10-30-2024

The NIS2 Directive and its implementation in Germany

NIS2 Directive

The second Directive on Security of Network and Information Systems (NIS2 Directive, Directive (EU) 2022/2555) is a central component of the European cyber security strategy and serves to raise the level of cyber security in certain important and essential sectors. The affected companies and organizations must implement extensive requirements to protect their network and information systems. In particular, this includes implementing risk management measures and complying with legal incident reporting obligations.

Key Facts:

  • Subject-Matter and Objective: The NIS2 Directive contains far-reaching provisions for the security of network and information systems. The aim is to create a high common level of cybersecurity across the entire EU. The NIS2 Directive was adopted in December 2022 and had to be transposed into national law by October 17, 2024.
  • Implementation in Germany: The NIS2 Directive is being implemented into German law by means of the so-called NIS2 Implementation Act (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which will comprehensively amend or replace various laws, including the BSI Act (BSIG), the Energy Industry Act (EnWG) and the Telecommunications Act (TKG). The NIS2 Implementation Act is still in the legislative process and is not expected to come into force before March 2025. The law is expected to apply immediately upon coming into force, i.e. no transitional period will be granted.
  • Addressees: The new legal requirements apply to companies and organizations whose business activities fall within the legally defined sectors and that, depending on their business activities, meet the required thresholds in terms of number of employees or annual turnover and annual balance sheet total. Various types of entity are covered in certain important and essential sectors, including energy, transport and traffic, health, water supply, digital infrastructure and services, space, waste management, food production and processing, and research. Various companies in the manufacturing sector (e.g. mechanical engineering) are also included. In addition, certain types of entity are covered regardless of their size (e.g. qualified trust service providers, DNS service providers, top level domain name registries).
  • IT Risk Management: The affected addressees must implement various IT risk management measures. To this end, the legal requirements provide a catalog of minimum measures that must be adhered to. This includes measures in the following areas: backup management, emergency management, encryption, secure communication, access management, handling of vulnerabilities, and training. Certain providers of digital infrastructure and digital services (including DNS service providers, cloud computing service providers, data center service providers, managed service providers and managed security service providers, as well as providers of online marketplaces, online search engines and social networks) are subject to special requirements for ICT risk management, which are set out in a separate, detailed implementing regulation of the European Commission (Commission Implementing Regulation (EU) 2024/2690).
  • Supply Chain Security: A central element of IT risk management is the obligation to ensure security in the supply chain. The background to this requirement is the frequency of attacks on companies and organizations that exploit vulnerabilities in their suppliers and service providers (so-called supply chain attacks). An essential element in ensuring security in the supply chain is contractual agreements that govern the security-related aspects of the relationship with each service provider. Contractual clauses alone are not sufficient, however: the NIS2 Directive also expects entities to take into account the vulnerabilities specific to each direct supplier and the overall quality of the supplier's products and cybersecurity practices, i.e. to assess and monitor suppliers, not merely to bind them on paper.
  • Incident Management and Notification: The affected addressees must take measures to manage significant security incidents. They are also subject to strict legal requirements to report such incidents to the competent authorities under a phased reporting regime: an early warning must be submitted within 24 hours of becoming aware of the incident, the incident notification (main report) within 72 hours, and the final report no later than one month after the incident notification. If the incident is still ongoing at that point, a progress report is due instead, followed by the final report within one month of the incident being handled.
  • Critical Entities Regulation: The new BSI Act will also regulate the operators of so-called critical entities. The term "critical entities" replaces the current terminology of "critical infrastructures". Operators of critical entities are subject to even stricter requirements, including the implementation of systems for detecting attacks. Complementing the new BSI Act, the new KRITIS umbrella law (KRITIS-Dachgesetz), which is based on the CER Directive adopted at the same time as the NIS2 Directive, regulates the physical security and resilience of certain critical entities.
  • Management Responsibilities: The management of affected companies and organizations is responsible for ensuring compliance with the legal requirements stipulated in the NIS2 Directive, in particular for approving and overseeing the implementation of the IT risk management measures. If this duty is violated, management faces the risk of personal liability towards its own company. Likewise, management must regularly participate in cybersecurity training.
  • Supervision and Sanctions: The competent supervisory authorities can take far-reaching supervisory and enforcement measures in the event of violations, such as conducting audits and on-site inspections. They can also impose fines of up to EUR 10 million or 2% of the previous year's global annual turnover, whichever is higher, on essential entities; for important entities the maximum is EUR 7 million or 1.4% of global annual turnover.


Our Services include:

  • Assessing whether your company falls within the scope of the new NIS2 Implementation Act, including the new BSI Act and the other sector-specific legal acts (impact analysis).
  • Determining the need for implementation by comparing the applicable requirements with existing concepts, measures, processes and responsibilities within your company (GAP analysis).
  • Supporting the implementation of the new legal requirements, in particular the implementation of concepts, measures, processes and responsibilities.
  • Advising on conducting risk analysis and implementing IT risk management measures, including the implementation of information security management systems (ISMS).
  • Advising and training for management and IT security officers (e.g. ISO, CISO) in dealing with the new legal requirements of the NIS2 Directive and its implementation.
  • Advising on drafting and negotiating agreements with service providers and suppliers to ensure IT security within the supply chain.
Download as PDF