At the end of 2022, the European Parliament and the Council of the EU adopted version 2 of the Network and Information Security Directive (NIS2). NIS2 must be transposed into national law by 17 October 2024. In Germany, the draft bill for a law to implement the directive has now been submitted. This will result in a more or less complete revision of the Act on the Federal Office for Information Security (BSIG).
We explain the most important changes to NIS2 and what affected organisations in Germany can and should do now.
Why a NIS2 directive?
The NIS Directive (full name: Directive on measures for a high common level of cybersecurity across the Union) was introduced throughout the EU back in 2016. The NIS2 version came into force in 2023 (full text in the Official Journal of the European Union).
The main reasons for the legislative changes in NIS2 are increasing digitalisation and the sharp rise in the threat from cybercrime. Under the old directive, the EU member states countered this threat with completely different approaches, which undermined a common level of security. The new directive is intended to address both of these issues.
The most important changes to the NIS2 Directive
The group of organisations addressed by NIS2 will be significantly larger
In future, significantly more organisations will be obliged than before. In particular, the threshold values of the BSI Critical Infrastructure Ordinance (Ordinance on the Determination of Critical Infrastructures under the BSI Act – BSI Critical Infrastructure Ordinance) will no longer apply. In general, the size of a facility alone will no longer determine whether it falls under the future categories of “essential facility” or “important facility”. The catalogue of facilities covered by the IT Security Act 2.0, which was already expanded in 2021, also remains narrower than the future scope.
The critical and highly critical sectors are already defined in the new directive itself. This means that the individual Member States can no longer decide for themselves which sectors are addressed.
The sectors categorised as critical (important) are:
- Postal and courier services
- Waste management
- Production, manufacture and trade in chemical substances
- Production, processing activities and distribution of foodstuffs
- Goods production and processing activities
- Providers of digital services
- Research
The sectors categorised as highly critical (essential) are:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- Management of ICT services, excluding the consumer sector
- Public administration
- Space
Organisations that exceed the threshold of a medium-sized enterprise are automatically covered by the directive without any further requirements. This means that all organisations with at least 50 employees or an annual turnover or annual balance sheet total of ten to 43 million euros are addressed.
Some organisations are also subject to the directive below this threshold because they are classified as “critical”. In other cases, the categorisation is based on soft factors.
NIS2 sets out new and clear requirements
The new directive defines the requirements in a catalogue and therefore no longer leaves implementation to the Member States.
The requirements include, for example:
- Concepts for analysing risks
- Concepts for the security of information systems
- Process for evaluating the effectiveness of measures
- Process for dealing with security incidents (incident response management)
- Process for maintaining operations (business continuity) and crisis management
- Implementation of security measures as early as the purchasing, development and maintenance of network or information systems
- Training in the area of cyber security
- Security of the supply chain
- Asset management
- Personnel security
- Cryptography
- Communication and emergency communication
All facilities addressed are obliged to identify and then implement appropriate and proportionate state-of-the-art technical, operational and organisational measures to counter the relevant threats. Not only cyber hazards are relevant, but also others such as environmental hazards (fire, water) or direct physical action by people.
Please note: Proportionality is based on the potential impact, not the cost of protective measures!
NIS2 prevents hiding
For some facilities, registration with ENISA (European Union Agency for Cybersecurity) is mandatory.
Irrespective of this, security incidents must in future be reported to the competent national security authority in several steps:
- The initial notification must be made within 24 hours.
- This must be updated within 72 hours.
- A final report to the BSI (Federal Office for Information Security) must be made within one month.
Under NIS2, the management is personally responsible
It is made explicitly clear that overall responsibility for cyber security and the prevention of security incidents also lies with top management. This is not really a surprise, as it is all about compliance. However, the legislator felt it was necessary to state this explicitly.
Accordingly, top management is also threatened with personal liability in the event of deficiencies in implementation. The draft for NIS2 implementation in Germany explicitly stipulates that management is liable for any damage caused to the organisation if it breaches its obligations. As is usually the case, it will not be possible to delegate this responsibility completely. This is a misconception that many managers still fall for – also supported by unfounded promises made by some consultants.
Tip: Read our guide on responsibility, liability and the delegability of data protection.
It is also very interesting that the BSI is apparently to be given the power to temporarily prohibit management from carrying out its management duties if management disregards the orders of this authority.
Possible sanctions under the NIS2
The directive obliges the EU Member States to provide for fines for violations. In future, very severe fines will be possible, strongly reminiscent of the EU General Data Protection Regulation (GDPR). Fines of up to 20 million euros are on the cards, as well as fines calculated on the basis of the previous year’s total global turnover.
Recommended action for (potentially) affected organisations
Clarify now whether you will be subject to future obligations under NIS2!
Make sure you have sufficient resources and, if necessary, external support in good time! Once the law takes effect and the implementation deadline has passed, we will experience a similar scenario to the introduction of the GDPR. There will not be enough consultants available on the market and the time for implementation is very limited.
Determine the need for action now! Regardless of whether an organisation will ultimately be legally obliged to do something about its own cybersecurity, it certainly won’t hurt to know where improvements can be made.
Since all institutions are obliged to take suitable technical and organisational measures for other reasons anyway (first and foremost data protection), this is an opportunity to kill several birds with one stone.
Don’t forget supply chains, purchasing and development! It will hardly be possible to make significant changes in these areas spontaneously.