NIS2: New leak of the draft bill

The new draft of the NIS2 Implementation Act provides for other areas of application and less influence from industry.

By
  • Manuel "HonkHase" Atug

The now leaked draft bill of the NIS2 Implementation Act of June 2 appears to be the version that is currently being coordinated between the Federal Ministry of the Interior (BMI), the Federal Chancellery (BKAmt) and the Federal Ministry of Finance (BMF). The current NIS2 draft, like all previous versions that have become public, is publicly available from the independent interest group AG KRITIS, of which the author is the founder and spokesperson.

What's new? An analysis of the differences to the previous leak of the draft bill from 26.5.2025 reveals some interesting points.

Probably the most important change for all those affected is in Section 28 (Particularly important facilities and important facilities), paragraph 3, which governs how the type of facility is determined; the paragraph has been rewritten:

"When assigning a facility to one of the facility types in accordance with Annexes 1 and 2, business activities that are negligible regarding the overall business activities of the facility may be disregarded."

The explanatory memorandum to the law explains this change as follows:

"This avoids, in individual cases, that only a minor secondary activity leads to a disproportionate identification as an important or particularly important institution."

Less influence from industry

In Section 56 (Authorization to issue ordinances) (4), it was deleted that science, KRITIS operators and their associations must be consulted if the Criticality Ordinance defines which services are considered KRITIS and which facilities are considered critical facilities within the meaning of the Act.


In Section 56 (Authorization to issue statutory instruments), paragraph 5, it has also been deleted that the scientific community and the trade associations concerned must be consulted when a statutory instrument determines when and why an incident counts as a significant security incident. This change matters because of a number of legal requirements that will have to be taken into account in future.

According to Section 2 (Definitions) Number 11, a "significant security incident" is a security incident that:

  a) has caused or is likely to cause serious disruption to the operation of services or financial loss to the entity concerned; or
  b) has adversely affected or may adversely affect other natural or legal persons through significant material or immaterial damage,

unless the statutory order pursuant to Section 56 (5) contains a more specific definition.

Operators of critical facilities are obliged under Section 32 (Reporting obligations) (3) to "provide information on the type of facility and critical service affected and the impact of the security incident on this service if a significant security incident has or could have an impact on the critical facility they operate."

According to Section 35 (Duty to inform) (1), the recipients of the services of affected facilities - and thus not only KRITIS operators - must be informed immediately in the event of a significant security incident and an order by the BSI. According to Section 36 (feedback from the Federal Office to reporting institutions) (2), the BSI can oblige the affected institution to inform the public about the significant security incident or even do so itself.

The explanatory memorandum to Section 5c (IT security in system and network operation, determination competence), paragraph 2, has been expanded to include the following, very welcome, passage on cooperation between the BSI and the Federal Network Agency (BNetzA):

"In addition, the new regulation consolidates the previous responsibilities of the BNetzA and BSI with regard to conventional and digital service providers in the energy sector."

Previously, the BNetzA was mainly responsible for supervising KRITIS operators in the electricity sector with regard to compliance with cybersecurity measures. The agreement regulation now envisaged will give the BSI greater influence over IT security requirements in the energy sector. The BSI can thus ensure a uniform level of security across all KRITIS sectors, which strengthens its role as the central cyber security authority.

The explanatory memorandum to section 44 (requirements of the Federal Office) paragraph 1 has been amended. Previously, IT baseline protection only had indirect legal status for the federal ministries and the Federal Chancellery. Now it applies to all federal administration institutions.

In addition, there were some minor changes in various places, including the role of the BSI and the information security officers of the federal administration institutions. Overall, the main points of criticism of the KRITIS working group from the written statement on the draft bill of the NIS2UmsuCG of 2.10.2024 remain unchanged.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.