Update Data Protection No. 189
Cyber Resilience Act passed and NIS2 implementation in Germany on the home straight
The Cyber Resilience Act and the NIS2 Directive are two key legislative proposals for strengthening IT security in Germany and the EU.
Although the implementation of the NIS2 directive in Germany is still pending, its adoption by the German legislature is expected in the near future. Furthermore, the NIS2 Commission Implementing Regulation was adopted by the EU Commission last week. The Cyber Resilience Act was also adopted last week.
In this update, we will provide you with information on when the respective legal acts will come into force, who they will affect and what they will regulate.
The European Council adopts the Cyber Resilience Act
The Cyber Resilience Act (“CRA”) is the first European regulation to set minimum cybersecurity requirements for all connected products available on the EU market. The aim is to increase cybersecurity within the European Union. The new rules apply in all EU member states and are to be implemented by the addressees in stages.
Which products are covered by the CRA?
All products sold in the EU that contain “digital elements” must meet the requirements of the CRA. This includes low-priced consumer products, B2B software and complex high-end industrial systems. The CRA defines “products with digital elements” as products that can be connected to a device or a network. This includes both hardware products with connectable functions (e.g. smartphones, laptops, smart home products, smartwatches, networked toys, but also microprocessors, firewalls and smart meters) and pure software products (e.g. accounting software, computer games, mobile apps). Non-commercial open-source software products are exempt from the CRA and therefore do not have to meet the requirements of the CRA.
What does the CRA regulate?
With the entry into force of the CRA, manufacturers of products with digital elements are facing a new challenge: each of these products must now meet certain minimum cybersecurity requirements. Although this may initially seem complex, affected companies can build on what they already know. The CRA is based on the principles of the well-established CE marking. This is a considerable advantage for those manufacturers who are already familiar with the relevant verification procedures and apply them in their daily practice. They can use their experience to efficiently integrate the new requirements into their existing processes, thus facilitating the implementation of the CRA.
The main requirements of the CRA for manufacturers include:
- Cybersecurity in product development: A central aspect of the CRA is the integration of cybersecurity into the entire product development process. Manufacturers are now required to conduct a comprehensive risk assessment and actively address potential cybersecurity risks. The concept of “Secure by Design” is coming to the fore: connected products must be designed to be secure from the ground up. This means, for example, that data stored or transmitted must be encrypted and the attack surfaces minimized. Equally important is the “secure by default” approach. This means that the default settings of the products already ensure a high level of security. Weak default passwords are prohibited, and automatic security updates should be part of the basic configuration.
- SBOM: A new, important element is the creation of a Software Bill of Materials (SBOM). This detailed list of all software components used is mandatory to create, but does not have to be published.
- Conformity assessment: A declaration of conformity is required to demonstrate compliance with the CRA requirements. The exact assessment procedure depends on the respective product category, with a self-assessment by the manufacturer being sufficient for most products. It is important to note that most products affected by the CRA are considered standard products. Only particularly sensitive products such as password managers or firewalls are classified as “important” or “critical” products and are subject to stricter requirements.
- Vulnerability management and reporting requirements: Another key point of the CRA is proactive vulnerability management. A central reporting platform will be set up for this purpose, through which information on active vulnerabilities and serious security incidents can be shared. This should enable a quick and efficient response to potential threats.
- Product monitoring obligation: The responsibility of the manufacturer does not end with the sale of the product. Security updates must be provided and vulnerability management must be carried out throughout the entire support period, which is usually five years.
- Support measures for SMEs: Fortunately, the CRA provides for special support measures for small and medium-sized enterprises, micro-enterprises and start-ups. These include guidelines for implementation, helpdesks for reporting requirements, simplified technical documentation and the establishment of regulatory sandboxes to review products with digital elements.
In addition, other economic operators fall within the scope of the CRA, including distributors and importers. However, under the applicable regulatory system in product liability law, these operators are subject to different (lesser) obligations, including obligations to verify.
What are the next steps and when will the CRA apply?
