Germany is likely to have a new government soon. On November 6, 2024, the so-called Traffic Light Coalition collapsed, possibly leading to new elections in March 2025. While Chancellor Scholz announced that certain key legislative proposals shall be seen through, he did not mention any from the digital sector. Without enactment, many of these initiatives will lapse with the legislative period’s end, impacting several digital agendas. We summarise the likely consequences for upcoming initiatives.
Cyber and infrastructure security
The planned proposals on cyber and infrastructure safety are particularly affected. The following laws should have been transposed into national law by 17 October 2024. Due to the end of the coalition and ongoing discussions, their implementation in this legislative period is uncertain.
- NIS2 Implementation Act (NIS2UmsuCG): This proposal aims to transpose the EU's NIS2 Directive into national law and tighten cybersecurity requirements for businesses and public institutions. It expands the range of sectors and companies subject to cybersecurity requirements, introduces stricter IT security and reporting obligations, and increases penalties for breaches. A hearing was held in the Digital Committee of the German Federal Diet on 6 November and further discussion is needed. Entry into force in March 2025 is theoretically possible, but seems unlikely due to the political situation.
- KRITIS Umbrella Act (KRITIS DachG): This proposal has not yet been discussed in parliament and is therefore unlikely to be passed. It aims to make the physical protection of critical infrastructure mandatory. It lays down cross-sectoral minimum requirements for resilience measures and reporting obligations in the event of disruptions. The latest version focuses on reducing the burden on business by reducing compliance costs and avoiding duplication of regulation. Harmonisation with NIS2 and the EU DORA regulation relevant to financial institutions has been undertaken. Responsibilities have been adjusted and equivalent security requirements recognised under specific legislation. Despite this progress, it is highly unlikely that the legislation will be adopted in this parliamentary term.
Therefore, companies may have won time with regard to implementation. However, they should make the most of it: Surveys show that many companies are not yet sufficiently prepared for the increasing, future security requirements.
Other laws that are unlikely to be passed:
Some digital law proposals are already being discussed in parliament. However, they are at an early stage. Hence, they are unlikely to be passed before the next election.
- Mobility Data Act: The aim is to encourage the provision and re-use of travel and transport infrastructure data on fair terms. Vehicle data is excluded.
- Act to Accelerate the Expansion of Telecommunications Networks (Telecoms Network Expansion Acceleration Act): In addition to the creation of an information portal for the expansion of fibre optic and mobile networks, the aim is to increase transparency, reduce bureaucracy and enable more efficient administrative action. To this end, changes are planned to speed up approval procedures. Regulations on the collection and use of data by the Federal Network Agency are also planned.
- Amendment of the Federal Data Protection Act (BDSG): The aim is to institutionalise and formalise the "Data Protection Conference", an association of the data protection authorities of the federal states and the federal government, which is currently only de facto and legally hardly formalised. Companies and research institutions acting as joint controllers should be able to report to a single state data protection authority.
- Employee Data Protection Act (BeschDG): This proposal aims to regulate the legal framework for employee data protection in a separate law. Typical processing situations in the employment space should be defined and regulated. Performance monitoring and the use of AI in the work environment are among the topics covered by the recently published draft.
- Act on the Implementation of the Data Governance Act (Data Governance Act - DGG): The long-delayed implementing law for the EU Data Governance Regulation was intended to introduce administrative offences and supervisory provisions.
Planned legislation that is unlikely to be passed:
- National implementing law for the AI Act: The EU AI Act, which came into force in August 2024, requires certain implementation measures at national level. For example, it sets a one-year deadline for setting up the necessary authority structures. Given the current political situation, it may not be possible to determine the responsible authorities in time, although there is broad political support for the Federal Network Agency to be responsible for the AI Act.
- Research Data Act (FDG): Access to research data for public and private research should be comprehensively improved and simplified. It is now unlikely to be passed in this legislative period.
- Quick freeze: A draft law on the storage of IP addresses to combat serious crime has been on the table since mid-October. Due to the collapse of the coalition and the resulting delay, it is also unlikely to proceed in the near future.
- eIDAS Implementation Act II: The aim of this law is to create the conditions for the effective implementation of the updated eIDAS regulation. Among other things, it provides for a European wallet for a digital identity. This identity will be established as a cross-border means of identification for citizens and businesses. There will also be new trust services such as the issuance of electronic attribute certificates and electronic archiving. So far, however, there is only a draft law.