Important Changes with the New NIS2 Law: What You Need to Consider Now

The Federal Government has decided on comprehensive changes to the IT Security Act. The draft law for the implementation of NIS2 and for strengthening cybersecurity (NIS2UmstG) is now going to the Bundestag. It is time to take a closer look at the new cybersecurity requirements if they are relevant to you. But who falls under NIS2?

Hardly any other topic is currently so often the focus of security conferences, or takes up so much space in reporting on IT security, as the new NIS2 cybersecurity directive. Until now, however, every presentation and report had to end with the note that the German implementation of NIS2 is still pending, which means that the exact requirements for affected companies and institutions are not yet fully known.

Since the NIS2 directive is an EU directive, it must first be transposed into national law before it can be applied. In contrast, for example, the General Data Protection Regulation (GDPR) is an EU regulation and therefore applies directly.

Now, the federal government has approved the draft for strengthening cybersecurity presented by Federal Interior Minister Nancy Faeser. This means that the second EU directive on the security of network and information systems (NIS2) will be implemented into German law.

The draft law must now go to the Bundestag. Bitkom President Dr. Ralf Wintergerst emphasizes: "Important details still need to be clarified in the upcoming parliamentary process. There is a lack of coordination with the KRITIS umbrella law, whose implementation is also currently stalled." The President of Bitkom highlights specific needs for changes: "Physical security and cybersecurity must be considered and addressed together; companies should be able to use uniform term definitions and reporting channels. Necessary clarifications are also missing in some areas. During the planned testing of products and systems by the Federal Office for Information Security, the interest of manufacturers in protecting sensitive business secrets should also be preserved."

There are still uncertainties regarding the specific requirements of NIS2. In Germany, companies are lacking the urgently needed legal certainty due to delays in the coordination process of the draft law, according to Bitkom. It is now clear that the planned implementation deadline in October cannot be met. Therefore, it is even more important that the law is implemented promptly and comes into effect no later than early 2025, emphasizes the digital association.

In particular, small and medium-sized enterprises need support to determine if and how they are affected by the law and what measures they need to take, says Bitkom. The eco – Association of the Internet Industry e.V. also warns that many companies are still not adequately prepared and calls for an extension of the implementation deadlines.

Eco board member Klaus Landefeld says: “It would be beneficial for the federal government to align more closely with the European requirements when implementing the NIS2 directive at the national level. There is a high risk that the regulatory framework will diverge, leading to different rules in Germany compared to the rest of Europe. In particular, the classification as a ‘critical infrastructure operator’ creates uncertainty for internationally active companies that would have to comply with varying rules in different EU member states.”

Also, the short implementation period is causing concern for eco. “Many companies are still unaware that they fall within the scope of the directive and the resulting laws in Germany. They have not yet prepared for the future requirements of the NIS2 directive and are sometimes still unsure how these requirements apply to them,” says Landefeld.

The BSI (Federal Office for Information Security) is now offering support. BSI President Claudia Plattner stated: “In the future, around 29,500 companies will need to implement measures for cybersecurity. These ensure the security of the population's supply and form the backbone of Germany's cyber nation. The BSI will therefore provide the best possible support and make the implementation of legal requirements as easy as possible.”

To inform companies that might be affected by the new legal obligations during the ongoing legislative process, the BSI has now published support offerings: The impact assessment provided online by the BSI includes specific yes/no questions based on the NIS2 directive to classify companies into four categories: operators of critical infrastructures, particularly important facilities, essential facilities, and unaffected companies. Once the amended BSI law is passed, the BSI will update the assessment.

About aeroaccess: 

aeroaccess is a medium-sized, technology and service-oriented system house for mobile communication. With our extensive portfolio of network, security and analysis software, we create solutions for large corporations and SMEs alike.

E-Mail: info@aeroaccess.de

Tel.: +49 (0)89 700 743 540
