Bundestag: Coalition agrees on NIS2 directive implementation

Union and SPD parliamentary groups have agreed on the revision of cybersecurity requirements for critical infrastructures after intensive negotiations.

Electricity pylons in Bremen

(Image: Andreas Wilkens/ heise medien)


Members of the Union and SPD parliamentary groups have agreed on the revision of cybersecurity requirements for critical infrastructures. Shortly before the deadline, there was significant movement in the discussions between the parties involved on one question: how exactly can the operation of a business-critical component in critical facilities be prohibited in case of an incident? Even today, the BSI Act allows the Federal Ministry of the Interior to prohibit the use of critical components. Once the revised BSI Act expands the group of affected operators to an estimated 30,000, this will become significantly more relevant.

In the future, a cabinet ordinance will list the components considered critical, for which a ban would then be possible if the manufacturers are not considered trustworthy.

At the same time, however, the order is changed: the check moves from ex-ante, i.e., prior to use, to ex-post. Operators can therefore use components at their own risk, but must report their use to the BSI and, in the event of a ban, dismantle them again. However, since the decision on a ban always has a political dimension, it must be issued by the head of the Federal Ministry of the Interior. Its State Secretary Hans-Georg Engelke said he was “quite satisfied” with the solution found on Wednesday evening.

The telecommunications industry in particular demands planning security. “We need planning security at this point and not a reopening of this topic on an annual basis,” said Telefonica Deutschland CEO Valentina Daiber at an event of the CDU-affiliated Wirtschaftsrat on Wednesday in Berlin.

This is an absolutely legitimate wish, replied Klaus Müller, President of the Federal Network Agency, but a rapidly changing world stands in its way. The Federal Network Agency had published the draft of new security guidelines for the telecommunications sector only on Monday, anticipating the NIS2 regulations.

He is regularly in dialogue with the President of the Federal Office for Information Security, Claudia Plattner, about the necessities, Müller said at the event: “These are not pleasant conversations.” In fact, the regulations are likely to have an impact primarily in other critical sectors. The telecommunications sector already has comparatively extensive experience thanks to the Huawei debate and the previous §9b BSI Act.

Plattner's authority now faces further tasks: following the agreement in the parliamentary procedure, the role of “Chief Information Security Officer” (CISO), i.e., the IT security officer of the federal administration, will be located at the Bonn authority. Another relevant change affects not only the BSI but also the other subordinate federal authorities: they will also have to fulfill at least certain security obligations in the future. This is a demand that the Federal Court of Auditors has also raised.

With the agreement in the Bundestag, the probability of penalty payments to the EU for non-implementation of EU law is significantly reduced. The EU Commission had recently announced that it would initiate infringement proceedings against those states that have not implemented the NIS2 directive into national law. So far, only 15 out of 27 member states have implemented the requirements for more cybersecurity in critical infrastructures.


The penalty would have had to be paid from the budget of the Ministry of the Interior, which is responsible for the law and which handed over the draft to the members of the Bundestag shortly before the summer break with some open issues. Given the manifold urgency, the Ministry is to pass the implementation law quickly after the agreement; the law should pass the Bundestag next week.

(dahe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.