The EU legislator is working on a comprehensive set of regulations intended to make Member States and their businesses resilient to cyber threats, in line with the EU Digital Strategy. The aim of the Network and Information Security 2 Directive (NIS2 Directive, Directive (EU) 2022/2555) is to raise the level of cyber security throughout the EU. It entered into force on 16 January 2023 and must be transposed into national law by 17 October 2024.
In Germany, the previous NIS1 Directive has so far been implemented primarily by the Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (Act on the Federal Office for Information Security / “BSIG”). The draft NIS2 implementation act is called NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (Act for the implementation of NIS2 and the strengthening of cybersecurity / “NIS2UmsuCG”) and is colloquially also known as the “IT Security Act 3.0”. It includes a comprehensive redraft of the BSIG, hereinafter the “New Draft BSIG”.
1. Scope of BSIG to expand considerably
The current BSIG contains compliance obligations for three categories of companies:
- Critical infrastructure operators
- Providers of digital services
- Companies of special public interest
In the New Draft BSIG, these are replaced by the following three categories:
a) Critical Facilities: similar to critical infrastructures under the current BSIG.
b) Particularly Important Entities: corresponds to “Essential Entities” under NIS2. The Particularly Important Entities include:
- Operators of Critical Facilities
- Large companies from the energy, transport and traffic, finance and insurance, healthcare, drinking water, waste water, information technology and telecommunications, ICT services management (B2B) or space sectors
- Medium-sized companies that are providers of telecommunications services or networks
- Companies of any size that are qualified trust service providers, top-level domain name registries or DNS service providers
- Entities that are part of “central government”
c) Important Entities: This category absorbs the companies of special public interest under the current BSIG. It is significantly broader than the previous BSIG categories, so many companies that are currently out of scope will be covered by the New Draft BSIG, in particular:
- Medium-sized companies from the energy, transport and traffic, finance and insurance, healthcare, drinking water, waste water, information technology and telecommunications, ICT services management (B2B) or space sectors
- Medium-sized or large companies from the logistics, municipal waste management, production, chemical, food, manufacturing, digital service provider or research sectors
- Trust service providers not already covered as Particularly Important Entities (i.e. non-qualified trust service providers), among others
As before, operators of critical infrastructure (now “Critical Facilities”) will be determined on the basis of threshold values reflecting their relevance (e.g. a certain number of subscribers for providers of telecommunications services). The thresholds will be set out in an ordinance. Important Entities and Particularly Important Entities will in future be determined, in line with the NIS2 Directive, solely by a size-cap rule based on their number of employees and turnover.
Institutions already covered by the sector-specific provisions of the Regulation on Digital Operational Resilience for the Financial Sector (DORA), the German Telecommunications Act (TKG) or Book V of the Social Code (SGB V) are excluded from the three categories.
2. Key objectives
Obligations include risk management, registration, reporting & notification
Companies’ obligations under the New Draft BSIG are similar to those under the current BSIG, but have been significantly extended.
a) Risk management:
Companies in scope of the BSIG will have to implement extensive risk management measures, similar to the obligations under the current BSIG.
In particular, they are required to take proportionate and effective technical and organisational measures (TOMs) that reflect the state of the art. The TOMs should enable companies to avoid disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes they use to provide their services, and thus prevent or minimise the impact of security incidents on their own or other services. For orientation on what “state of the art” will be measured against in practice: Art. 21(2) of the NIS2 Directive lists the minimum areas such measures must cover, including risk analysis and information system security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply chain security, secure acquisition, development and maintenance (including vulnerability handling and disclosure), effectiveness assessment, basic cyber hygiene and training, cryptography, HR security, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate.
Particularly Important Entities must demonstrate compliance with their preventive obligations. This proof must be provided no later than four years after the new BSIG enters into force.
b) Registration: Facilities in scope will have to register with the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security / “BSI”).
c) Obligation to report significant security incidents:
- The definition of “significant security incident” is broader than under the current BSIG
- Initial notification to the BSI must be made within 24 hours (the NIS2 Directive additionally provides for an incident notification within 72 hours and a final report within one month)
- Where instructed by the BSI, customers/users must be informed of the incident and, in some cases, of remedial measures they can take themselves
- In addition, the public may have to be informed, as the case may be
BSIG compliance to be ensured by management, to be enforced by BSI
The New Draft BSIG makes compliance with cybersecurity obligations a matter for senior management. Under the New Draft BSIG, managers must attend regular cyber security training and must approve and monitor the risk management measures. If they breach the latter obligation, managers are liable to the company for the resulting damage; waivers of such compensation claims or settlements are declared void by the New Draft BSIG (except where the manager is insolvent). It remains open whether a company can take out insurance for the manager and whether (and to what extent) managers will be able to delegate their obligations under the BSIG.
3. Recipients
The New Draft BSIG is aimed at the Important Entities and Particularly Important Entities described in section 1. The details will be set out in a new ordinance, which will be harmonised with the new KRITIS-Dachgesetz (KRITIS Umbrella Act, KRITIS standing for “critical infrastructures”) implementing the EU Critical Entities Resilience (CER) Directive.
4. Penalties
Under the New Draft BSIG, the BSI will have extensive enforcement powers (somewhat reduced for Important Entities). For Particularly Important Entities, the BSI will be able to check compliance with BSIG requirements even without suspicion, issue instructions and appoint a monitoring officer. In the event of non-compliance, the BSI may suspend the activities of the entity concerned or temporarily prohibit members of management from performing management duties. In addition, the BSI may impose administrative fines of up to 2% of the company's worldwide turnover or up to EUR 20 million, depending on the circumstances (compared with a maximum of EUR 2 million under the current BSIG).
5. Outlook: Companies’ cybersecurity budgets to increase significantly
The New Draft BSIG is still an unofficial draft; the next step will be the publication of an official draft.
According to EU Commission estimates, companies that fall under NIS2 for the first time will have to increase their budget for cybersecurity measures by 22%, and companies already covered by NIS1 by 12% (NIS2 Impact Assessment Report, SWD(2020) 344 final). Every company in one of the sectors listed above should check whether it falls within the extended scope of the New Draft BSIG. The earlier this is identified, the more efficiently and cost-effectively the necessary compliance steps can be taken.
Further new legislation: while the NIS2 Directive, and thus the New Draft BSIG, concerns digital cyber security, the EU Critical Entities Resilience Directive (CER) focuses on physical resilience and covers, for example, natural disasters or terrorist attacks. This directive must also be transposed into national law, which Germany is doing with the KRITIS Umbrella Act.