NIS2 Implementation Act passes Federal Cabinet

German NIS2 Directive implementation passed by Cabinet after a year; partial satisfaction reported.

[Image: six large water pipes lead down a slope to a turbine house. The new legislation affects energy suppliers, among others. (Image: Daniel AJ Sokolov)]

This article was originally published in German and has been automatically translated.

The law implementing the revised European Union Network and Information Security Directive (NIS2) has cleared an important hurdle on its way to entering into force: on Wednesday, the Federal Cabinet agreed on a draft bill. The bill is comprehensive, as the government is not only implementing the new EU requirements but also adding some German amendments of its own.

At the heart of the "NIS2UmsuCG" are extensive new cyber security regulations for operators of critical infrastructures and facilities (KRITIS). In future, significantly more companies and public bodies will be subject to these cyber security requirements. The NIS2UmsuCG was originally meant to be accompanied by the KRITIS umbrella law as its counterpart, with rules for improved physical protection, but that law is still not ready for the cabinet.

The NIS2 implementation will tighten a large number of existing regulations or at least significantly expand the target group. The German government expects 29,500 jobs to be subject to the NIS2 regime in future. "In future, more companies in more sectors will have to meet minimum requirements for cyber security and reporting obligations in the event of cyber incidents," explained Federal Minister of the Interior Nancy Faeser (SPD) on Wednesday regarding the cabinet decision. "We are increasing the level of security - and thus reducing the risk of companies becoming victims of cyber attacks."

The NIS2 requirements distinguish between two main categories: "important facilities" and "particularly important facilities". The catalog of facilities considered particularly important is defined at EU level and is transposed into German law by this act.

The criteria are described in Section 28 of the cabinet version and include, for example, all operators of supply-critical facilities above a certain supply size, qualified trust service providers, TLD registries and DNS service providers, as well as larger telecommunications network operators and parts of the federal administration. These particularly important facilities face particularly strict requirements, although the Bundestag may still amend them later in the legislative process.

In addition to smaller telecommunications providers, the second category of "important facilities" includes all entities that are not already considered "particularly important" but have a certain minimum size (turnover and number of employees count here) and are active in the energy, transport and traffic, finance, health, water, digital infrastructure or space sectors.

Companies in waste management, the chemical industry and the food industry, manufacturers of certain products such as medical devices or data processing equipment, machine and vehicle manufacturers, and research institutions are also considered important.

This is described in more detail in Annex 2 of the law, and the interlocking logic is somewhat complicated. For example, a company that would otherwise only be "important" can still be a "particularly important facility" because it operates critical systems, and must then take the corresponding measures. The BSI provides a tool on its website to help affected companies with the classification.

This means that the existing system of the BSI Act should continue to operate in future, but not to everyone's satisfaction. "In particular, the classification as an 'operator of critical systems' creates uncertainty for internationally active companies, which would have to follow different rules in the individual EU member states," criticizes Klaus Landefeld from the IT industry association Eco. At the same time, some sectors are partly exempted again by sector-specific laws, such as DORA in the financial sector.

One significant change compared to the previous BSI Act, which was largely shaped by the IT security laws of recent years, is the scope of the systems affected. The explanatory memorandum to the law clarifies that it is not just business-critical IT in the narrower sense that is meant, but "all activities of the institution for which IT systems are used, including, for example, office IT or other IT systems operated by the institution." In other words: federal authorities must protect their fax machines, and utility providers must protect their accounting systems if these are essential to maintaining operations.

Politicians have particularly high hopes of gaining greater insight into IT security activities. To this end, a reporting obligation is being introduced: no later than 24 hours after a significant security incident, a report must be made to a central reporting office to be set up jointly by the Federal Office for Information Security (BSI) and the Federal Office of Civil Protection and Disaster Assistance (BBK); this report must be updated within 72 hours at the latest. A final report must then follow no later than one month later, provided the incident has been mitigated by then.

However, it is still unclear what exactly constitutes a "significant security incident": this is to be clarified by an implementing act of the EU Commission on NIS2, on which the Commission is conducting a public consultation until tomorrow. Entities in either category must register with the reporting office within three months at the latest and provide contact details. In certain areas, even more extensive information may be required, including the IP range used.

A significant clarification compared to the previous law should particularly please those responsible for cyber security in companies: in future, the management will be liable in accordance with the applicable rules of company law and will be obliged to undergo training. The IT industry association Bitkom considers this impractical: although it is "fundamentally of the opinion that IT security should be imposed at this level, it does not seem realistic for CEOs to assume all practical obligations", says security policy expert Felix Kuhlenkamp. It would make more sense, he argues, if ultimate responsibility remained clearly with the management while the management could also commission third parties. The rules on CEO liability have been one of the points of contention surrounding the draft NIS2UmsuCG in recent weeks.

The new law will also require regular "security audits, inspections or certifications" for operators of critical systems. If operators do not comply with the regulations, the NIS2 implementation now threatens severe fines which, as with the GDPR, are capped only relative to the annual turnover of the companies concerned.

As the supervisory authority, the BSI is responsible for both monitoring compliance and enforcement. It can issue orders and oblige companies and public bodies to take measures. The appointment of a federal Chief Information Security Officer (CISO) should also be seen in this context: this person is given authority to issue instructions to federal institutions in order to avert or rectify security incidents, and to use the appropriate resources to do so.

The question of how to deal with so-called "critical components" is likely to be particularly tricky in practice. Section 41 of the cabinet version stipulates that the first use of such components must be reported to the Federal Ministry of the Interior. This is not just a technical check but also a check of supplier reliability based on political assessments. It extends the regulation for Huawei components in German 5G mobile networks to other areas and requires a guarantee declaration from the manufacturers.

Ingbert Liebing from the Association of Municipal Enterprises (VKU), for example, doubts whether this is practicable: "Hundreds of companies, thousands of individual case reviews: We highly doubt that such a procedure is feasible for the Federal Ministry of the Interior in terms of personnel, especially as regular procurement processes would be delayed and defective components could no longer be replaced as quickly." If the Federal Ministry of the Interior (BMI) prohibits its use, the component in question may not be used, and may be banned entirely for the future. The documents relating to the review are not made accessible.

The NIS2 Implementation Act was originally supposed to come into force in October; the Federal Ministry of the Interior freely admitted months ago that this would probably not happen. This is another reason why business associations are calling for longer transition periods to be written into the law: the slow legislative process has left too little time to implement the required changes.

Konstantin von Notz, deputy leader of the Green parliamentary group, criticized the draft and announced that parliament would now "very intensively" deal with the law: "Overall, the approach of the lead ministry means that the parliamentary groups still have a lot of work ahead of them to make the law a good law and to establish the long-requested coherence with other EU requirements and the umbrella law as a guarantor of uniform KRITIS protection."

(vbr)