NIS2 Directive: First insights into Germany's implementation of the EU cybersecurity act

Written By

natallia karniyevich module
Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

Like other Member States, Germany is now in the process of transposing the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) into local law. This task must be completed by 17 October 2024.

To recall, with the NIS2 Directive, certain types of entities in critical sectors such as energy, transport, banking, financial markets, health, drinking water, wastewater, and digital infrastructure (e.g., cloud computing service providers, data centre service providers, providers of public electronic communications networks, providers of publicly available electronic communications services) need to comply with cybersecurity requirements.

The first drafts of the German local implementation of this important piece of cybersecurity legislation (the so-called ‘NIS2 Implementation and Cybersecurity Strengthening Act’) provide for its entry into force on 1 October 2024 and a fundamental revision of the Act on the Federal Office for Information Security (the so-called ‘BSI Act’, in German: Gesetz über das Bundesamt für Sicherheit in der Informationstechnik). The 15 sections of the BSI Act are planned to be expanded to 65 sections.

Key elements

The key elements of the German draft of the NIS2 Implementation and Cybersecurity Strengthening Act are as follows: 

  • New categorisation of entities in scope: Following the approach of the NIS2 Directive, the draft of the German NIS2 implementing act introduces two new categories of organisations in scope of the new cybersecurity requirements – important entities and essential entities. Apparently to avoid misunderstandings as to which category is the more critical one, the draft uses the term ‘particularly important entities’ for essential entities. Similar to the current German approach, the types of entities falling under these new categories should be specified by means of an ordinance, but with a much broader scope of application (see our newsletter on the current German approach).
  • Adaption of the currently used terms and entities in scope: ‘Operators of critical infrastructure’ will become a subcategory of the ‘particularly important entities’ and will be referred to in the future as ‘operators of critical facilities’. The newly introduced term ‘companies in the special public interest’ (see our newsletter on this type of company in the scope of the BSI Act) will be removed with certain types of 'companies in the special public interest' reappearing as a subcategory of 'important entities'.
  • Specification of cybersecurity risk-management measures: In a departure from the current rather general ‘appropriate organisational and technical measures’, a catalogue of minimum requirements will be introduced for all operators and entities in scope of the NIS2 Implementation and Cybersecurity Strengthening Act. These include, among others, incident handling and disaster recovery processes, crisis management, supply chain security, vulnerability handling, access controls, cybersecurity training, as well as policies and procedures regarding the use of cryptography and encryption.
  • Obligation to provide evidence: For ‘particularly important entities’ there will be an additional requirement to demonstrate the effectiveness of these measures through audits/certificates, although this will probably not have to be done for the first time until 2026/2027.
  • Reporting requirements: The draft follows a graduated approach with respect to notification of significant incidents to the German Federal Office for Information Security (in German “Bundesamt für Sicherheit in der Informationstechnik”, “BSI”). In certain cases, entities will also have to notify the recipients of their services.
  • Governance: Management of the entities in scope will need to approve the cybersecurity risk-management measures taken by those entities and oversee their implementation. Managers who violate the aforementioned duties are liable to the entity for the damage incurred.
  • BSI exchange platform and information obligations: The draft provides for an information exchange managed by the BSI. ‘Particularly important entities’ will be required to participate in this information exchange.
  • Enforcement: The powers of the BSI are graded according to the categories of entities in scope. As a particularly strong means of enforcement, the BSI is given the possibility to relieve managing directors of ‘particularly important entities’ of their management duties if they do not comply with orders.
  • Administrative fines: In case of infringements of certain obligations, organisations within the scope of the German NIS2 implementing act may be subject to administrative fines of up to €10,000,000 or of a maximum of at least 2% (in the case of ‘particularly important entities’) and of up to €7,000,000 or of a maximum of at least 1.4 % (in the case of ‘important entities’) of the total worldwide annual turnover in the preceding financial year of the undertaking, to which the respective entity belongs.

Do you have questions about the NIS2 Directive, its local implementation in Germany or the impact of this and other cybersecurity acts (e.g., RCE Directive, Cyber Resilience Act, Cyber Solidary Act) on your business? Bird & Bird is ready to help you to carry out an assessment of the impact of the incoming legislation on your business and assist in preparing your compliance plan. 

For more information, please contact Dr. Natallia Karniyevich.

Sign up for our Connected newsletter for a monthly round-up from our Regulatory & Public Affairs team.

Tracking cybersecurity legislation

 RCE Directive  NISD2 Directive

RCE Directive Implementation Tracker

On 16 January 2023, the Directive on the resilience of critical entities (RCE Directive) came into force. In parallel to the NIS2 Directive, Member States are now in the process of transposing this important piece of cybersecurity-related legislation into their national law. The Bird & Bird RCE Directive Implementation Tracker provides essential information to help businesses to monitor the status of implementation into national law.

NISD 2 Tracker

On 16 January 2023, the Network and Information Security 2 (NIS2) Directive came into force. Member States are now in the process of transposing this important piece of cybersecurity legislation into their national law. The Bird & Bird NIS2 Directive Implementation Tracker provides essential information to help businesses to monitor the status of implementation into national law. 

 

 

 

 

Latest insights

More Insights
Aeroplane on tarmac

Women in Tech: At the forefront of innovation - Key takeaways from Andrea Wu, Urban-Air Port

Nov 27 2024

Read More
trees

Legislative Traffic Jam after the German Traffic Light Coalition Goes Dark

Nov 26 2024

Read More
featured image

Singapore’s Workplace Fairness Legislation – Key Features and Commentary

3 minutes Nov 22 2024

Read More