NIS-2 is getting closer: cybered away by the state or completely secured?

The Bundestag's summary of the NIS2 hearing is entitled "Expert criticism of the planned implementation of the NIS-2 Directive". Rightly so, says Manuel Atug.

(Image: several red projections of security locks in a row, a magnifying glass on the left. JLStock/Shutterstock.com, editing: heise online)

By Manuel Atug

Following the Federal Chancellor's announcement that he would call a vote of confidence, many legislative projects have been put on ice. In the case of the EU NIS 2 Directive, however, there is still broad cross-party agreement that national implementation is urgently needed. In the Tagesspiegel Background, Daniela Kluckert – former State Secretary in the BMDV – assured the FDP of constructive cooperation despite the changed situation.

Even before the hearing on November 4, 2024, the high standards of the European NIS-2 Directive, which in its German implementation is called the "Act on the Implementation of the NIS-2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration (NIS-2 Implementation and Cybersecurity Strengthening Act)", or NIS2UmsuCG for short, were already presented as a "patchwork quilt" in an audit report by the Federal Audit Office. Nevertheless, the Bundesrat had nothing to say about this and wordlessly waved the bill through in 1 minute and 1 second. Many bodies signaled that they would push the bill through.

Manuel Atug

Manuel "HonkHase" Atug is a cyber security expert focusing on the protection of critical infrastructures and works as a consultant and auditor. He is the founder and spokesperson of the independent AG KRITIS.

Both the hearing and the comments submitted are worthwhile if you want to get an overview of the desolate state of cyber security in Germany. But beware, it doesn't put you in a good mood. The experts were also of one mind, though mainly in that Germany is completely inadequately protected by this legislation. There was also unanimous agreement that the law should be passed quickly so that we can make any progress at all. At least among those who were allowed to attend. Some experts noted that the Federal Commissioner for Data Protection and Freedom of Information, Louisa Specht-Riemenschneider, was not even invited to the hearing. Criticism, including from this side, is apparently unwelcome.


Other sideshows such as so-called vulnerability management, i.e. managing vulnerabilities instead of closing them, were also addressed. This originates from the coalition agreement, was even debated in the "BSI working group" and should also be included in the law, but a solution is still pending. So the gamble for our cyber security continues behind the scenes. And if we are unlucky, the whole thing will only be integrated at the last minute and then quickly approved.

Above all, the experts criticized the extensive exemptions for state administrations and sectors at all levels. This criticism actually comes from all corners of the country, but continues to go unanswered by the Federal Government and the Federal Ministry of the Interior. The independent KRITIS working group has also explained this in detail in its statement:

"As a result, the administration of the federal government in particular is again subject to numerous special regulations and the administrations at municipal and federal state level are completely left out and not addressed at all. This is no longer comprehensible in view of the many and sometimes very far-reaching cyber security incidents such as the district of Anhalt-Bitterfeld or SIT.NRW (over 100 municipalities were affected for months and were effectively unable to act!). Obviously, the investment backlog that has been cultivated for decades is to be maintained."

Malicious tongues have already been wagging that this is not an investment backlog, as this would have required investments to be made in the first place.

In the exemption provision of Section 37, a large part of the functioning of a sovereign state is completely excluded. The Federal Ministry of the Interior, the Federal Chancellery, the Federal Ministry of Justice, the Ministry of Defense, the Federal Ministry of Finance and the interior ministries of the federal states can exempt particularly important facilities or important facilities from this law in whole or in part.

All entities that are active or provide services in the areas of national security, public security, defense or law enforcement, including the prevention, investigation, detection and prosecution of criminal offenses (relevant areas) may also be exempted from the risk management measures under Section 30 and the reporting obligations under Section 32.

And all entities that work or provide services exclusively for authorities that perform tasks in relevant areas can also be exempted from the risk management measures under Section 30 and the reporting obligations under Section 32.

In keeping with tradition (IT-SiG 1.0 and IT-SiG 2.0), large parts of the state and administration sector (including all 11,500 local authorities and around 300 districts) will continue to be kept out of the loop when it comes to cyber security.

The Kritis-Dachgesetz (KritisDG) for the physical protection of critical infrastructures, itself currently at the draft stage, has not been well harmonized with the draft legislation of the NIS2UmsuCG. For example, Section 22 of the KritisDG currently excludes pretty much everything that can be excluded:

"Operators of critical facilities that

  1. are active in the areas of national security, public security, defense or law enforcement, including the investigation, detection and prosecution of criminal offenses, or
  2. work for authorities performing tasks in the areas referred to in point 1,

may be exempted from the obligations [...] for these activities."

Incidentally, the KritisDG currently only defines "federal administrative bodies" as "the Federal Chancellery, the federal ministries and the Federal Government Commissioner for Culture and the Media". That will have to do.

The proposed legislation on the physical security of critical infrastructures therefore also requires a comprehensive revision.

But back to the NIS2UmsuCG. We note that, according to the current draft version, we are apparently only implementing the cyber security measures enforced by the EU for Germany in a minimalist manner (1:1 implementation) and avoiding any further possibility of cyber resilience or cyber security strengthening.

In general, the role of the Federal Office for Information Security (BSI) remains a contentious issue. The BSI is gradually being torn apart by conflicts of interest. On the one hand, the coalition agreement states that the BSI should become more independent. On the other hand, the BMI apparently does not want to budge on this point and relinquish power. The Federal CISO could be placed within the BSI. Ideally, however, this would also be independent of the Federal Ministry of the Interior and Home Affairs (BMI) and would therefore be better anchored in the Federal Chancellery as a staff unit, for example. However, this is currently irrelevant. This is because the current draft law does not provide this office with appropriate tasks or powers. As a result, there is currently no supervisory body with the ability to actually take action.

Incidentally, through the nesting of laws, the "management boards" of the federal administration are relieved of the approval, monitoring and training obligations introduced with the NIS-2 regulation. Although they are given duties, no liability regulations are provided for. However, without the threat of negative consequences, the pressure to act on the persons involved is limited.

This fits in with the provisions that the BSI should not have sufficient enforcement powers vis-à-vis the federal authorities. In principle, the BSI is allowed to carry out audits and inspections and derive measures and instructions from them. However, this depends on the actual audit and inspection density. It is already foreseeable that the BSI will not have sufficient resources for all supervisory tasks. Therefore, regular inspections of these institutions should not only be part of the BSI's powers, but should also be a mandatory task. In addition, the BSI should provide clarity to both the public and parliament by reporting on this regularly. But even these measures for the protection of federal agencies are not provided for.

The NIS2UmsuCG continues to lack clear, uniform federal regulations for public IT service providers at all levels: federal, state and municipal. This is because cyber attacks and data packets do not stop at any level differentiation in cyberspace or at jurisdictional boundaries. The cyber-sphere of diffusion of responsibility sends its regards here and continues to grow and flourish. The Basic Law clearly states that the federal government has a duty to guarantee uniform standards of living and security for public services of general interest. A differentiation according to responsibilities, levels or thresholds would therefore place citizens in different service classes, which is in clear contradiction to the principle of equality and services of general interest.

In this respect, NIS2UmsuCG unfortunately joins the desolate cybersecurity agenda and the non-strategic cybersecurity strategy for Germany. The urgently needed turnaround is at the digital competence level of a fax machine.

(dahe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.