NIS-2: German "Federal Office for Information Security" may depose CEOs in future
09/01/2023
09/01/2023
Author: Robert Nagel
Robert writes for Everphone on all topics related to company, product and devices.
Table of contents

The EU Network and Information Security Directive (NIS-2) must be transposed into German law by the end of 2024. In other words, a German law implementing the directive is needed by then.

The second draft of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is now available from the Ministry of the Interior – with far-reaching powers of intervention for the German Federal Office for Information Security (BSI).

29,000 instead of 4,500 companies affected

The new directive will increase the number of affected German companies sixfold: 29,000 companies will have to comply with strict cyber security requirements under the NIS-2 directive.

Until now, “only” 4,500 German companies were required to report to the BSI. The obligations include reporting security incidents, risk management and technical measures.

The bill divides companies into two main groups:

  1. operators of critical facilities and
  2. “particularly important” and “important” companies, which are further differentiated by size.
    • Mid-sized companies
      up to 249 employees and revenue < € 50 million resp.
      up to 249 employees and balance < € 43 million
      or
      up to 49 employees and revenue € 10–50 million resp.
      up to 49 employees and balance < € 43 million
    • Large companies
      more than 250 employees
      or
      revenue > € 50 million and balance > € 43 million

Companies include, for example, water and energy utilities, logistics companies, insurance companies, banks and telecommunications providers. Also included are “qualified trust services,” top-level domain registries, and DNS services; for major companies, transportation and traffic, healthcare, manufacturing, digital services, defense contractors, and research facilities.

Extended powers for the BSI

For the intended protection of critical enterprises, the amendment provides for far-reaching powers of the BSI.

Management of “particularly important facilities” can be deposed and held liable

For example, in the case of “supervisory and enforcement measures for particularly important institutions” (Section 64), the draft provides that the BSI may not only verify compliance with the provisions, but is also authorized to issue binding instructions with regard to preventive and repressive measures.

Not only that, but the BSI can also direct that, in the event of cyber threats, it not only notify the affected customers, but also publish them (§ 64 (4)).

Paragraph 6 even stipulates that management can be deprived of its power if it fails to comply with BSI orders in a timely manner:

“If particularly important institutions fail to comply with the orders of the Federal Office under this Act despite being given a deadline, the Federal Office may request the relevant competent Federal supervisory authority [first] to temporarily suspend the authorization for some or all of the services or activities of that institution [and second] to temporarily prohibit the natural persons who, as management or legal representatives, are responsible for management duties in the particularly important institution from performing the management duties.”

NIS2UmsuCG draft (July 2023), § 64 (6)

The EU directive also stipulates that executives can be held personally liable for violations with fines of up to two percent of annual sales.

Companies should prepare now for NIS-2

In order to prevent the BSI from interfering with business activities in this way, it is strongly recommended that you prepare for the requirements of the NIS-2 directive in good time.

The costs for implementing the corresponding measures are estimated at around 1.65 billion euros per year for the aforementioned 29,000 companies in Germany. For the introduction and adaptation of the corresponding processes, the Ministry of the Interior expects additional one-time costs of around 1.37 billion euros.

Weblinks

Stay informed

Our newsletter will deliver the latest info on mobile work and mobile devices to your inbox. Subscribe here and we’ll keep you posted. You can also follow us on our social channels for more Everphone insights and updates.

EU regulations: the end of Lightning Apple devices in 2025
New portal feature: prolong rentals
Undress Circularity: first report published

Our most read articles

Telecoms expense management (TEM): Three critical cost drivers

mdm gdpr

“I don’t give a damn about the GDPR!”

Bring Your Own Device 2022 – a model with a future?

Everphone – the founding story

Everphone becomes Samsung’s official Device-as-a-Service partner

Impressions from ‘Digital X’ 2022