The background to the increased cybersecurity requirements is the EU's response to the growing level of cyber threats. The aim is to ensure resilience and economic functionality within the EU and thus indirectly to strengthen public order.
In addition to specific sector- or product-specific requirements at EU level, such as the Cyber Resilience Act ("CRA") or the Digital Operational Resilience Act ("DORA"), this is to be achieved in particular through the expansion of business-related cybersecurity requirements.
Following the NIS Directive ("(EU) 2016/1148") of 2016, which was implemented in Germany by the IT Security Act, the EU adopted the NIS 2 Directive ("(EU) 2022/2555") on February 14, 2022. As a directive at the Union level, the provisions are not directly applicable in Germany, but must be transposed into national law. Implementation is required by October 17, 2024.
In Germany, this will take place within the framework of the NIS2 Implementation Act (hereinafter referred to as "NIS2-UmsG"). After drafts dated April 3, 2023 and July 3, 2023, this is currently available in the form of a discussion paper dated September 27, 2023.
The NIS2-UmsG adapts existing national regulations. The Act on the Federal Office for Information Technology ("BSIG") will be completely revised and expanded. Other regulations, such as the Energy Industry Act, will also be amended.
Scope of applicability
The criterion for the scope of cybersecurity measures required for companies is the criticality of a particular facility. The NIS2-UmsG thus follows a risk-based approach.
The scope of application of the law essentially results from § 28 NIS2-UmsG, which differentiates between "important" facilities, "particularly important" facilities and "operators of critical facilities". This results in the following differentiation:
Annex 1 (sectors with high criticality) and Annex 2 (other critical sectors) can be found in the discussion paper, page 26 et seq.
In summary, it is clear that the thresholds have been lowered compared to the previous KRITIS classifications, which expands the scope of application of the NIS2-UmsG.
Special features apply to certain financial and insurance companies. While they are exempted from the scope of application of important and particularly important institutions pursuant to § 28 (1) and (2) NIS2-UmsG, they are expressly included in the sectors of critical facilities pursuant to § 28 (5) NIS2-UmsG. Regarding companies from the financial sector, the special requirements of the DORA should be noted in this regard.
Risk management measures
§ 30 NIS2-UmsG establishes risk management measures for important and particularly important institutions. According to § 30 (1) NIS2-UmsG, these are obliged to "take appropriate, proportionate and effective technical and organizational measures to avoid disruptions (...) and to minimize the impact of security incidents."
As part of the proportionality of the measures, the extent of the risk exposure, implementation costs and the size of the facility must be taken into account. Measures implemented should comply with the state of the art and be based on a cross-hazard approach.
§ 30 (2) NIS2-UmsG provides a catalog of measures intended to outline a minimum scope. This includes:
- Risk analysis and security for information systems
- Management of security incidents
- Maintenance and recovery, backup management, crisis management
- Supply chain security, security between facilities, service provider security
- Security in development, procurement and maintenance, vulnerability management
- Evaluation of the effectiveness of cyber security and risk management
- Cyber security and cyber hygiene training
- Cryptography and encryption
- Personnel security, access control and asset management
- Multi-factor authentication and continuous authentication
- Secure communication and emergency communication if necessary
When implementing the measures, regulated actors must consider the priority of Union requirements set out in § 30 (4) NIS2-UmsG. Accordingly, the European Commission may specify technical and methodological requirements in an implementing act that take precedence over the requirements set out in § 30 (2) NIS2-UmsG. In addition, a specific catalog issued by the European Commission also takes precedence for the types of facilities mentioned in § 30 (3) NIS2-UmsG, which include operators of data centers, managed services, online marketplaces, search engines, social networks and trust services.
Finally, § 31 NIS2-UmsG addresses special requirements for the risk management measures of operators of critical facilities. Following on from the risk-based approach, these exceed the requirements from § 30 NIS2-UmsG. Consequently, § 31 (1) NIS2-UmsG clarifies that more complex measures can also be considered proportionate.
In addition, § 31 (2) NIS2-UmsG obliges operators of critical facilities to use attack detection systems. These are intended to identify and prevent ongoing threats and to provide suitable remedial measures for incidents that have occurred.
