
Updated Monday, December 16, 2024


New requirements for cyber security in Germany - the NIS2-Implementation Act

Even though the implementation of the NIS2 law in Germany has been delayed, there is not much time left to prepare for and implement the new cybersecurity requirements of NIS2.

Boris Arendt

Salary Partner (Attorney-at-law)

Jakob Riediger

Scientific Research Assistant

Ana Combei

Scientific Research Assistant

Current Status
Scope of applicability
Risk management measures
Reporting obligations
Registration and information obligations
Personal liability of the management?
Training obligations of the management
Sanctions
Timeline
Outlook


The cybersecurity landscape in Germany is on the cusp of significant change with the upcoming NIS2 Implementation and Cybersecurity Strengthening Act. This legislation, which amends and expands the existing BSI-Gesetz (Act on the Federal Office for Information Security), transposes the EU NIS2 Directive into German law, significantly broadening the scope and tightening the requirements for cybersecurity across various sectors.

The implementation of the NIS2-UmsuCG has been delayed, meaning that the original implementation deadline of October 17, 2024 has been missed. The parliamentary legislative process must be completed before the NIS2-UmsuCG can become law. The legislature had already requested amendments at an early stage to the government draft, which was adopted on July 24, 2024. The Bundesrat and Bundestag are currently addressing the issue and putting the finishing touches to it. The final second round of the draft in the Bundesrat is planned for February 2025. The law can therefore be expected to come into force in March 2025 at the earliest.


Current Status

The most recent government draft of the BSI Act (BSIG-new) has been revised linguistically and editorially, but the sections on reporting significant security incidents and on IT risk management have not been altered. The content for energy systems, public telecommunications networks, energy supply networks, and companies that offer publicly accessible telecommunications services has changed, though. §§ 61 and 62 of the BSIG-new expressly exclude these firms from the supervision and enforcement powers of the BSI, which results in a limited application beyond the registration requirements.

The Telecommunications Act (TKG-new) and Energy Industry Act (EnWG-new), which were modified in conjunction with the NIS2-UmsuCG, contain the majority of the regulatory text.

§§ 165 (2b)-(2d) TKG-new and § 5c (9-11) EnWG-new require management to implement and monitor security requirements, participate in training courses, and be liable for any culpably caused damage. These new TKG and EnWG provisions supplement the duties and liability requirements of management in line with the new BSIG.

Minor changes have also been made to the government draft, including a revision of the requirements for facilities of the Federal Office under § 44 BSIG-new and a clarification of the hospital exemption under § 108 SGB V.

No significant adjustments are expected, though, and the current level of uncertainty will persist. Business associations criticize the fact that different regulations will still apply to businesses in different EU member states, which particularly affects multinational corporations with subsidiaries in several EU member states. Notifying the Federal Ministry of the Interior and Home Affairs of the first use of a critical component is still required under § 41 BSIG-new.


Scope of applicability

The criterion for the scope of cybersecurity measures required of a company is the criticality of the particular facility. The NIS2-UmsuCG thus follows a risk-based approach.

The scope of application of the law essentially results from § 28 NIS2-UmsuCG, which differentiates between "important facilities", "particularly important facilities" and "operators of critical facilities". This results in the following differentiation:

Category | Explanation | Supplementary
particularly important facilities | Entities that fall under sectors from Annex 1 with more than 250 employees or more than €50 million in turnover and a balance sheet total of more than €43 million. | In addition, special cases such as qualified trust service providers, top-level domain name registries or DNS service providers.
important facilities | Facilities that fall under sectors from Annex 1 and 2 with either more than 50 employees or more than €10 million turnover and balance sheet total. | In addition, certain trust service providers.
critical installations | Installations in the following sectors: energy, transportation/transport, finance/insurance, health, drinking water/wastewater, food, IT and telecommunications, space or waste disposal. | Detailed provisions by statutory order, § 57 (4) NIS2-UmsuCG.

Annex 1 (sectors of high criticality) and Annex 2 (other critical sectors) can be found in the draft, page 73 et seq.

In summary, it is clear that the thresholds have been lowered compared to the previous KRITIS classifications, which expands the scope of application of the NIS2-UmsuCG.

Special features apply to certain financial and insurance companies. While they are exempted from the scope of application of important and particularly important institutions pursuant to § 28 (1) and (2) NIS2-UmsuCG, they are expressly included in the sectors of critical facilities pursuant to § 28 (5) NIS2-UmsuCG. Regarding companies from the financial sector, the special requirements of the DORA should be noted in this regard.


Risk management measures

§ 30 NIS2-UmsuCG sets out risk management measures for important and particularly important facilities. According to § 30 (1) NIS2-UmsuCG, these are obliged to "take appropriate, proportionate and effective technical and organizational measures to avoid disruptions (...) and to minimize the impact of security incidents."

