VDA Statement regarding NIS-2 Implementation Act
Statement
A VDA Spokesperson:
The goal of the NIS-2 Directive is fundamentally sound and correct: Europe's cyber resilience must be strengthened. And with regard to the planning certainty urgently needed by companies, it is good that the NIS-2 Implementation Act has finally been passed. However, there are clear points of criticism regarding its content.
The crucial point is that the implementation of the law remains manageable for companies in practice. Especially given the current economic situation, businesses must not be burdened with additional bureaucracy or excessive regulations. Only in this way can the safety and competitiveness of the automotive industry be reconciled. However, there is still significant room for improvement regarding practical manageability, particularly concerning administrative relief and a clear, comprehensible design of the requirements.
In the future, the Federal Ministry of the Interior will be able to decide on critical components in a two-stage process. It is important that these decisions are made transparently and quickly in order to avoid lengthy approval processes. Only in this way can the planning certainty needed by the industry be achieved.
The VDA continues to strongly reject stricter deadlines and extended managerial liability beyond EU regulations, as currently enshrined in law. These measures place an unnecessary burden on companies. Instead, clear rules for the delegation of tasks, safe harbor solutions, and a fair liability framework that ensures legal certainty are needed.
It is positive that, in addition to the ministries, the entire federal administration is now more closely involved in the directive. For the concrete implementation of the law, the following now applies: The federal government should create a coordinated information network that provides for clear responsibilities and established decision-making processes. This will accelerate procedures and ensure greater uniformity in implementation. Unilateral national actions or multiple required reports must be avoided at all costs. Furthermore, it should be possible for corporate groups to consolidate reports in order to minimize the bureaucratic burden. A 'one-stop shop' procedure that also allows reports in English would significantly reduce the workload for companies. Reporting procedures should also be designed to be fully digital and interoperable.
To implement risk management obligations, the Federal Office for Information Security (BSI) should provide clear, practical, and, where possible, binding guidance early on, so that companies can adapt their processes in a timely manner. This will ensure a uniform and practical implementation. The BSI needs increased resources to achieve this.
Furthermore, it should be possible to initiate security checks for security-critical employees ('core personnel') in order to ensure the protection of sensitive information and systems.
With a view to future requirements under the Cyber Resilience Act and the EU Commission's 'ICT Supply Chain Toolbox', practical and objective criteria as well as sufficient transition periods are needed. It is crucial that these regulations complement each other and that no redundant or contradictory requirements arise.
Press Office
Lena Anzenhofer
Spokesperson with focus on security, digitalization, production & logistics