NIS-2: TeleTrusT vs. IT Planning Council

The NIS-2 Directive of the European Union will significantly increase the overall level of cybersecurity in the EU. The directive envisages an expansion of cybersecurity regulations to new sectors and institutions, aiming to improve the resilience and response capabilities of public and private entities, authorities, and ultimately the EU as a whole (https://digital-strategy.ec.europa.eu/).

The IT Planning Council, a steering committee that coordinates cooperation in the field of information technology between the federal and state governments in Germany, recently decided not to extend the scope of the NIS-2 Directive to include local public administration institutions and educational establishments (https://www.it-planungsrat.de/).

TeleTrusT, a leading German competence network for information security that unites members from various sectors such as industry, consulting, administration, and science, has now challenged this decision in an open letter. TeleTrusT is calling on the IT Planning Council to reconsider its decision on the limited implementation of the NIS-2 Directive (https://www.teletrust.de/).

While federal-level legislation is being developed to implement the NIS-2 Directive, it is the responsibility of the federal states to create or adapt their own IT security laws to also include institutions of public administration at the regional and local levels, as well as educational establishments.

The criticism from TeleTrusT and the co-signers of the open letter regarding the IT Planning Council’s decision to exclude certain institutions from the NIS-2 Directive is entirely justified.

In particular, municipalities and educational institutions should be included in the legal requirements for IT security to ensure a uniformly high level of IT security throughout Germany. By excluding these institutions, the IT Planning Council's decision could significantly hinder their constructive participation in addressing the challenges of IT security.

At the same time, the rejection of regulation, possibly also motivated by practical implementation difficulties, raises doubts about whether IT security could be effectively achieved on a voluntary basis without such regulation.