NIS2 not implemented: EU fine for Germany moves one step closer
The EU Commission has initiated the second stage of infringement proceedings against Germany because it has not yet implemented the NIS2 Directive.
A fine against Germany is drawing closer because the federal government is lagging behind in protecting critical infrastructures (Kritis) and increasing cyber security. On Wednesday, the EU Commission escalated the infringement proceedings, which have been ongoing since the end of November, to the second stage because Germany has still not transposed the EU directive on network and information security, known as NIS2, into national law. It has now sent the Federal Government a reasoned opinion on the matter with further questions, to which the government must respond promptly.
NIS2 is intended to ensure a high level of cyber security throughout the EU in sectors such as information and communication technologies (ICT), energy and water supply, transport, finance and media. EU countries should have implemented the directive by October 17. In late fall, the Commission sent an initial request for information on the state of play to a total of 24 member states. The Commission has now sent the second blue letter to 18 other nations in addition to Germany. These are Bulgaria, the Czech Republic, Denmark, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden.
Two months for NIS2 implementation
Full implementation of the relevant legislation is "crucial for further improving the resilience and incident response capacity" of public and private companies operating in the critical sectors and the EU as a whole, the Commission warns. The 19 EU states that have been contacted now have two months to react and take the necessary measures. Otherwise, the executive body threatens to refer the cases to the European Court of Justice. The court could then impose fines, for example.
The SPD and the Greens were only able to agree on a bill for the implementation of NIS2 and the introduction of vulnerability management to close IT security loopholes after the "traffic light" government's exit in December. State and municipal administrations were not to be exempt from the stricter cyber security requirements and the handling of "critical components" in critical areas was to be tightened. At the end of January, however, the responsible rapporteurs gave up due to renewed irreconcilable differences, especially with the FDP.
The new black-red coalition has stated in its roadmap for the coming years: "We will amend the BSI Act as part of the implementation of the NIS 2 Directive." Experts warn that potentially affected companies and authorities should already take action despite the delays.
(vbr)