while largely exempted from the core obligations of the NIS-2 Directive due to the overriding applicability of DORA, must nevertheless carry out a thorough assessment of the remaining obligations not covered by the lex specialis rule. In particular, affected institutions should clarify at an early stage whether they are subject to the registration requirement and, where appropriate, review their security measures against the minimum security requirements set out in Sections 28 et seq. of the Draft BSI Act (BSIG-E). This is advisable because, although substantial substantive alignment with the DORA requirements is likely, identical compliance in every detail cannot be assumed.

What’s next?

The legislative process for the NIS2UmsuCG is now in the parliamentary stage. Changes to the scope, obligations, or thresholds are therefore still possible. For financial institutions that fall under DORA, the NIS2UmsuCG does not entail a duplicate implementation obligation in the area of ICT risk management and incident reporting. Nevertheless, affected companies should follow the legislative process closely, since further obligations may still apply and they will need to respond promptly to any new or amended requirements.
