NIS2: What the Federal Council pushed through without a word

Four committees have made several recommendations on NIS2 to the Federal Council. Manuel Atug explains what was wordlessly waved through in about a minute.

(Image: security lock on an outstretched hand with a magnifying glass; FON's Fasai/Shutterstock.com)

By Manuel Atug

As there were apparently no requests to speak on the total of 20 recommendations from the Committee on Home Affairs, the Committee on Health, the Committee on the Environment, Nature Conservation and Nuclear Safety and the Committee on Transport on NIS2, the votes on the committee recommendations were taken directly. All were adopted by a majority without exception.

An analysis by Manuel Atug

Manuel Atug is an IT security expert for critical infrastructures and active online as @HonkHase.

The Federal Audit Office was recently much more critical and sensible. Under NIS2, the support that the Federal Office for Information Security (BSI) provides to police authorities and the Office for the Protection of the Constitution would in future have been restricted to federal authorities, and within the scope of administrative assistance it would have been easier to reject such requests in individual cases. However, a BSI support service is now being given a legal basis after all.

The BSI is to have a fully digitized reporting procedure, with no breaks between media, on the online platform for the voluntary exchange of relevant cybersecurity information. To this end, the EU's electronic proof of identity at the "high" security level is required. At the same time, the Federal Office of Civil Protection and Disaster Assistance is to provide access to information on the physical security and resilience of critical infrastructures, likewise as an end-to-end digitized process.

The BSI must now inform the competent data protection supervisory authorities as soon as a breach of risk management measures or reporting obligations may result in a breach of personal data protection, rather than only when it "has obvious consequences". An obligation to notify exists if the competent IT security authorities determine in the course of their duties that the breach of risk management measures or reporting obligations may result in a personal data breach under the GDPR.

With the wording "by comparable provisions under federal state law", various regional authorities in the federal states would in future have to use the BSI Act as a benchmark, even where it goes beyond the minimum NIS2 measures required by the EU. To prevent this, the wording is to be changed to "state regulations implementing the NIS 2 Directive". Otherwise, the 16 federal states would have to implement too many cybersecurity measures and, above all, uniform ones across the country.

The management boards should not only be trained themselves, but must also explicitly work towards training for all employees. To cut bureaucracy, the administrative burden on institutions subject to NIS2 should be reduced by using the BSI as a central point of contact via online forms, including for notifications required under the GDPR.

Model contracts, comparable to the EVB-IT, are to be provided so that the IT service providers of the federal states are informed at an early stage about the expectations and requirements of the client "federal administration". IT service providers of the federal states may also be affected via the German Administration Cloud and the marketplace, via which the federal administration will also be able to access services in future.

It is to be welcomed that the BSI is to provide technical guidelines and reference architectures not only to the federal administration institutions, but also to the federal states in the sense of a holistic architecture.

It should be examined whether classification as KRITIS should depend solely on the threshold value of around 500,000 people supplied, or whether other criteria should also be included in the KRITIS regulation. This is because, under the current NIS2 draft, there is a risk that the vast majority of hospitals – at least in North Rhine-Westphalia – would not be relevant and therefore "the existing security threat would not be taken into account". Above all, this would fail to reflect the importance of hospitals in rural areas.

As in the NIS2 draft, the threshold values in the draft KRITIS umbrella law should also be fundamentally questioned because of the special position of services of general interest in the healthcare sector. Against this background, it should be re-examined whether thresholds alone should be decisive. The KRITIS working group has taken the same view on this point for many years for almost all KRITIS sectors and industries and would welcome it if this were finally adjusted to match the actual situation.

In the healthcare sector, large practices, professional practice groups and medical care centers could become operators of critical facilities in the future. Furthermore, large outpatient facilities, high-turnover practices in radiology and nuclear medicine, nephrology or laboratory medicine could become relevant as important facilities.

As hospitals only have to submit evidence after a transitional period of five years in accordance with Section 108 SGB V, a correspondingly extended transitional period has also been demanded for the important facilities. The first certificates will therefore not be available until 2030 at the earliest.

All in all, these are many sensible measures to reduce bureaucracy and deal with a range of marginal issues, but no great leaps forward of the kind envisaged by the Federal Audit Office. Nor is there any debate about the issues. Both the federal states and the healthcare system are only to tackle cybersecurity according to the minimum principle, which does no justice whatsoever to the current threat situation or to the state of the healthcare system.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.