The cybersecurity landscape in Germany is on the cusp of significant change with the upcoming NIS2 Implementation and Cybersecurity Strengthening Act (NIS2-UmsuCG). This legislation amends and expands the existing BSI-Gesetz (Act on the Federal Office for Information Security) and transposes the EU NIS2 Directive into German law, significantly broadening the scope and tightening the cybersecurity requirements across a range of sectors.
The implementation of the NIS2-UmsuCG has been delayed, so the original transposition deadline of October 17, 2024 has been missed. The parliamentary legislative process must be completed before the NIS2-UmsuCG can become law. The legislature had already requested amendments to the government draft, which the Federal Cabinet adopted on July 24, 2024, at an early stage. The Bundesrat and Bundestag are currently dealing with the bill and putting the finishing touches to it. The second and final reading of the draft in the Bundesrat is planned for February 2025, so the law can be expected to enter into force in March 2025 at the earliest.
Current Status
The most recent government draft of the BSI Act (BSIG-new) has been revised linguistically and editorially, but the sections on reporting significant security incidents and on IT risk management have not been changed. The provisions for energy installations, public telecommunications networks, energy supply networks and providers of publicly available telecommunications services have changed, however: §§ 61 and 62 BSIG-new expressly exclude these companies from the BSI's supervisory and enforcement powers, so that, beyond the registration requirements, the BSIG applies to them only to a limited extent.
The Telecommunications Act (TKG-new) and the Energy Industry Act (EnWG-new), which are amended together with the NIS2-UmsuCG, contain most of the substantive rules for these companies.
§ 165 (2b)-(2d) TKG-new and § 5c (9)-(11) EnWG-new require management to implement and monitor the security requirements, to attend training courses, and to be liable for any culpably caused damage. These new TKG and EnWG provisions mirror the management duties and liability rules of the new BSIG.
Minor changes have also been made to the government draft, including a revision of the requirements for federal facilities under § 44 BSIG-new and a clarification of the hospital exemption under § 108 SGB V.
No further significant adjustments are expected, however, so the current uncertainty will persist. Business associations criticize the fact that different rules will continue to apply to companies in different EU member states, which particularly affects multinational groups with subsidiaries in several member states. Notifying the Federal Ministry of the Interior and Community of the first use of a critical component is still required under § 41 BSIG-new.
Scope of applicability
The criterion for the scope of the cybersecurity measures a company must take is the criticality of the particular facility; the NIS2-UmsuCG thus follows a risk-based approach.
The scope of application of the law essentially follows from § 28 NIS2-UmsuCG, which distinguishes between "important" facilities, "particularly important" facilities and "operators of critical facilities". This results in the following differentiation:
Annex 1 (sectors of high criticality) and Annex 2 (other critical sectors) can be found in the draft, page 73 et seq.
In summary, the thresholds have been lowered compared with the previous KRITIS classifications, which expands the scope of application of the NIS2-UmsuCG.
Special rules apply to certain financial and insurance companies. While they are exempted from the categories of important and particularly important facilities under § 28 (1) and (2) NIS2-UmsuCG, they are expressly included in the sectors of critical facilities under § 28 (5) NIS2-UmsuCG. For companies in the financial sector, the special requirements of the Digital Operational Resilience Act (DORA) must also be observed.
Risk management measures
§ 30 NIS2-UmsuCG sets out the risk management measures for important and particularly important facilities. Under § 30 (1) NIS2-UmsuCG, these facilities are obliged to "take appropriate, proportionate and effective technical and organizational measures to avoid disruptions (...) and to minimize the impact of security incidents."
When assessing proportionality, the extent of the risk exposure, the implementation costs and the size of the facility must be taken into account. The measures must reflect the state of the art and follow an all-hazards approach.
§ 30 (2) NIS2-UmsuCG provides a catalog of measures that defines the minimum scope. It includes:
- Concepts for risk analysis and the security of information systems
- Management of security incidents
- Maintenance and recovery, backup management, crisis management
- Supply chain security, security between facilities, security of service providers
- Security in development, procurement and maintenance, vulnerability management
- Evaluation of the effectiveness of cyber security and risk management
- Cyber security and cyber hygiene training
- Cryptography and encryption
- Personnel security, access control and asset management
- Multi-factor authentication or continuous authentication
- Secure communication and emergency communication if necessary
When implementing the measures, regulated actors must observe the precedence of Union law set out in § 30 (4) NIS2-UmsuCG. Accordingly, the European Commission may lay down technical and methodological requirements in an implementing act that take precedence over the requirements of § 30 (2) NIS2-UmsuCG. In addition, a specific catalog issued by the European Commission takes precedence for the types of facilities listed in § 30 (3) NIS2-UmsuCG, which include operators of data centers, managed services, online marketplaces, search engines, social networks and trust services.
Finally, § 31 NIS2-UmsuCG addresses special requirements for the risk management measures of operators of critical facilities. In keeping with the risk-based approach, these go beyond the requirements of § 30 NIS2-UmsuCG. Consequently, § 31 (1) NIS2-UmsuCG clarifies that more demanding measures can still be considered proportionate for these operators.
In addition, § 31 (2) NIS2-UmsuCG obliges operators of critical facilities to use attack detection systems. These are intended to identify and avert ongoing threats and to provide suitable remedial measures for incidents that have already occurred.
A detailed specification of the measures is not yet available, and no mappings to existing cybersecurity standards such as ISO/IEC 27001 or the BSI C5 catalog have been published either. Existing ISMS certifications therefore cannot simply be carried over, as the new cybersecurity requirements are in some cases broader.