A specification of the measures is not yet apparent. No derivations from existing cyber security standards such as ISO 27001 or C5 are available to date either. An immediate transfer of existing ISMS certifications does not appear to be possible, as the new cyber security requirements are in some cases more comprehensive.
Reporting obligations
§ 32 NIS2-UmsG regulates reporting obligations to the supervisory authorities in the event of security incidents. According to § 32 (1) NIS2-UmsG, there are various reporting deadlines for "significant" security incidents:
In addition, operators of critical facilities are obliged under § 32 (3) NIS2-UmsG to provide information on the type of facility affected, the critical service and the impact of the security incident on this service if a significant security incident has or could have an impact on the critical facility they operate.
Further details of the reporting procedure can be specified by BSI.
Registration and information obligations
§§ 33 and 34 NIS2-UmsG regulate the registration obligations for the relevant entities. It must be taken into account that the failure to register, incorrect, incomplete or late registration can already constitute an offence under §§ 60 (2) No. 4, (5) NIS2-UmsG.
§§ 35 and 36 NIS2-UmsG then regulate the exchange of information between regulated actors and the BSI. While § 35 NIS2-UmsG establishes notification obligations for the actors in the event of significant security incidents, § 36 NIS2-UmsG establishes the BSI's feedback obligations.
§ 39 NIS2-UmsG subsequently results in verification obligations for operators of critical facilities. Originally, inspection obligations were planned for particularly important facilities and the operators of critical facilities every 2 years. These requirements have been lowered in the current discussion paper: as a result, only operators of critical facilities are now subject to the verification obligations, and only every 3 years. Important and particularly important facilities still have to implement the respective measures, but generally do not have to provide evidence of this.
Within the scope of its sanctioning powers under §§ 64 and 65 NIS2-UmsG, the BSI can nevertheless also order individual important or particularly important facilities to provide evidence and carry out tests.
Personal liability of the management?
The original core of the NIS2-UmsG was the strict monitoring obligations of the managers of important facilities, particularly important facilities and critical facilities in accordance with § 38 NIS2-UmsG. According to this, managers had to personally perform the tasks to ensure cyber security under the NIS2-UmsG. In the event of a breach, personal liability was provided for in order to ensure that the new requirements are actually implemented.
These strict requirements have been reduced in the new discussion paper, according to which the delegation of management duties has been made possible by allowing the appointment of third parties. In addition, § 38 (2) NIS2-UmsG, which provided for personal liability, was deleted. Although any internal liability, for example under § 93 AktG, remains unaffected by this, the monitoring obligations have lost some of their impact as a result.
§ 38 NIS2-UmsG in its current version is limited to reduced approval, monitoring and training obligations of the managing directors. These amendments were confirmed in the workshop meeting on October 26, 2023.
Training obligations of the management
Despite the reduction in responsibility, § 38 (3) NIS2-UmsG still stipulates training obligations for managers. Accordingly, they must "regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity and its impact on the services provided by the institution."
The extent to which these training obligations are required will be determined on a case-by-case basis according to the extent to which knowledge and skills are considered "sufficient".
Sanctions
§§ 60 et seq. NIS2-UmsG contain provisions on sanctions and supervision by the BSI. § 60 (1) to (4) NIS2-UmsG first define the individual elements of an administrative offense.
Subsequently, §§ 60 (5) et seq. NIS2-UmsG determine the amount of the respective fine. These can amount to up to €10 million or a maximum amount of at least 2% of a company's total global turnover in the previous financial year. The sanctions regime thus ties in with the requirement to ensure proportionate and effective fines, as is already the case under the GDPR, among others.
Outlook
The NIS2-UmsG is expected to be promulgated in March 2024. The law is then expected to enter into force in October 2024. There are no apparent transition periods. It remains to be seen to what extent the requirements will be modified by then. However, one thing is already clear: those affected must prepare for significantly increased cybersecurity requirements.
In monetary terms, an annual increase in compliance costs of around €1.65 billion at the expense of the German economy is assumed. In detail, this means an increase in the operational cybersecurity budget of around 22%; for companies that are already subject to NIS 1 and comply with its requirements, the increase is around 12%.