Data Protection lawyers with 50+ years of experience

Free initial consultation
/insights

Updated Thursday, November 30, 2023

Updated Thursday, November 30, 2023

New requirements for cyber security in Germany - the NIS2-Implementation Act

Germany must transpose the NIS2 Directive into national law by 17 October 2024. In this article, we provide an overview of the current status based on the discussion paper of the Federal Ministry of the Interior and for Europe on the implementation of the NIS2 Directive in Germany dated 27 September 2023.

Boris Arendt

Salary Partner (Attorney-at-law)

Jakob Riediger

Scientific Research Assistant

Scope of applicability
Risk management measures
Reporting obligations
Registration and information obligations
Personal liability of the management?
Training obligations of the management
Sanctions
Outlook

Get assistance from our lawyers

Data Protection compliance can be complicated. Let our experienced team simplify it for you.

Free initial consultation

The background to the increased cybersecurity requirements is the EU's response to the increased threat of cyber-specific threats. The aim is to ensure resilience and economic functionality within the EU and thus indirectly to strengthen public order.

In addition to specific sector- or product-specific requirements at EU level, such as the Cyber Resilience Act ("CRA") or the Digital Operational Resilience Act ("DORA"), this is to be achieved in particular through the expansion of business-related cybersecurity requirements.

Following the NIS Directive ("(EU) 2016/1148") of 2016, which was implemented in Germany by the IT Security Act, the EU adopted the NIS 2 Directive ("(EU) 2022/2555") on February 14, 2022. As a directive at the Union level, the provisions are not directly applicable in Germany, but must be transposed into national law. Implementation is required by October 17, 2024.

In Germany, this will take place within the framework of the NIS2 Implementation Act (hereinafter referred to as "NIS2-UmsG"). After drafts dated April 3, 2023 and July 3, 2023, this is currently available in the form of a discussion paper dated September 27, 2023.

The NIS2-UmsG adapts existing national regulations. The Act on the Federal Office for Information Technology (“BSIG”) will be completely revised and expanded. Other regulations, such as the Energy Industry Act, will also be amended.


Scope of applicability

The criterion for the scope of cybersecurity measures required for companies is the criticality of a particular facility. The NIS2-UmsG thus follows a risk-based approach.

The scope of application of the law essentially results from § 28 NIS2-UmsG, which differentiates between "important", "particularly important" facilities and "operators of critical facilities" . This results in the following differentiation:

CategoryExplanationSupplementary
particularly important facilitiesEntities that fall under sectors from Annex 1 with more than 250 employees or more than €50 million in turnover and a balance sheet of more than €43 million. In addition, special cases such as qualified trust providers; top level domain name registries or DNS service providers.
important facilitiesFacilities that fall under sectors from Annex 1 and 2 with either more than 50 employees or more than €10 million turnover and balance sheet In addition, certain trust service providers.
critical installationsInvestment in the following sectors: energy, transportation/transport, finance/insurance, health, drinking water/wastewater, food, IT and telecommunications, space or waste disposal.Detailed provision qua statutory order, § 57 (4) NIS2-UmsG.

Annex 1 (sectors with high criticality) and Annex 2 (other critical sectors) can be found in the discussion paper, page 26 et seq.

In summary, it is clear that the thresholds have been lowered compared to the previous KRITIS classifications, which expands the scope of application of the NIS2-UmsG.

Special features apply to certain financial and insurance companies. While they are exempted from the scope of application of important and particularly important institutions pursuant to § 28 (1) and (2) NIS2-UmsG, they are expressly included in the sectors of critical facilities pursuant to § 28 (5) NIS2-UmsG. Regarding companies from the financial sector, the special requirements of the DORA should be noted in this regard.


Risk management measures

§ 30 NIS2-UmsG manifests risk management measures for important and particularly important institutions. According to § 30 (1) NIS2-UmsG, these are obliged to "take appropriate, proportionate and effective technical and organizational measures to avoid disruptions (...) and to minimize the impact of security incidents."

As part of the proportionality of the measures, the extent of the risk exposure, implementation costs and the size of the facility must be taken into account. Measures implemented should comply with the state of the art and be based on a cross-hazard approach.

§ 30 (2) NIS2-UmsG provides with a catalog of measures intended to outline a minimum scope. This includes:

  • Risk analysis and security for information systems
  • Management of security incidents
  • Maintenance and recovery, backup management, crisis management
  • Supply chain security, security between facilities, service provider security
  • Security in development, procurement and maintenance, vulnerability management
  • Evaluation of the effectiveness of cyber security and risk management
  • Cyber security and cyber hygiene training
  • Cryptography and encryption
  • Personnel security, access control and asset management
  • Multi-factor authentication and continuous authentication
  • Secure communication and emergency communication if necessary

When implementing the measures, regulated actors must consider the priority of Union requirements set out in § 30 (4) NIS2-UmsG. Accordingly, the European Commission may specify technical and methodological requirements in an implementing act that take precedence over the requirements set out in § 30 (2) NIS2-UmsG. In addition, a specific catalog issued by the European Commission also takes precedence for the types of facilities mentioned in § 30 (3) NIS2-UmsG, which include the operators of data centers, Managed Services, online marketplaces, search engines, social networks and trust services.

