1 September 2023
Publication series – 29 of 30 Insights
At the end of 2022, the EU has adopted important regulations to protect network and information security in "critical sectors" with the "NIS2" directive. The energy sector is also classified as a "critical sector". Thus, the protection of certain facilities and services against cyber threats is to be strengthened. In Germany, the directive is implemented by the NIS 2 Implementation and Cybersecurity Strengthening Act (German). In doing so, the draft law goes beyond the EU requirements and thus brings about numerous innovations in national cyber security law.
The NIS 2 Implementation and Cybersecurity Strengthening Act is to be adopted by mid-2024. The obligations it entails are to apply from 1 October 2024.
Significantly more companies than before will be included in the IT security regime through the core piece of the draft NIS 2 Implementation and Cybersecurity Strengthening Act - the amendment of the BSI Act. A distinction is made between "important" and "particularly important facilities" as well as "critical installations" (cf. section 28 (3), (6), (7) Draft BSI Act). All covered entities must fulfil a number of obligations.
Many companies operating in the energy sector will be covered by the new security regime (cf. section 57 (1) Draft BSI Act).
Which companies will be specifically covered can only be conclusively determined after the issuance of a supplementary regulation in which corresponding threshold values (e.g. company size, number of users) will be defined. However, it is expected that significantly more companies will fall within the scope of application of the Draft BSI Act than under previous laws. For the energy sector, for example, it is expected that in addition to companies that generate, supply or regulate energy, the wider supply chain will also be covered.
In any case, Annex I of the NIS 2 Directive already provides a list of "critical facilities", which must accordingly also be reflected in the legal ordinance. Annex I No. 1 of the Directive identifies the energy sector as a sector with high criticality. The scope of application extends to the subsectors of electricity, district heating and cooling, oil, natural gas and hydrogen. The entities covered by these sub-sectors include, inter alia, certain electricity undertakings, network operators, system operators and supply undertakings.
Under the Draft BSI Act, the companies covered and their management bodies are subject to a number of obligations. These depend in detail on whether the company operates a "critical installation" or an "important" or "especially important facility". Certain companies in the energy industry are exempted from the risk management measures under section 30 and the reporting obligations under section 31 Draft BSI Act and are subject to sector-specific regulations (section 28 (8) Draft BSI Act).
All institutions are required to implement technical and organisational measures to protect their IT systems and processes. These measures shall be state of the art and shall adequately address the risk of potential damage, considering factors such as the size of the institution and potential security incidents. The primary responsibility for implementing and monitoring cybersecurity measures lies with the managing directors. They are also liable for breaches and should regularly participate in training (section 38 Draft BSI Act).
In the event of a security incident, the institutions must submit various reports to the Federal Office for Information Security (BSI), including an initial report within 24 hours and a detailed report within 72 hours, as well as a final report. Security incidents are defined as events that affect the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of services offered or accessible via information technology systems, components and processes (Section 2 (1) no. 37 Draft BSI Act).
Compliance with the security requirements must be regularly demonstrated to the BSI. In the event of security deficiencies, the BSI can demand corrective measures (section 34 Draft BSI Act). In addition, all institutions are obliged to register with the BSI and provide relevant information (sections 32, 33 Draft BSI Act). In the event of significant security incidents, they may be obliged to inform their customers about them (sections 35, 36 Draft BSI Act).
Mandatory |
Operator of |
Particularly |
Important |
Measures Risk Management section 30 Draft BSI Act |
+ |
+ |
+ |
Higher standards according to section 30 (3) Draft BSI Act |
+ |
||
Attack detection system section 39 Draft BSI Act |
+ |
||
Registration with the Federal Office for |
+ |
+ |
+ |
Reporting obligations section 31 Draft BSI Act |
+ |
+ |
+ |
Provision of evidence section 34 Draft BSI Act |
+ |
+ |
|
Exchange of information sections 35, 36 Draft BSI Act |
+ |
+ |
+ |
Responsibility of the |
+ |
+ |
+ |
The Federal Office for Information Security is responsible for verifying compliance with and enforcement of the aforementioned obligations (sections 62-65 Draft BSI Act). In doing so, it can directly influence the companies and take measures. These remain in force until the institution has complied with the authority's orders.
Non-compliance can result in severe fines (section 64 Draft BSI Act). According to the wording of the draft law, these can amount to up to twenty million euros or two percent of the total worldwide turnover of the company concerned in the previous business year.
The covered energy sector operators must, inter alia, take appropriate, proportionate and effective technical and organisational measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes they use to provide their services and to prevent or minimise the impact of security incidents on their services or on other services. The draft law is not yet final. However, the requirements are not expected to change fundamentally. Companies should therefore address the following topics:
11 December 2024
28 November 2024
by Dr. Christian Ertel, Dr. Markus Böhme, LL.M. (Nottingham)
11 November 2024
by Multiple authors
18 July 2024
by Dr. Patrick Vincent Zurheide, LL.M. (Aberdeen), Dr. Julia Wulff
11 July 2024
by Multiple authors
27 May 2024
Power Play: Renewable Energy Update
26 January 2024
Power Play: Renewable Energy Update
16 August 2023
Power Play: Renewable Energy Update
12 July 2021
Power Play: Renewable Energy Update
23 March 2021
Power Play: Renewable Energy Update
6 April 2021
Power Play: Renewable Energy Update
25 May 2021
Power Play: Renewable Energy Update
8 June 2021
Power Play: Renewable Energy Update
18 August 2021
Power Play: Renewable Energy Update
21 September 2021
by Olav Nemling
Power Play: Renewable Energy Update
2 December 2021
Power Play: Renewable Energy Update
11 January 2022
Power Play: Renewable Energy Update
14 February 2022
Power Play: Renewable Energy Update
15 March 2022
Power Play: Renewable Energy Update
27 April 2022
Power Play: Renewable Energy Update
5 May 2022
Power Play: Renewable Energy Update
12 July 2022
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E, Dr. Markus Böhme, LL.M. (Nottingham)
Power Play: Renewable Energy Update
12 April 2023
by Multiple authors
Power Play: Renewable Energy Update
6 July 2023
Power Play: Renewable Energy Update
1 September 2023
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E, Alexander Schmalenberger, LL.B.
Power Play: Renewable Energy Update
3 November 2023