NIS2 implementation delayed – Companies must act nonetheless

Even if the EU Cyber Security Directive NIS2 has not yet been transposed into national law, companies will not be able to avoid taking action now.

By
  • Christopher Hock
  • Christian Kirchberger
  • Roman Krepki

NIS2 is structured as an EU directive. Unlike EU regulations – such as the General Data Protection Regulation (GDPR) – directives do not apply directly to the legal and natural persons and other entities they are intended to affect. Rather, EU directives oblige the EU member states to flesh out the framework set by the respective directive and to transpose it into national law. EU directives are intended to give member states more leeway than EU regulations: regulations create uniform law across the EU, whereas directives serve to harmonize national law.

Under EU requirements, NIS2 should actually have been implemented by October 2024. The previous governing coalition had planned to transpose the NIS2 Directive into German law by March 2025 with the NIS2 Implementation and Cybersecurity Strengthening Act. This would have made cybersecurity a legal obligation for many thousands of companies in Germany for the first time. Even after the end of the "traffic light" coalition government in November, negotiations on implementation continued until their final failure at the end of January.

With the constitution of the new Bundestag, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated in accordance with the so-called discontinuity principle. The interruption of the legislative process gives the private and public institutions affected by the NIS2 Directive the opportunity to deal with the requirements of the EU Directive and its national implementation for the first time or more intensively. At the heart of the draft NIS2 Implementation and Cybersecurity Strengthening Act is the draft amendment to the BSI Act (BSIG-E).

The scope of application of the NIS2 Directive and the BSIG-E has been significantly expanded compared to their predecessors in order to ensure comprehensive coverage of the sectors and services that are of crucial importance for basic social and economic activities in the internal market. The group of companies affected by the BSIG will thus grow to several tens of thousands in the future.

The BSIG-E addresses the following private and public entities:

The management is obliged to implement risk management measures and monitor their implementation. An earlier draft of the BSIG still stipulated that the management was not allowed to delegate these duties. The current draft version no longer contains this prohibition. However, this does not change the training obligations. The draft BSIG still provides for mandatory training for management in the field of cybersecurity.

The current draft regulation on the liability of management bodies stipulates that management boards are liable to their companies for damages that they culpably cause through breaches of duty in accordance with the provisions of company law.

Given the importance of IT for companies, directors are liable for actively managing cybersecurity, although they are entitled to entrepreneurial discretion (the "business judgment rule"). Considering the current threat situation, however, that discretion is not exercised in accordance with their duties if the management decides against appropriate IT security management. Mere inaction does not generally qualify as a breach of the business judgment rule, but the BSIG-E contains a catalog of duties to act and forces management to take concrete action. If the management ignores this list of measures, it is acting in breach of duty.

NIS2 forces companies and public bodies to act, as there is no transitional period. Institutions must therefore be able to fulfill the obligations formulated in the BSIG-E as soon as the law applies. Affected organizations thus have no choice: they must deal with the contents of the latest draft and work through the list of obligations it sets out with high priority. To give cybersecurity the necessary weight through NIS2, the BSIG-E links violations with severe fines.

Private and public institutions should already know whether they are subject to the BSIG-E. They should note that even the operation of a group's IT infrastructure by its own IT service company falls within the material scope of application. Anyone affected by the new law must familiarize themselves with the individual obligations. The core provision obliges institutions to take suitable and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems and to prevent or minimize the impact of security incidents.


Consequently, companies are also obliged to enforce security requirements throughout the entire supply chain. Knowledge of their own IT, processes and suppliers is therefore essential. For the IT security measures to be implemented, organizations can use the international ISO/IEC 27001 standard as a guide to achieving and maintaining the statutory level of cybersecurity.

It remains to be hoped that the limbo surrounding the long-overdue implementation of the NIS2 Directive will be ended quickly to create legal certainty. It would also be desirable for the legislator to take the opportunity to eliminate the final shortcomings of the draft law.

(olb)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.