After the adoption of the CRA, the formal execution and publication in the Official Journal of the EU will now follow in the next few weeks. 20 days after publication in the Official Journal, the CRA will then officially come into force. In terms of content, the CRA provides for a phased application of the individual requirements. While the CRA will become fully applicable after 36 months, i.e. probably at the end of 2027, some of the requirements will be applicable earlier.
Overall, it should be noted that while the CRA places a variety of new demands on companies, it also offers an opportunity to strengthen consumer trust in digital products and improve overall cybersecurity. With the right preparation and implementation, companies can meet this challenge while also strengthening their competitiveness in an increasingly digitalized world.
The current status of the implementation of the NIS2 Directive
Although the official deadline for implementing the NIS2 Directive already passed on October 17, 2024, the German legislature has not yet managed to pass the corresponding implementation law, the so-called NIS2 Implementation and Cybersecurity Strengthening Act (“NIS2 Implementation Act”). However, after several draft bills and government drafts, this is now also on the verge of finalization and adoption.
At the EU level, the NIS2 Commission Implementing Regulation was officially adopted this week. This specifies the risk management requirements and the cases in which a significant security incident exists for certain service providers (including DNS service providers, TLD name registries, cloud computing service providers, data center service providers, managed service providers, online marketplace providers, online search engines, and social network service platforms).
What does the NIS2 Implementation Act regulate?
The NIS2 Implementation Act transposes the EU-wide requirements of the NIS2 Directive into German law. It aims to significantly increase IT security in Germany by:
- Defining the group of companies and organizations affected: Not only critical infrastructures, but also many other companies will have to meet stricter security standards in the future.
- Imposing high IT security requirements: Companies must protect their IT systems better by implementing various technical and organizational measures and reviewing them regularly.
- Introducing stricter reporting requirements: Significant security incidents must be reported to the relevant authorities more quickly and in greater detail. In addition, there are further notification and information requirements in certain cases.
- Strengthening the responsibility of management: Management bears greater responsibility for implementing the new regulations and must regularly undergo training in the area of IT security.
In short, the NIS2 Implementation Act makes IT security mandatory for a large number of companies and organizations and ensures that Germany is better prepared to withstand cyberattacks in international comparison.
What are the requirements of the NIS2 Commission Implementing Regulation?
As already outlined in our previous update (see here), the NIS2 Commission Implementing Regulation contains, on the one hand, specifications as to when a significant – and thus notifiable – security incident exists for the individual service providers and, on the other hand, specifications of the risk management measures to be implemented to ensure IT security.
The requirements set out in the regulation can sometimes mean a great deal of work for the service providers concerned. For example, they must ensure that the defined thresholds are met when assessing a significant security incident. This requires that the affected service providers strictly monitor their IT systems and service levels. Otherwise, there is a risk of violating the reporting requirements.
Adherence to the prescribed risk management measures can also pose challenges for the service providers concerned: the NIS2 Commission Implementing Regulation contains a comprehensive catalog of technical and organizational measures that is based on measures from common international standards (e.g. ISO 27001), but sometimes contains different or additional requirements. This applies in particular to crisis management and business continuity.
Where do we currently stand and what needs to be done?
The NIS2 Implementation Act has already been introduced to the Bundestag. The first reading of the bill has also since taken place. The deliberations are in full swing. Further important milestones in the legislative process are planned with the hearing of the interior committee for early November and the further readings at the beginning of December 2024. As things stand, the NIS2 Implementation Act is then scheduled to come into force in March 2025.
What does this mean for your company?
For affected companies and organizations, this means that they should now take a close look at the new requirements of the NIS2 Implementation Act and initiate appropriate implementation. Companies and organizations that also fall within the scope of the NIS2 Commission Implementing Regulation must also comply with the special requirements set out therein.
The first step is to clarify whether the respective company or organization is subject to the NIS2 Implementation Act at all. The second step is to determine which obligations need to be implemented and which compliance gaps may exist. Any compliance gaps should be addressed and closed in a timely manner. The relevant requirements must be implemented by the time the NIS2 Implementation Act is expected to come into force in March 2025.
We would be happy to support you in this!