Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 17 December 2024

  • omnibus — all personal data
  • sector-specific — e.g., financial institutions, governmental bodies
  • constitutional

What are the key data privacy laws and regulations?

Last review date: 17 December 2024

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

What are the key cybersecurity laws and regulations?

Last review date: 17 December 2024

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

There is no omnibus law on cybersecurity in Germany. However, IT security requirements and notification requirements that are relevant to cybersecurity can be found, in particular, in the following laws:

  • EU General Data Protection Regulation
  • There is a draft bill to implement the NIS2 Directive (EU 2022/2555); however, the future of this bill is unclear.
  • There is also a draft bill to implement the Critical Entities Resilience Directive (EU 2022/2557); however, the future of this bill is unclear.

Sector-specific, e.g.:

  • Act on the Federal Office for Information Security, which, inter alia, implements the NIS Directive (this Act will be significantly amended in the future in the context of transposing the NIS2 requirements)
  • Telecommunications Act (in the future, it is intended to transpose certain provisions of the NIS2 Directive as applicable to telecommunications operators)

What are the key laws and regulations relating to non-personal data?

Last review date: 17 December 2024

We are not aware of non-sector-specific national laws relating to non-personal data. However, certain sector-specific national laws such as the Telecommunication Digital Services Data Protection Act also cover non-personal data, e.g., traffic data in the telecommunications context as well as requirements in relation to information on end user equipment.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 17 December 2024

In September 2023 the Federal Ministry of the Interior and Community published a first draft law amending the German Federal Data Protection Act. The draft focuses inter alia on the role of the German Data Protection Conference. The draft law was introduced into the official legislative process as a government bill at the beginning of 2024. The future of this draft bill is unclear.

There is a draft bill to implement the NIS2 Directive (EU 2022/2555), which would, inter alia, amend the Act on the Federal Office for Information Security and the Telecommunications Act. However, the future of the draft bill is currently unclear.

There is also a draft bill to implement the Critical Entities Resilience Directive (EU 2022/2557); however, the future of this bill is unclear.