NIS2 Implementation Act between German federalism and global politics

The Ministry of the Interior has been working on the NIS2 Implementation Act for over a year. The parliamentarians are already scrambling to tighten it up.


(Image: dpa, Oliver Berg)

By Falk Steiner
This article was originally published in German and has been automatically translated.

Like all EU member states, Germany must transpose the NIS2 directive "for a high common level of cybersecurity across the Union" into national law. However, it will still take some time before implementation. The new draft bill for the NIS2 Implementation and Cyber Strengthening Act from the Federal Ministry of the Interior will not go to the cabinet until the summer at the earliest. A hearing of associations by the BMI is planned for the beginning of June, with the deadline for comments running until the end of May. The final fine-tuning could then be carried out.

The current version, which has already been agreed in advance with the other ministries and is therefore intended as a template for a cabinet referral in the near future, will therefore not make it into the Bundestag's deliberations until shortly before the summer break at the earliest.

Criticism of the procedure comes from the IT industry association Bitkom: "In view of existing progress in other member states, we are currently risking the goal of a harmonized legal framework in the EU," says Felix Kuhlenkamp, spokesperson for security policy. Many EU member states are currently still behind schedule in terms of implementation, with only Hungary having already transposed NIS2 into law at the beginning of the year. Unlike a regulation at EU level, the NIS2 Directive only provides for a minimum level: Member States may go beyond this, provided that this does not conflict with other EU law - for example, more specific regulations such as those for the financial sector.

The further delay is also causing little enthusiasm in the Bundestag. Konstantin von Notz, the deputy leader of the Green parliamentary group and chairman of the parliamentary oversight committee for the intelligence services, says it is good that the new draft is available. The law was long overdue: "Unfortunately, the timetable for further parliamentary deliberations is now extremely ambitious considering the implementation deadlines set by the EU." FDP interior politician Manuel Höferlin is a little more cautious, pointing out that some of the regulatory content had already been agreed in the coalition agreement. Actually, all European transpositions and thus also the German transposition law should already be in force by October 17.

Above all, the German "NIS2UmsuCG" must transpose the directive into German law successfully, demands Bitkom spokesperson Kuhlenkamp: "The new draft must ensure that companies in Germany have the necessary legal certainty to implement the numerous new requirements and obligations." Compared with earlier proposals from the Federal Ministry of the Interior, the new version does contain some clarifications and sharper delimitations in its definitions. For example, the definition of data centers has been adapted and narrowed in the updated draft. The BSI would only have to inform the data protection supervisory authorities about incidents if a breach of personal data protection under the GDPR is "obvious".

The current version clarifies that operators of critical facilities are always "particularly important facilities" within the meaning of NIS2 implementation according to the still pending Critical Infrastructure Umbrella Act, which contains regulations on the physical security of critical infrastructures. Here, the Federal Ministry of the Interior wants to avoid unintentional gaps in protection.

While the professional associations are mainly looking at the aspects that affect them, there have been some heated discussions in recent months between and within the ministries and at federal, state and municipal level. Earlier versions had already made clear that local authorities would be explicitly excluded from the project. The federal states had raised constitutional concerns and therefore demanded the use of a corresponding clause in the EU directive. This is because NIS2 obliges not only operators of critical infrastructure but also public institutions to improve their IT security - in Germany, however, only the federal government will be obliged to do so in the next step. In future, federal bodies will have to protect their networks and IT in accordance with BSI baseline protection and minimum standards to be defined by the BSI. This further specifies what is already laid down in the existing BSI Act.

The new draft excludes the Gesellschaft für Telematik (Gematik) as well as data centers, cloud computing services and trust service providers from the scope of NIS2 implementation. Other bodies are also excluded if they belong to regional authorities other than the federal government, do not work for the federal government in return for payment, and are already regulated under state law. In other words, the federal government shifts regulation to the federal states even where their IT service providers also work for the federal government.

The Federal Foreign Office, Federal Ministry of Defense and Federal Armed Forces, Federal Intelligence Service and Federal Office for the Protection of the Constitution are also largely exempt. For the Foreign Ministry, however, a separate security regulation is to be created that prescribes protection equivalent to the NIS2 regulations.

To ensure that this is actually implemented at the federal level, not only is a responsible person to be appointed in each department, but a Federal Information Security Officer (Federal CISO) is also to be introduced. According to the draft, this person could also directly order IT measures in certain urgent situations. However, it is still unclear who would actually fill this role: because of the far-reaching powers to act within the business areas of the respective ministries, this is also a politically sensitive task.

The same applies to the question of vulnerability management. It is highly controversial whether the reporting of security vulnerabilities to providers should also include reports from the security apparatus. The draft from the Federal Ministry of the Interior falls noticeably short of the requirements set out in the coalition agreement. FDP politician Manuel Höferlin is therefore calling for "effective vulnerability management in which vulnerabilities are closed as quickly as possible instead of being kept open and the IT systems of all government agencies are regularly subjected to external penetration tests." There would therefore still be room for improvement in the parliamentary process.

However, it is foreseeable that Section 41, which has remained almost unchanged in the draft bills since December, will receive particular attention in the subsequent debate: critical components. The prohibition of the use of critical components has been the subject of intense debate for years. The previous regulation in the BSI Act only applied to publicly accessible mobile networks - not to the fixed network and not to other communication infrastructures.

With the German NIS2 implementation, this regulation is to be extended to any first-time use of ICT products in critical infrastructures as a whole, in order to protect against suppliers or countries of origin that are deemed politically unreliable. Manufacturers must declare that they have no malicious intent and do not serve any foreign powers. The Ministry of the Interior and its subordinate authorities will then check whether this declaration is credible. In other words, a switch or an edge router in a 5G campus network could then also be banned by the Federal Ministry of the Interior.

It will be interesting to see how the Bundestag behaves here: While the German government is holding back somewhat on the politically slippery slope of dependence on China, MPs in the Bundestag are less bound by it. He wants to tighten up the law, says Green MP von Notz, "especially when it comes to dealing with critical components." The goal for him is clear: "The fewer components from providers from authoritarian states that are installed in our critical infrastructures, the better." The mistakes of the past of becoming overly dependent on authoritarian states should not be repeated.

In practice, the proposed approach threatens to cause a number of problems: according to the legal text, operators of critical systems must wait two months to see whether the BMI prohibits them from using a component for the first time. After that, the component is automatically considered approved. It remains completely unclear how great the administrative effort will be in reality, and what depth of testing is then realistic. It is also unclear what happens if an operator points to a possible lack of alternatives. What the procedure should achieve in any case is a better overview of the components in use and their manufacturers. The possible consequences of this remain primarily a political question - in extreme cases, however, it would create a legal authority to ban the components of a particular manufacturer nationwide throughout the critical infrastructure.

(jam)