As part of the proportionality of the measures, the extent of the risk exposure, implementation costs and the size of the facility must be taken into account. Measures implemented should comply with the state of the art and be based on a cross-hazard approach.

§ 30 (2) NIS2-UmsuCG provides a catalog of measures intended to outline a minimum scope. This includes:

  • Risk analysis and security for information systems
  • Management of security incidents
  • Maintenance and recovery, backup management, crisis management
  • Supply chain security, security between facilities, service provider security
  • Security in development, procurement and maintenance, vulnerability management
  • Evaluation of the effectiveness of cyber security and risk management
  • Cyber security and cyber hygiene training
  • Cryptography and encryption
  • Personnel security, access control and asset management
  • Multi-factor authentication and continuous authentication
  • Secure communication and emergency communication if necessary

When implementing the measures, regulated actors must consider the priority of Union requirements set out in § 30 (4) NIS2-UmsuCG. Accordingly, the European Commission may specify technical and methodological requirements in an implementing act that take precedence over the requirements set out in § 30 (2) NIS2-UmsuCG. In addition, a specific catalog issued by the European Commission also takes precedence for the types of facilities mentioned in § 30 (3) NIS2-UmsuCG, which include the operators of data centers, managed service providers, online marketplaces, search engines, social networks and trust services.

Finally, § 31 NIS2-UmsuCG addresses special requirements for the risk management measures of operators of critical facilities. In keeping with the risk-based approach, these exceed the requirements of § 30 NIS2-UmsuCG. Consequently, § 31 (1) NIS2-UmsuCG clarifies that more complex measures can also be considered proportionate.

In addition, § 31 (2) NIS2-UmsuCG obliges operators of critical facilities to use attack detection systems. These are intended to identify and prevent ongoing threats and to provide suitable remedial measures for incidents that have occurred.

The measures have not yet been specified in more detail. No mappings to existing cyber security standards such as ISO 27001 or C5 are available to date either. An immediate transfer of existing ISMS certifications does not appear to be possible, as the new cyber security requirements are in some cases more comprehensive.


Reporting obligations

§ 32 NIS2-UmsuCG regulates reporting obligations to the supervisory authorities in the event of security incidents. According to § 32 (1) NIS2-UmsuCG, the following reporting deadlines apply to "significant" security incidents:

Category | Explanation
Early initial report (No. 1) | An "early initial report" must be made within 24 hours of becoming aware of the incident. This includes the suspicion as to whether the incident is due to an illegal or malicious act or could have cross-border effects.
Confirmation/update (No. 2) | A confirmation or update of the initial notification must be provided within 72 hours of becoming aware of the incident. This must include an initial assessment of the significant security incident, including its severity and impact and, if applicable, the indicators of compromise.
Interim report (No. 3) | At the request of the Federal Office for Information Security ("BSI"), interim reports must be made.
Final report (No. 4) | A final report must be submitted within one month of the notification under No. 2, unless the security incident is still ongoing.

In addition, operators of critical facilities are obliged under § 32 (3) NIS2-UmsuCG to provide information on the type of facility affected, the critical service and the impact of the security incident on this service if a significant security incident has or could have an impact on the critical facility they operate.

Further details of the reporting procedure can be specified by the BSI.


Registration and information obligations

§§ 33 and 34 NIS2-UmsuCG regulate the registration obligations for the relevant entities. It must be taken into account that failure to register, or incorrect, incomplete or late registration, can already constitute an administrative offence under § 60 (2) No. 4 and (5) NIS2-UmsuCG.

§§ 35 and 36 NIS2-UmsuCG then regulate the exchange of information between regulated actors and the BSI. While § 35 NIS2-UmsuCG establishes notification obligations for the actors in the event of significant security incidents, § 36 NIS2-UmsuCG sets out the BSI's feedback obligations.

§ 39 NIS2-UmsuCG subsequently establishes verification obligations for operators of critical facilities. Originally, inspection obligations every 2 years were planned for particularly important facilities and the operators of critical facilities. These requirements have been lowered: as a result, only operators of critical facilities are now subject to verification obligations, namely every 3 years. Important and particularly important facilities still have to implement the respective measures, but generally do not have to provide evidence of this.

Within the scope of its sanctioning powers under §§ 64 and 65 NIS2-UmsuCG, the BSI can nevertheless also oblige individual important or particularly important facilities to provide evidence and carry out audits.


Personal liability of the management?