Finally, § 31 NIS2-UmsG addresses special requirements for the risk management measures of operators of critical facilities. Following on from the risk-based approach, these exceed the requirements from § 30 NIS2-UmsG. Consequently, § 31 (1) NIS2-UmsG clarifies that more complex measures can also be considered proportionate.

In addition, § 31 (2) NIS2-UmsG obliges operators of critical systems to use attack detection systems. These are intended to identify and prevent ongoing threats and provide suitable remedial measures for incidents that have occurred.

A specification of the measures is not yet apparent. No derivations from existing cyber security standards such as ISO 27001 or C5 are available to date either. An immediate transfer of existing ISMS certifications does not appear to be possible, as the new cyber security requirements are in some cases more comprehensive.


Reporting obligations

§ 32 NIS2-UmsG regulates reporting obligations to the supervisory authorities in the event of security incidents. According to § 32 (1) NIS2-UmsG, there are various reporting deadlines for "significant" security incidents:

CategoryExplanation
early initial report (No. 1)An "early initial report" must be made within 24 hours of becoming aware of the incident. This includes the suspicion as to whether the incident is due to an illegal or malicious act or could have cross-border effects.
Confirmation/update (No. 2)A confirmation or update of the initial notification must be provided within 72 hours of becoming aware of the incident. This must include an initial assessment of the significant security incident, including its severity and impact and, if applicable, the indicators of compromise.
Interim report (No. 3)At the request of the Federal Office for Information Security ("BSI"), interim reports must be made.
Final message (No. 4)A final report must be submitted within one month of the notification under no. 2, unless the security incident is still ongoing.

In addition, operators of critical facilities are obliged under § 32 (3) NIS2-UmsG to provide information on the type of facility affected, the critical service and the impact of the security incident on this service if a significant security incident has or could have an impact on the critical facility they operate.

Further details of the reporting procedure can be specified by BSI.


Registration and information obligations

§§ 33 and 34 NIS2-UmsG regulate the registration obligations for the relevant entities. It must be taken into account that the failure to register, incorrect, incomplete or late registration can already constitute an offence under §§ 60 (2) No. 4, (5) NIS2-UmsG.

§§ 35 and 36 NIS2-UmsG then regulate the exchange of information between regulated actors and the BSI. While § 35 NIS2-UmsG establishes notification obligations for the actors in the event of significant security incidents, § 36 NIS2-UmsG manifests the BSI's feedback obligations.

§ 39 NIS2-UmsG subsequently results in verification obligations for operators of critical facilities. Originally, inspection obligations were planned for particularly important facilities and the operators of critical facilities every 2 years . These requirements have been lowered in the current discussion paper: as a result, only operators of critical facilities are now subject to the verification obligations and this every 3 years. Important and particularly important facilities still have to implement the respective measures, but generally do not have to provide evidence of this.

Within the scope of its sanctioning powers under §§ 64 and 65 NIS2-UmsG, the BSI can nevertheless also sanction individual important or particularly important facilities. to provide evidence and carry out tests.


Personal liability of the management?

The original core of the NIS2-UmsG was the strict monitoring obligations of the managers of important, particularly important facilities and critical installations in accordance with § 38 NIS2-UmsG. According to this, managers had to personally perform the tasks to ensure cyber security under the NIS2-UmsG. In the event of a breach, personal liability was decided in order to ensure that the new requirements are actually implemented.

These strict requirements have been reduced in the new discussion paper, according to which the delegation of management duties has been made possible by allowing the appointment of third parties. In addition, § 38 (2) NIS2-UmsG, which provided for personal liability, was deleted. Although any internal liability, for example under § 93 AktG, remains unaffected by this, the monitoring obligations have lost some of their impact as a result.

§ 38 NIS2-UmsG in its current version is limited to reduced approval, monitoring and training obligations of the managing directors. These amendments were confirmed in the workshop meeting on October 26, 2023.


Training obligations of the management

Despite the reduction in responsibility, § 38 (3) NIS2-UmsG still stipulates training obligations for managers. Accordingly, they must "regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity and its impact on the services provided by the institution."

The extent to which these training obligations are required will be determined on a case-by-case basis according to the extent to which knowledge and skills are considered "sufficient".


Sanctions

In §§ 60 et seq. NIS2-UmsG contain provisions on sanctions and supervision by the BSI, § 60 (1) - (4) NIS2-UmsG first define the individual elements of an administrative offense.

Subsequently, §§ 60 (5) et seq. NIS2-UmsG determine the amount of the respective fine. These can amount to up to €10 million or a maximum amount of at least 2% of a company's total global turnover in the previous financial year. The sanctions regime thus ties in with the requirement to ensure proportionate and effective fines, as is already the case under the GDPR, among others.


Outlook

The NIS2-UmsG is expected to be promulgated in March 2024. The law is then expected to enter into force in October 2024. There are no apparent transition periods. It remains to be seen to what extent the requirements will be modified by then. However, is already clear: Those affected must prepare for significantly increased cybersecurity requirements.

In monetary terms, assumes an annual increase in compliance costs of around €1.65 billion at the expense of the German economy. In detail, this means an increase in the operational cybersecurity budget of around 22%; for companies that are already subject to NIS I and comply with the requirements by around 12%.

Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB


© 2019 - 2024 Simpliant