Reporting obligations
§ 32 NIS2-UmsuCG regulates the reporting obligations towards the supervisory authorities in the event of security incidents. Under § 32 (1) NIS2-UmsuCG, staggered reporting deadlines apply to "significant" security incidents:
In addition, under § 32 (3) NIS2-UmsuCG, operators of critical facilities must provide information on the type of facility affected, the critical service concerned and the impact of the security incident on that service if a significant security incident has or could have an impact on the critical facility they operate.
Further details of the reporting procedure may be specified by the BSI.
Registration and information obligations
§§ 33 and 34 NIS2-UmsuCG regulate the registration obligations for the relevant facilities. Note that failure to register, as well as incorrect, incomplete or late registration, can already constitute an administrative offence under § 60 (2) No. 4 and (5) NIS2-UmsuCG.
§§ 35 and 36 NIS2-UmsuCG then regulate the exchange of information between regulated actors and the BSI. While § 35 NIS2-UmsuCG establishes information obligations for the actors in the event of significant security incidents, § 36 NIS2-UmsuCG sets out the BSI's corresponding feedback obligations.
§ 39 NIS2-UmsuCG then establishes verification obligations for operators of critical facilities. Originally, verification obligations were planned for both particularly important facilities and operators of critical facilities, every two years. These requirements have been scaled back: only operators of critical facilities are now subject to verification obligations, and only every three years. Important and particularly important facilities must still implement the respective measures, but generally do not have to provide evidence of doing so.
Within the scope of its supervisory powers under §§ 64 and 65 NIS2-UmsuCG, however, the BSI can still oblige individual important or particularly important facilities to provide evidence and undergo audits.
Personal liability of the management?
The original core of the NIS2-UmsuCG was the strict monitoring obligations imposed on the managers of important facilities, particularly important facilities and critical installations under § 38 NIS2-UmsuCG. Under that provision, managers had to personally perform the tasks required to ensure cybersecurity under the NIS2-UmsuCG, and personal liability was provided for in the event of a breach in order to ensure that the new requirements are actually implemented.
These strict requirements have been relaxed: management duties may now be delegated to third parties, so that external entities can be appointed to handle specific cybersecurity responsibilities. In addition, § 38 (2) NIS2-UmsuCG, which provided for personal liability, has been deleted. Although internal liability, for example under § 93 AktG, remains unaffected, the monitoring obligations have lost some of their impact as a result.
§ 38 NIS2-UmsuCG in its current version is limited to reduced approval, monitoring and training obligations for managing directors. These amendments were confirmed in the draft adopted on July 24, 2024.
Previous provisions: Under § 38 of the original NIS2-UmsuCG, management was directly responsible for ensuring cybersecurity at important facilities, particularly important facilities and critical installations, including personal liability for non-compliance with the cybersecurity requirements.
Changes in the draft of July 24, 2024:
- Delegation of duties: The revised draft permits specific cybersecurity-related management responsibilities to be assigned to outside parties. This flexibility allows organizations to designate specific companies or individuals for compliance tasks.
- Personal liability: The most recent draft removes § 38 (2) NIS2-UmsuCG, which formerly described managers' personal liability. As a result, managers are no longer held directly liable under the NIS2-UmsuCG for cybersecurity breaches, even though they must still supervise the cybersecurity measures.
- Internal liability: Other forms of internal liability, such as directors' duties under § 93 of the Aktiengesetz (AktG), remain untouched even though personal liability under § 38 (2) NIS2-UmsuCG has been eliminated.
With the deletion of § 38 (2), managers' direct personal liability under the NIS2-UmsuCG is reduced, and the emphasis shifts from individual accountability to broader compliance duties. Delegating cybersecurity tasks to outside parties offers a structured way of handling complex cybersecurity requirements, but it does not relieve managers of their overall responsibility: the specific liability provision has been dropped, yet managers remain responsible for overseeing compliance with the cybersecurity measures.
Training obligations of the management
Despite the reduction in responsibility, § 38 (3) NIS2-UmsuCG still imposes training obligations on managers. Accordingly, they must "regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity and its impact on the services provided by the institution."
The extent of these training obligations will be determined case by case, depending on what knowledge and skills are considered "sufficient" for the facility in question.
Sanctions
§§ 60 et seq. NIS2-UmsuCG contain the provisions on sanctions and on supervision by the BSI; § 60 (1) to (4) NIS2-UmsuCG first define the individual administrative offences.
§ 60 (5) et seq. NIS2-UmsuCG then determine the amount of the respective fine. For particularly important facilities, fines can reach up to €10 million or up to 2% of the company's total worldwide turnover in the previous financial year, whichever is higher; in line with the Directive, lower caps (€7 million or 1.4%) apply to important facilities. The sanctions regime thus follows the requirement for proportionate and effective fines already familiar from the GDPR, among others.
Timeline
Outlook
The NIS2 Directive, as implemented by the NIS2-UmsuCG, substantially tightens Germany's cybersecurity regime. Businesses should start evaluating the impact of the NIS2-UmsuCG now, because there is no transition period after adoption. To help companies determine whether they are affected by NIS2, the BSI offers an online self-assessment tool and an FAQ.
Particularly for companies with a wide range of activities, a thorough evaluation of the scope of their business operations is required, and the key metrics (headcount, turnover and balance sheet total) must be calculated carefully. Once the impact assessment is complete, companies should inventory their current network and IT infrastructure, including their security infrastructure, and compare it against the requirements of the NIS2-UmsuCG. Any gaps identified must be closed promptly, given the lack of a transition period.