NIS-2: The Most Important Takeaways from the German Implementation Act

7 June 2024

The law implementing the NIS-2 Directive aims to transpose the requirements of the European NIS-2 Directive into the German legal system. On May 7, the Federal Ministry of the Interior and Home Affairs (BMI) published its first official draft bill.

In this article, our KRITIS expert Vinzent Ratermann answers the most important questions about the NIS-2 Implementation Act and shares his key takeaways from the draft bill.

Vinzent Ratermann,
Managing Security Consultant, usd AG

What is the NIS-2 Implementation Act?

The NIS-2 Directive (Network and Information Security 2, NIS-2) is the directive on measures for a high common level of cybersecurity and cyber resilience in the European Union. In Germany, the provisions of NIS-2 are transposed into German law by the “Act on the Implementation of the NIS-2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration” (German: „Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung“; NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz – NIS2UmsuCG). Colloquially, the term NIS-2 Implementation Act has become established.

What is the current status?

The federal states had until May 28, 2024 to submit their comments on the draft bill and express any concerns.

At the beginning of June 2024, a hearing was also held with the federal states and various associations, in which comments and concerns about the draft law could be expressed.

The resulting comments and recommendations are now being reviewed. It is expected that further discussions on possible amendments to the draft bill will follow in order to address the concerns raised before the bill is introduced to the Bundestag.

Who is affected?

The NIS-2 Directive stipulates that all entities classified as important or essential are obliged to comply with it. This primarily includes companies in certain sectors and companies that reach certain thresholds in terms of turnover and number of employees. In addition, requirements are set for the information security of the Federal Administration.

It is not possible to give a blanket answer as to which companies will be specifically affected. However, one thing is certain: NIS-2 will affect significantly more companies than NIS-1 and the IT Security Act. The new directive covers more sectors than NIS-1 and lower thresholds than the IT Security Act and will also affect SMEs. In addition, there are other special regulations that apply regardless of the size of a company. A careful case-by-case assessment is therefore always necessary to determine whether a company falls under the NIS-2 Directive.

A look into the draft bill

The draft bill for the NIS-2 Implementation Act holds no major surprises for anyone already familiar with the NIS-2 Directive: It consistently transposes the requirements of the European Directive into German law and brings additional clarity to numerous aspects.

Here is an overview of the most important and, from our expert's point of view, most interesting points from the draft bill for affected companies:

Affected companies

  1. Operators of critical infrastructures (KRITIS) are automatically considered essential entities, regardless of whether they meet the thresholds defined in NIS-2.
    (§28)

  2. When assessing whether a company meets the thresholds for the number of employees or the amount of annual turnover, only the business areas involved in the provision of the service relevant to NIS-2 are taken into account.
    (§28)

    Note: This allows conclusions to be drawn about the scope of the directive within a company. As we read the current draft bill, the entire company is generally in scope. The restriction described here, however, suggests that it may be possible to limit the scope to the business areas that provide the NIS-2-relevant services.

  3. Companies that fall under the Digital Operational Resilience Act (DORA) may also be affected by the NIS-2 Implementation Act. However, as a lex specialis, DORA takes precedence over NIS-2: if a company falls under DORA, several sections of the NIS-2 Implementation Act do not apply to it (§§ 30-32, §§ 35-36, §§ 38-39).
    (§28)

More on NIS-2 and DORA:
https://www.usd.de/en/nis-2-and-dora-why-two-pieces-of-eu-legislation/

Measures

  1. The NIS-2 Implementation Act requires security measures in line with the current state of the art, which are to be based on European and international standards. The current draft names the three protection goals of integrity, confidentiality and availability; the protection goal of authenticity is not mentioned. In our reading, the explicit requirement to address this protection goal, which previously applied to operators of critical infrastructures, would therefore no longer apply.

