4 September 2023
Cyber security – weathering the cyber storms – 6 of 6 Publications
At the end of 2022, the EU adopted important rules to protect network and information security in so-called "critical sectors" with the "NIS2" directive. Its aim is to strengthen the protection of certain facilities and services against cyber threats. In Germany, the directive is implemented by the NIS 2 Implementation and Cybersecurity Strengthening Act (German). The draft law goes beyond the EU requirements and thus brings numerous innovations to national cyber security law.
The draft NIS 2 Implementation and Cybersecurity Strengthening Act is to be adopted by mid-2024. The obligations it entails are to apply from 1 October 2024.
Significantly more companies than before will be included in the IT security regime through the core piece of the draft NIS 2 Implementation and Cybersecurity Strengthening Act - the amendment of the BSI Act. A distinction is made between "important" and "particularly important facilities" as well as "critical installations" (cf. section 28 (3), (6), (7) Draft BSI Act). All covered entities must fulfil a number of obligations.
All companies operating in the following sectors must expect to be included in the new security regime (cf. section 57 (1) Draft BSI Act):
Which companies will be specifically covered can only be conclusively determined after the issuance of a supplementary regulation in which corresponding threshold values (e.g. company size, number of users) are defined.
However, Annex I of the NIS 2 Directive already provides a list of entities which will definitely be covered.
Category | Company size | Activity sectors
--- | --- | ---
Particularly important (section 28 (6) Draft BSI Act) | Large companies (> 250 employees or > EUR 50 million turnover and > EUR 43 million annual balance sheet total) | Energy, transport and traffic, finance and insurance, health care, drinking water, waste water, information technology and telecommunications, ICT services, space
| Large or medium-sized enterprises (50-249 employees and < EUR 50 million turnover or < EUR 43 million annual balance sheet total, or up to 49 employees and EUR 10-50 million turnover and EUR 10-43 million balance sheet total) | Providers of public TC networks and TC services
| irrelevant | Qualified trust services, TLD registries, DNS services
| irrelevant | Operators of critical installations yet to be defined via the upcoming Regulation
| irrelevant | Central government (federal ministries and Federal Chancellery)
Important (section 28 (7) Draft BSI Act) | Medium-sized companies | Energy, transport and traffic, finance and insurance, health care, drinking water, waste water, information technology and telecommunications, ICT services, space
| Large or medium-sized enterprises | Logistics, municipal waste management, production, chemicals, food, manufacturing, digital services, research
| irrelevant | Trust services
| irrelevant | Manufacturers of defence equipment and security IT for classified information
| irrelevant | Companies that produce, process and store certain especially hazardous substances in an operational area, i.e. chemical groups, manufacturing companies, warehouses and storage facilities, etc.
Under the Draft BSI Act, the companies covered and their management bodies are subject to a number of obligations. Which obligations apply in detail depends on whether the company is a "critical installation", an "important facility" or a "particularly important facility".
All institutions are required to implement technical and organisational measures to protect their IT systems and processes. These measures shall be state of the art and shall adequately address the risk of potential damage, considering factors such as the size of the institution and potential security incidents. The primary responsibility for implementing and monitoring cybersecurity measures lies with the managing directors. They are also liable for breaches and should regularly participate in training (section 38 Draft BSI Act).
In the event of a security incident, the institutions must submit various reports to the Federal Office for Information Security, including an initial report within 24 hours and a detailed report within 72 hours, as well as a final report. Security incidents are defined as events that impair the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed or of services offered or accessible via information technology systems, components and processes (section 2 (1) no. 37 Draft BSI Act).
Compliance with the security requirements must be demonstrated to the Federal Office for Information Security at regular intervals. In the event of security deficiencies, the Office may require operators of critical installations and particularly important facilities to take corrective measures (section 34 Draft BSI Act). In addition, all facilities are required to register with the Office and provide the relevant information (sections 32, 33 Draft BSI Act). In the event of significant security incidents, they may be obliged to inform their customers (sections 35, 36 Draft BSI Act).
Mandatory | Operators of critical installations | Particularly important facilities | Important facilities
--- | --- | --- | ---
Risk management measures (section 30 Draft BSI Act) | + | + | +
Higher standards according to section 30 (3) Draft BSI Act | + | |
Attack detection system (section 39 Draft BSI Act) | + | |
Registration with the Federal Office for Information Security (sections 32, 33 Draft BSI Act) | + | + | +
Reporting obligations (section 31 Draft BSI Act) | + | + | +
Provision of evidence (section 34 Draft BSI Act) | + | + |
Exchange of information (sections 35, 36 Draft BSI Act) | + | + | +
Responsibility of the management bodies (section 38 Draft BSI Act) | + | + | +
The Federal Office for Information Security is responsible for verifying compliance with, and enforcing, the aforementioned obligations (sections 62-65 Draft BSI Act). To this end, it can act directly against the companies concerned and order measures, which remain in force until the institution has complied with the authority's orders.
Non-compliance can result in severe fines (section 64 Draft BSI Act). According to the wording of the draft law, these can amount to up to twenty million euros or two percent of the total worldwide turnover of the company concerned in the previous business year.
Important facilities, particularly important facilities and operators of critical installations must, among other things, take appropriate, proportionate and effective technical and organisational measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes they use to provide their services, and to prevent or minimise the impact of security incidents on their own services or on other services. The draft law is not yet final, but the requirements are not expected to change fundamentally. Companies should therefore address the following topics:
Paul Voigt and Alexander Schmalenberger look at Germany's progress on NIS2 implementation.
4 September 2023
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E, Alexander Schmalenberger, LL.B.