The EU Network and Information Security Directive (NIS-2) must be transposed into German law by the end of 2024. In other words, a German law implementing the directive is needed by then.
The second draft of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is now available from the Ministry of the Interior – with far-reaching powers of intervention for the German Federal Office for Information Security (BSI).
29,000 instead of 4,500 companies affected
The new directive will increase the number of affected German companies sixfold: 29,000 companies will have to comply with strict cyber security requirements under the NIS-2 directive.
Until now, “only” 4,500 German companies were required to report to the BSI. The obligations include reporting security incidents, risk management and technical measures.
The bill divides companies into two main groups:
- operators of critical facilities and
- “particularly important” and “important” companies, which are further differentiated by size.
- Mid-sized companies:
  - up to 249 employees and revenue < € 50 million, or
  - up to 249 employees and balance sheet total < € 43 million, or
  - up to 49 employees and revenue € 10–50 million, or
  - up to 49 employees and balance sheet total < € 43 million
- Large companies:
  - more than 250 employees, or
  - revenue > € 50 million and balance sheet total > € 43 million
Companies covered include, for example, water and energy utilities, logistics companies, insurance companies, banks and telecommunications providers. Also included are “qualified trust services,” top-level domain registries and DNS services; among the major companies are transportation and traffic, healthcare, manufacturing, digital services, defense contractors and research facilities.
Extended powers for the BSI
For the intended protection of critical enterprises, the amendment provides for far-reaching powers of the BSI.
Management of “particularly important facilities” can be deposed and held liable
For example, in the case of “supervisory and enforcement measures for particularly important institutions” (Section 64), the draft provides that the BSI may not only verify compliance with the provisions, but is also authorized to issue binding instructions with regard to preventive and repressive measures.
Beyond that, the BSI can also order that, in the event of cyber threats, the institution not only notify the affected customers but also make the threats public (§ 64 (4)).
Paragraph 6 even stipulates that management can be deprived of its power if it fails to comply with BSI orders in a timely manner:
“If particularly important institutions fail to comply with the orders of the Federal Office under this Act despite being given a deadline, the Federal Office may request the relevant competent Federal supervisory authority [first] to temporarily suspend the authorization for some or all of the services or activities of that institution [and second] to temporarily prohibit the natural persons who, as management or legal representatives, are responsible for management duties in the particularly important institution from performing the management duties.”
NIS2UmsuCG draft (July 2023), § 64 (6)
The EU directive also stipulates that executives can be held personally liable for violations with fines of up to two percent of annual sales.
Companies should prepare now for NIS-2
In order to prevent the BSI from interfering with business activities in this way, it is strongly recommended that you prepare for the requirements of the NIS-2 directive in good time.
The costs for implementing the corresponding measures are estimated at around 1.65 billion euros per year for the aforementioned 29,000 companies in Germany. For the introduction and adaptation of the corresponding processes, the Ministry of the Interior expects additional one-time costs of around 1.37 billion euros.
- Full text of the draft bill (in German)