    According to the NIS-2 Implementation Act, the following measures must be taken as a minimum:

    • concepts relating to risk analysis and security in information technology,
    • management of security incidents,
    • business continuity, such as backup management and disaster recovery, and crisis management,
    • security of the supply chain, including security-related aspects of relationships between individual entities and their direct vendors or service providers,
    • security measures for the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability management and disclosure,
    • concepts and procedures for evaluating the effectiveness of risk management measures in the area of information technology security,
    • basic cyber hygiene procedures and information technology security training,
    • concepts and procedures for the use of cryptography and encryption,
    • personnel security, access control concepts and asset management,
    • use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communications systems within the entity, where appropriate.
      (§30)

  2. The concept of sector-specific security standards (B3S) known from the context of critical infrastructures (KRITIS) is being pursued further and is also to be applied to important and essential entities.
    (§30)

  3. The familiar restriction on risk acceptance for operators of critical infrastructures (KRITIS) and the obligation to use attack detection systems continue to apply only to KRITIS operators. Other important and essential entities are not affected by this.
    (§31)

  4. The management is obliged to approve the ISMS in the company and monitor its implementation. To this end, the management must complete regular risk management training in the area of “Information Security”.
    (§38)

  5. In the event of a breach of duty by the management, the entity is obliged to assert claims for compensation against the management. The management also has the option of minimizing the liability risk by taking out insurance.
    (§38)

Reporting + Assessments

  1. Important and essential entities must register with the BSI within 3 months of reaching a threshold and remain in contact with the BSI. This also applies to companies that fall under DORA.
    (§33)

  2. Significant security incidents must be reported to the BSI in stages: an initial report within 24 hours, a more detailed follow-up report within 72 hours, and a final report no later than one month after that. If the incident has not yet been closed by then, a progress report must be submitted instead of the final report.
    (§32)

  3. In the event of a significant security incident, the BSI may instruct entities to immediately inform the recipients of their services of this significant security incident (e.g. by publishing it on the website).
    (§35)

  4. Operators of critical facilities (KRITIS) must provide proof of compliance with the requirements every three years. The date of the last verification marks the start of the new three-year cycle. This means, for example: Anyone who has provided proof in 2023 does not have to do so until 2026.
    (§39)

  5. Essential entities must provide evidence of compliance with the requirements following a prior request by the BSI. This request can be made without cause. An external audit can be ordered for this purpose. If no external audit is carried out, the BSI can also directly request system and documentary evidence and also carry out an on-site audit itself.
    (§65)

  6. Important entities must provide evidence of compliance with the requirements after prior request by the BSI. This request is only made if there are fact-based indications that the entity does not meet the requirements.
    (§66)

Fines

Failure to comply with the requirements of the NIS-2 Implementation Act can result in severe fines. Depending on the severity of the breach, these can amount to up to 10 million euros or 2% of the company's worldwide annual turnover, whichever is higher.
(§61)

International groups

Internationally operating groups in the following sectors are subject to reporting obligations towards the BSI only if their head office is located in Germany. Irrespective of this, they must register with the BSI.
(§34 + §64)

  1. DNS service providers,
  2. top-level domain name registries,
  3. domain name registration service providers,
  4. providers of cloud computing services,
  5. providers of data center services,
  6. operators of content delivery networks,
  7. managed service providers,
  8. managed security service providers,
  9. providers of online marketplaces,
  10. online search engines.

All other internationally operating companies must familiarize themselves with the national legislation that applies to them.

Outlook

Now that it is clear that the draft bill for the NIS-2 Implementation Act contains no surprises, affected companies should review their implementation of the security requirements as soon as possible and, if necessary, secure external support in good time. The time pressure is considerable: the BSI may request evidence for the first time no later than three years after the NIS-2 Implementation Act comes into force. So do not waste any time, and prepare for the case that you have to provide evidence of your security measures under NIS-2. Regular monitoring audits by independent auditors can ensure that you are able to comply with a request for evidence at any time and avoid unpleasant surprises. Regularly addressing information security is not only good preparation for NIS-2, it also strengthens the security level and thus the resilience of your company as a whole.

We will continue to monitor the development of the NIS2UmsuCG and keep you informed of relevant news.

In the meantime, do you have questions or need assistance? Contact us, our experts are happy to help.
