What's next for NIS-2? Due to the early elections in Germany, the parliamentary procedure for the NIS-2 implementation law NIS2UmsuCG could not be completed. This means that, for now, there is no legal basis for many of the new cyber security requirements for companies.
But which legal framework applies now? For operators of critical infrastructures (KRITIS) in particular, the question arises as to whether the existing obligation to provide proof of compliance every two years will remain.
Our colleague Vinzent Ratermann, Managing Consultant and expert for IT security of critical infrastructures, explains:
Yes, the 2-year frequency will continue to apply for the present! As long as there is no legislation to implement the NIS-2 Directive in Germany, the BSI Act, which requires a two-year audit cycle, will continue to apply. Experience shows that the new government will also draw up a new law on NIS-2 implementation, which means that the times from the current draft of the NIS2UmsuCG may be changed again. The audit frequency may therefore remain unchanged, be increased to 3 or more years, or even be reduced to 1 year. This remains to be seen. The verification obligations for important and very important companies could also change, meaning that even very important companies will have to provide regular verification.
I stand by my recommendation: All KRITIS companies should also undergo an audit in accordance with the new NIS 2 requirements in the next audit cycle. This is only a minor additional effort in the audit process, but can be very useful for further planning.
If you need support with your KRITIS audit, get in touch. We are happy to help.