The original core of the NIS2-UmsuCG was the strict monitoring obligations of the managers of important facilities, particularly important facilities and critical installations in accordance with § 38 NIS2-UmsuCG. According to this, managers had to personally perform the tasks to ensure cyber security under the NIS2-UmsuCG. In the event of a breach, personal liability was provided for in order to ensure that the new requirements are actually implemented.

These strict requirements have been relaxed, allowing the delegation of management duties to third parties. This change permits the appointment of external entities to handle specific cybersecurity responsibilities. In addition, § 38 (2) NIS2-UmsuCG, which provided for personal liability, was deleted. Although any internal liability, for example under § 93 AktG, remains unaffected by this, the monitoring obligations have lost some of their impact as a result.

§ 38 NIS2-UmsuCG in its current version is limited to reduced approval, monitoring and training obligations of the managing directors. These amendments were confirmed in the draft released by the BMI on July 24th, 2024.

Previous Provisions: As stated in § 38 of the original NIS2-UmsuCG, management was directly in charge of guaranteeing cybersecurity at important facilities, particularly important facilities and critical installations. Personal liability for noncompliance with cybersecurity requirements was included in this.

Changes in the draft as of July 24th, 2024:

  • Delegation of Duties: The revised draft preserves the option to assign particular cybersecurity-related management responsibilities to outside parties. Organizations are able to designate specific businesses or individuals for compliance due to this flexibility.
  • Personal Liability: The most recent draft does, in fact, remove § 38 (2) NIS2-UmsuCG, which formerly described managers' personal liability. As a result, managers are no longer held directly accountable for cybersecurity breaches, even if they must still supervise cybersecurity procedures.
  • Internal Liability: Other types of internal liability, such as those relating to directors' duties under § 93 of the Aktiengesetz (AktG), are untouched even though personal liability under § 38 (2) NIS2-UmsuCG has been eliminated.

By eliminating § 38 (2) from the draft, managers' direct personal culpability under the NIS2-UmsuCG is decreased, and the emphasis is now placed on broader compliance duties rather than individual accountability.

Although it offers an organized method of handling complicated cybersecurity needs, assigning cybersecurity activities to outside parties does not absolve managers of their managerial responsibilities.

While the new draft does reduce the scope of personal liability for managers, it does not remove the overarching responsibility for ensuring compliance with cybersecurity measures. Managers still have a significant role in overseeing these measures, even though the specific provision for personal liability has been omitted.


Training obligations of the management

Despite the reduction in responsibility, § 38 (3) NIS2-UmsuCG still stipulates training obligations for managers. Accordingly, they must "regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity and its impact on the services provided by the institution."

The extent to which these training obligations are required will be determined on a case-by-case basis according to the extent to which knowledge and skills are considered "sufficient".


Sanctions

§§ 60 et seq. NIS2-UmsuCG contain provisions on sanctions and supervision by the BSI; § 60 (1) to (4) NIS2-UmsuCG first define the individual elements of an administrative offence.

Subsequently, § 60 (5) et seq. NIS2-UmsuCG determine the amount of the respective fine. These can amount to up to €10 million or a maximum of at least 2% of a company's total global turnover in the previous financial year. The sanctions regime thus ties in with the requirement to ensure proportionate and effective fines, as is already the case under the GDPR, among others.


Timeline

Milestone | Date | Details
Draft publication | March 2024 | The draft of the NIS2 Implementation Act was published for public feedback.
Feedback deadline | May 28th, 2024 | Deadline for federal states and stakeholders to submit comments on the draft.
Stakeholder hearing | June 2024 | Hearing held with federal states and associations to discuss the draft bill.
Cabinet decision on government draft | July 24th, 2024 | The Federal Cabinet approved the draft submitted by the BMI.
Review and amendments of the draft | August 2024 - February 2025 | Adaptation of the draft law with the involvement of the Bundesrat and Bundestag.
Effective date | March 2025 | The law comes into force. All entities must comply from this date.
Initial compliance audits | 2nd to 3rd quarter of 2025 | BSI begins audits to ensure compliance with the new regulations.

Outlook

The NIS2 Directive, implemented through the NIS2-UmsuCG, significantly strengthens Germany's cybersecurity framework. Businesses ought to begin evaluating the effects of the NIS2-UmsuCG right now, because there is no transition period following adoption. To assist businesses in determining whether they are affected by NIS2, the BSI offers a tool and FAQ.

Particularly for businesses that engage in a wide range of activities, a thorough evaluation of the scope of their business operations is required. It's also essential to carefully calculate important metrics like personnel counts, turnover, and balance sheet totals. Companies should inventory their current network and IT infrastructure, including security infrastructure, and compare it with the NIS2-UmsuCG standards after finishing the impact assessment. If gaps are identified, they must be closed promptly due to the lack of a transition period.

Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB

© 2019 - 2024 Simpliant