NIS2: Few changes in leaked government draft
Most of the implementation plans for greater cyber security of critical infrastructures have survived the change of government.
(Image: Shutterstock.com/PeopleImages.com - Yuri A)
The Federal Ministry of the Interior (Bundesministerium des Innern, BMI) is currently working on the implementation law for the European Union's revised Network and Information Security Directive (NIS2). The transposition into German federal law should actually have taken place by October 17, 2024, but because of the collapse of the traffic-light coalition, the old Bundestag did not pass the law. An interim status report from the end of May, which has now become public, shows that large parts of the traffic-light draft have survived the change of government. Minor changes compared to the last draft are nevertheless included.
The changes in the interim version published by AG Kritis affect the telecommunications sector, among others. Previously, companies had to have an annual turnover of at least 10 million euros and an equally high balance sheet total to fall under NIS2; in the new draft, the "and" becomes an "or". This means that more of the smaller telecommunications providers are likely to fall under the regulations.
The recommendations from the previous Bundestag's Committee on Internal Affairs have also been partially incorporated. A paragraph that would have meant that no additional measures would have had to be taken if an operator reported an incident itself was also deleted.
Federal administration gets less time
The updated draft version takes a stricter line with the federal administration in particular: instead of after five years as previously planned, it now has to prove that it meets the requirements after three years. Adjustments are also being made here: the federal administration, i.e. ministries and subordinate authorities, must also adhere to the standards of the Federal Office for Information Security (BSI) and the IT baseline protection (IT-Grundschutz) -- which is to be "modernized and further developed" by the BSI by 1 January 2026.
The problem that the federal government cannot issue regulations for federal states and local authorities remains unresolved. Local authorities in particular have often been the target of attacks recently. However, the regulations for them are exclusively in the hands of the federal states because of the so-called ban on mixed administration.
Another change is likely to raise some eyebrows: Operators of important, not just critical, systems are also to use automated attack detection systems in the future. However, the responsibility for checking these systems will no longer lie with the BSI -- but with the Federal Network Agency, which is also jointly or primarily responsible for IT security in certain areas today.
The black-red federal government now wants to finalize its version before the parliamentary summer break at the beginning of July and pass it through the federal cabinet to the Bundestag and then the Bundesrat. Numerous business associations had called for the federal government to quickly create legal certainty for operators of critical infrastructures – and for the EU Commission to urge Germany and other member states to swiftly adopt the overdue legislation.
(dahe)