Update Data Protection No. 180
NIS2 Directive: Update on the German Implementation Act and the new EU Implementing Regulation
The NIS2 Directive continues to cast its shadow: it must be transposed into national law by October 17, 2024, and it is currently uncertain whether the German legislator will meet this deadline. On June 24, 2024, the Federal Ministry of the Interior at least published a current draft bill for the German NIS2 Implementation Act (accessible here). The EU Commission has also published a first draft of a NIS2 implementing regulation, which sets out specific requirements for certain categories of service providers (accessible here).
1. The current draft of the NIS2 Implementation Act: Only a few innovations
The current draft bill contains a large number of editorial and linguistic adjustments, particularly in the new BSI Act ("BSIG-new"). For example, the scope of the BSIG-new for telecommunications providers and operators of energy supply networks and energy systems has been clarified: these are now primarily subject to the IT risk management requirements and reporting obligations in the German Telecommunications Act (TKG) and the German Energy Industry Act (EnWG).
The substantive changes primarily concern the responsibility and liability of the management bodies of affected companies. The draft bill now stipulates that the management bodies must "implement" the legally prescribed IT risk management measures. Read literally, such an implementation obligation would mean that the management bodies must not merely approve the implementation of the risk management measures but carry them out themselves. The task of management, however, is the strategic planning, direction and control of the company's activities; in practice, the implementation of IT risk management measures is largely driven by those responsible for security (e.g. information security officers). It can therefore be expected that the quality of risk management measures in the company would decrease rather than increase if management were directly obliged to implement them, as the current draft provides. It is to be hoped that this change will be reversed and that management bodies will only be obliged to approve and monitor the implementation of the IT risk management measures to be taken.
The new obligation of management bodies to regularly participate in training to acquire knowledge and skills for identifying and assessing risks and for information security risk management practices (Section 38 (3) BSIG-new) remains unchanged. Infringements are not themselves subject to fines. However, under Section 64 BSIG-new the authorities can order external audits of particularly important institutions to determine whether the management has regularly participated in training, and if the management refuses to take part in training despite being set a deadline, the authorities may even temporarily prohibit it from carrying out its activities under Section 63 (9) BSIG-new.
The liability provisions, by contrast, have been completely revised. The previous rules, under which a settlement of or waiver of recourse claims against the management was generally inadmissible, have been deleted. Instead, it is now expressly provided that the management is liable to the company with its private assets for a culpable breach of its duties in accordance with the applicable provisions of company law (e.g. Section 43 GmbHG or Section 93 AktG). Where company law does not provide for liability, liability is to be governed by the BSIG-new itself. However, the BSIG-new contains no explicit liability provision for management bodies, so the envisaged rule is likely to run empty or, in case of doubt, will require clarification by the courts. Here, too, it is to be hoped that the legislator will make improvements.
2. The new NIS2 Implementing Regulation: Extensive requirements for certain service providers
The draft NIS2 Implementing Regulation ("NIS2-IR") is aimed at DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers and managed security service providers, providers of online marketplaces, online search engines and social networking platforms, as well as trust service providers.
In terms of content, the NIS2-IR specifies, on the one hand, when a security incident is significant, and therefore reportable, for each of these service providers and, on the other hand, details of the IT risk management measures to be implemented.
The criteria for the significance of a security incident are in part very far-reaching. For example, an incident is deemed significant if it has caused or may cause financial loss to the entity concerned exceeding EUR 100,000 or 5% of the entity's annual turnover, whichever is lower.
In addition, there are sector-specific significance thresholds for the individual service providers. For cloud computing providers, for example, a security incident is deemed significant if the cloud computing service is completely unavailable for more than 10 minutes, or if the agreed service level is not maintained for more than 5% of users for a period of more than one hour. Comparably strict thresholds apply to other service providers, such as data center service providers and managed service providers.
In practice, this means that the service providers covered must monitor their IT systems and service levels closely enough to detect when a threshold set out in the NIS2-IR is crossed. Otherwise they risk breaching the statutory reporting obligations, which require an initial notification (early warning) within 24 hours of becoming aware of a significant security incident.
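The following is an added illustration, not part of the original newsletter and not code from any authority or vendor, of how a cloud provider's monitoring might evaluate the thresholds described above. It turns the cloud-specific criteria (complete unavailability for more than 10 minutes; agreed service level not met for more than 5% of users for more than one hour) and the general financial-loss criterion (more than EUR 100,000 or 5% of annual turnover, whichever is lower) into a check over a series of availability samples, and derives the 24-hour early-warning deadline from the time of awareness. The sample data, the one-minute probe interval, the field names and the assumption that a run of n consecutive samples covers n intervals are all constructed for the example; the threshold values are taken from the text's summary of the draft and should be verified against the final regulation before being relied on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List

# Threshold values as summarised in the text for the draft NIS2-IR (verify against
# the adopted text before use).
FINANCIAL_LOSS_ABS_EUR = 100_000
FINANCIAL_LOSS_TURNOVER_SHARE = 0.05
CLOUD_FULL_OUTAGE_MAX = timedelta(minutes=10)
CLOUD_SLA_USER_SHARE = 0.05
CLOUD_SLA_BREACH_MAX = timedelta(hours=1)
EARLY_WARNING_WINDOW = timedelta(hours=24)


@dataclass
class Sample:
    """One monitoring sample (constructed schema, not from any real product)."""
    ts: datetime
    available: bool          # the service answered health probes at all
    users_below_sla: float   # share of users for whom the agreed service level was not met


def financial_threshold_eur(annual_turnover_eur: float) -> float:
    """EUR 100,000 or 5% of annual turnover, whichever is lower."""
    return min(FINANCIAL_LOSS_ABS_EUR, FINANCIAL_LOSS_TURNOVER_SHARE * annual_turnover_eur)


def longest_run(samples: List[Sample], predicate: Callable[[Sample], bool],
                interval: timedelta) -> timedelta:
    """Longest contiguous stretch during which `predicate` holds.

    Assumption: samples are evenly spaced by `interval`, so a run of n consecutive
    matching samples is counted as lasting n * interval.
    """
    best = cur = 0
    for s in samples:
        cur = cur + 1 if predicate(s) else 0
        best = max(best, cur)
    return best * interval


def assess_cloud_incident(samples: List[Sample], interval: timedelta,
                          direct_loss_eur: float, annual_turnover_eur: float,
                          awareness: datetime) -> dict:
    """Decide whether an incident crosses the significance thresholds and, if so,
    when the 24-hour early warning is due."""
    reasons = []

    outage = longest_run(samples, lambda s: not s.available, interval)
    if outage > CLOUD_FULL_OUTAGE_MAX:
        reasons.append(f"complete unavailability for {outage} (> 10 minutes)")

    # A complete outage also means the agreed service level is not met, so the
    # constructed data records users_below_sla = 1.0 for unavailable samples.
    sla_breach = longest_run(samples, lambda s: s.users_below_sla > CLOUD_SLA_USER_SHARE, interval)
    if sla_breach > CLOUD_SLA_BREACH_MAX:
        reasons.append(f"agreed service level not met for > 5% of users for {sla_breach} (> 1 hour)")

    limit = financial_threshold_eur(annual_turnover_eur)
    if direct_loss_eur > limit:
        reasons.append(f"direct financial loss EUR {direct_loss_eur:,.0f} exceeds EUR {limit:,.0f}")

    significant = bool(reasons)
    return {
        "significant": significant,
        "reasons": reasons,
        "early_warning_deadline": awareness + EARLY_WARNING_WINDOW if significant else None,
    }


def constructed_samples(start: datetime, spec, interval=timedelta(minutes=1)) -> List[Sample]:
    """Build evenly spaced samples from (count, available, users_below_sla) tuples."""
    out, t = [], start
    for count, available, share in spec:
        for _ in range(count):
            out.append(Sample(t, available, share))
            t += interval
    return out


if __name__ == "__main__":
    start = datetime(2024, 7, 1, 9, 0)
    # Constructed scenario: 12 minutes fully down, then healthy.
    samples = constructed_samples(start, [(12, False, 1.0), (30, True, 0.0)])
    result = assess_cloud_incident(samples, timedelta(minutes=1), 0, 2_000_000, awareness=start)
    print(result)
```

A real deployment would feed the check from the provider's availability and SLA telemetry at the granularity needed to resolve the 10-minute boundary, and would treat the early-warning deadline as the trigger for the incident process rather than the point at which to start it.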
With regard to the IT risk management measures, the NIS2-IR contains a comprehensive catalog of technical and organizational measures. In terms of content, the catalog is based on common international standards (e.g. ISO 27001), but in places sets different priorities (e.g. in crisis management and business continuity) and in some cases goes beyond the requirements of the respective standards. Cyber hygiene, on the other hand, is still not specified in detail; here the NIS2-IR remains very brief. Overall, the NIS2-IR contains useful specifications, so it is generally advisable even for companies not directly covered by it to use its catalog of measures as a benchmark when implementing the (general) IT risk management requirements (see Section 30 BSIG-new).
3. Outlook and recommendations for action
The Ministry of the Interior has asked the associations to comment on the current draft bill of the NIS2 Implementation Act by mid-July. The Ministry is then expected to finalize the draft and refer it to parliament. As part of our activities in the German Federal Association for IT Security (TeleTrusT), our experts are directly involved in the legislative process at association level and will keep our readers up to date.
The draft NIS2-IR is also still open for public consultation until July 25, 2024. Unlike the NIS2 Implementation Act, however, the NIS2-IR is expected to be adopted by the EU Commission in the near future.
Since the NIS2 Implementation Act has not yet been finally adopted, many companies are asking to what extent they should already be working on implementing the legal requirements. A recently published survey of 875 European IT managers by the US company Zscaler Inc. shows that currently only around 14% of the companies concerned say they already comply with the NIS2 requirements. Further changes in the legislative process cannot be ruled out. However, given the minimal changes in the current draft bill, comprehensive changes are unlikely; selective adjustments are more probable. The responsibility and liability of management certainly remains contested. The central requirements of the NIS2 Implementation Act, on the other hand, namely the implementation of IT risk management measures and the reporting of security incidents, are unlikely to change much.
The affected companies should therefore not sit back. On the contrary: companies are advised to engage intensively with the NIS2 Directive, the NIS2 Implementation Act and the NIS2-IR now, by checking whether and how they are affected and taking stock of their current IT security organization, in particular existing security measures and processes. Gaps identified in this inventory should then be closed quickly. Depending on the maturity of the IT security organization, this can involve considerable effort.