Update Data Protection No. 183
NIS2 Directive: Update on the German Implementation Act
Following the publication of several draft bills for the NIS2 Implementation and Cyber Security Strengthening Act (“NIS2UmsuCG”) by the Federal Ministry of the Interior and for Home Affairs (“BMI”) in recent months, the first cabinet version of the NIS2UmsuCG was finally adopted on July 24, 2024 (available here). Although the legislative process has now picked up speed again, implementation into national law by the October 17, 2024 deadline still seems questionable. The main changes in the government draft and the corresponding recommendations for action are presented below.
1. The main innovations in the government draft of the NIS2UmsuCG
Like the BMI's fourth draft bill of June 24, 2024 (available here), the new government draft contains mainly editorial and linguistic adjustments. The relevant provisions in the planned BSI Act (“BSIG-new”), in particular on IT risk management and the reporting of significant security incidents, remain unchanged in substance. The provisions on the scope of duties and the liability of the management of the companies concerned, which have been the subject of much controversy and have been amended several times to date, also remain unchanged.
However, there are substantive changes for operators of energy supply networks and energy systems as well as for operators of public telecommunications networks and providers of publicly accessible telecommunications services. Insofar as these are generally covered by the BSIG-new as important or particularly important entities, the already extensive exemptions have been extended once again. For example, the aforementioned companies in the telecommunications and energy sectors are now also explicitly excluded from the supervisory and enforcement powers of the BSI under Sections 61 and 62 BSIG-new. This leaves only a very narrow scope of application of the BSIG-new for these companies (essentially the registration obligations with the BSI).
Instead, the main regulatory content for these companies is contained in the Telecommunications Act (“TKG-new”) and the Energy Industry Act (“EnWG-new”), both of which are amended by the NIS2UmsuCG. Mirroring the broad exemptions in the BSIG-new, the government draft provides for various adjustments in these two laws. In particular, both the TKG-new and the EnWG-new now supplement the duties and liability requirements of the management in line with the provisions of the BSIG-new (see Section 165 (2b)-(2d) TKG-new and Section 5c (9)-(11) EnWG-new). Accordingly, the management is obliged to implement and monitor the security requirements and to participate in training courses, and is liable to its company under company law for any culpably caused damage. As outlined in our last update (see here), the provisions on the scope of duties and liability of the management in the BSIG-new were significantly amended again in the latest draft bill. These changes have now also found their way into the TKG-new and EnWG-new. They likewise refer explicitly to a “duty of implementation” on the part of the management which, read strictly, requires the IT risk management measures to be carried out by the management itself rather than merely approved by it after being prepared by specialists. The hoped-for adjustment of the wording, intended to avoid jeopardizing the quality of IT risk management measures through an implementation obligation on the part of management, has therefore not only failed to materialize but has been extended further through the amendments to the TKG and EnWG.
The government draft also contains minor innovations, such as an adjustment to the requirements for federal administration entities under Section 44 BSIG-new and an exemption for hospitals within the meaning of Section 108 SGB V, which can only be required to submit proof of compliance with their IT security obligations after five years instead of three.
Otherwise, there are no major changes, and the existing uncertainties remain. Business associations criticize the fact that different rules will continue to apply to the companies concerned across the individual EU member states. In practice, this is a particular problem for international companies whose subsidiaries operate in several EU member states.
The obligation under Section 41 BSIG-new to notify the Federal Ministry of the Interior and Home Affairs of the first use of a critical component before it is put into use also remains unchanged. Business associations regard this procedure as overburdening the ministry (in terms of personnel) on the one hand and as a legal and economic risk due to increased bureaucracy on the other.
2. Outlook and recommendations for action
It remains to be seen whether and to what extent further changes will be made to the current government draft in the subsequent legislative process. However, in view of the minimal changes in the government draft compared to the last draft bill, this is rather doubtful. It is therefore likely that any ambiguities will only be clarified by case law.
Before the NIS2UmsuCG can come into force, it must first go through the parliamentary legislative process. Due to the ongoing summer break, the Bundesrat and Bundestag are not expected to deal with the content until September. In addition, initial requests for amendments to the government draft have already been expressed by members of parliament. As things stand at present, it is therefore unlikely that the NIS2UmsuCG will be adopted by October 17, 2024. Adoption in the first quarter of 2025 seems more realistic.
Nevertheless, companies should start looking at the NIS2UmsuCG now. The NIS2UmsuCG does not provide for a transition phase after it comes into force. As a first step, companies should therefore check whether they are affected by the NIS2UmsuCG.
To help with this, the BSI offers a tool for checking whether a company is affected by NIS 2 and an FAQ with answers to frequently asked questions (available here). These provide an initial overview of the upcoming obligations. At the same time, depending on a company's business activities, a more detailed assessment of the extent to which it is affected may be necessary. A precise assessment of the (potentially) relevant sectors is particularly important for companies with a broad range of business activities. Great care should also be taken when calculating the relevant company thresholds, namely the number of employees, annual turnover and annual balance sheet total, especially within corporate groups (more on this here).
After completing the impact assessment, companies should carry out an inventory of the existing network and IT infrastructure, including the existing security infrastructure, and compare it with the requirements in the NIS2UmsuCG. If gaps are identified during this assessment, these must be closed promptly due to the lack of a transition period. Depending on the maturity of the existing security infrastructure, closing these gaps can be a considerable challenge.
We support companies with both the impact analysis and the implementation of the requirements in the NIS2UmsuCG. Our experts are always available for an exchange.