NIS2 implementation: New draft law from the German Ministry of the Interior

Strengthening IT security is the aim of the EU NIS2 Directive. Germany is starting to implement it – with delays and exceptions.

[Image: overhead power line] The proposed law is intended to better protect critical infrastructure and its surroundings. (Image: heise online / anw)

This article was originally published in German and has been automatically translated.

There is a new draft bill from the Federal Ministry of the Interior for the so-called Adaptation Act to the EU Network and Information Security Directive (NIS2) and to strengthen IT security. The main part of the "NIS-2 Implementation and Cybersecurity Strengthening Act" is the implementation of NIS2 into German administrative law. These regulations significantly expand the scope of application, i.e. the circle of those affected, to around 29,500 bodies in Germany, the ministry estimates.

The main difference from the previous regulations for critical infrastructures (KRITIS) is a holistic approach: all IT systems of facilities classified as critical are in principle subject to regulation, including accounting systems, for example. NIS2 also extends the reporting obligations in particular: an initial notification of an incident within 24 hours, followed by a more comprehensive notification after 72 hours at the latest.

The supervisory authority is to be the Federal Office for Information Security (BSI) in Bonn; the amendment also restructures the BSI Act accordingly. In addition, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsCG) sets out regulations for other sectors. Obligated companies that do not comply with these regulations must expect fines, some of which can be severe, and company management is to bear fundamental responsibility.

According to the draft bill, the BSI should also be able to intervene actively at almost all federal institutions in acute cases, up to and including disconnection from the network, which the draft describes as an extreme measure. As requested by the federal states, the municipalities in Germany, which have been hit by IT security incidents, are not to be obliged under NIS2 to improve their own protection. EU legislation has made such an exception possible, although its use is controversial.

The consultation of associations and federal states is now beginning for the so-called NIS2UmsCG. The draft bill is the preliminary stage to the cabinet version, which will then be submitted to the German Bundestag and Bundesrat for consultation and, if necessary, amendment and adoption following a decision by the Federal Government.

The Federal Ministry of the Interior already sent a discussion version to the federal states and associations last summer, so a shorter consultation period now seems possible. Despite the long lead time, the law will be delayed in any case: the NIS2 Directive was supposed to be implemented in all EU member states by October 17, 2024, a deadline Germany can no longer meet. Germany is in the company of other EU member states that will also not implement the directive on time.

(ds)