NIS2 Implementation Act – Need for action for affected companies despite many unanswered questions

published on 7 October 2024 | Reading time approx. 4 minutes

 

October 17, 2024 is the deadline for the German legislator to transpose the NIS2 Directive into national law. In view of the current status of the legislative process, it is unlikely that the directive will be implemented on time, but the federal government's draft bill has been available since October 2, 2024. Despite the delay in legislation, companies should act now and examine what direct or indirect consequences the German implementation law will have for them. This article presents open questions and the upcoming need for action, taking into account the current draft legislation of the German government.
 

 

Overview

Despite the constantly increasing threat situation, public and private bodies still have considerable deficits in the area of cyber security. What is reflected in theory in statistics and reports often has serious consequences in practice. In recent years, media coverage of cyber attacks on public institutions and companies of all sectors and sizes has increased. The EU has responded to this development by introducing various regulations to strengthen resilience in the area of cyber security. These include, in particular, the Directive on measures to ensure a high common level of security of network and information systems across the Union (“NIS-2”). This is intended to ensure compliance with a high level of cybersecurity by public bodies and companies throughout the EU. The member states have until October 17, 2024 to transpose the directive into national law. In Germany, the federal government's draft bill for the transposition law has been available since October 2. The further schedule of the Federal Ministry of the Interior and for Home Affairs is as follows (subject to change):  

Timetable for the NIS2 implementation legislative procedure

Bundestag 1st reading: October 10/11, 2024
Committees, hearings: Decision on hearing: October 16, 2024; Hearing: November 4, 2024; Conclusion IA: November 13, 2024
Bundestag 2nd/3rd reading: December 5/6, 2024
Federal Council 2nd round: February 14, 2025
Entry into force: March 2025

Even if it comes into force later, companies should already be looking at the requirements resulting from the planned amendments to the BSIG, among others. 
 

Affectedness and unanswered questions 

The first question for many organizations is how they are affected. At first glance, the impact analysis based on the threshold values and the sectors listed in the annexes to the draft may seem trivial. Depending on the business activity and the number of employees or turnover, affected facilities are classified as important or particularly important. KRITIS operators that already fall under the current BSIG are in the category of particularly important operators. Only a closer look at the sector affiliation and the calculation of the threshold values (“size cap”) reveals a handful of follow-up questions for many potentially affected parties. The automatic NIS2 impact assessment published by the BSI can at best provide initial guidance here. Neither this tool nor comparable “NIS2 checkers” relieve users of the task of specifically assigning their own business activities to the affected sectors. To set the decisive course for the impact analysis, many companies are therefore still faced with the challenge of assessing the extent to which they fall under the often hard-to-grasp definitions in the annexes to the draft or the categories of the statistical classification of economic sectors.
  
Various unanswered questions relating to the impact analysis contribute to further legal uncertainty.
According to the draft, when calculating the number of employees, annual turnover and annual balance sheet total, only those parts of the entity that fall within one of the regulated sectors are to be taken into account. This is intended to ensure that entities that exceed the thresholds overall, but are not primarily active in the regulated sectors, are not disproportionately covered by the scope of application. Cross-sector activities such as HR, accounting, etc. are to be taken into account proportionately in the calculation. However, it remains unclear how a pro rata calculation for these cross-divisional tasks is to be carried out. It is not sufficiently clear which activities, beyond the examples mentioned, count as cross-divisional tasks. Furthermore, the basis of calculation is not specified: both an average and an actual consideration of the employee ratio are conceivable here.

Irrespective of the specific method of calculation, it is also not yet clear to what extent the restriction of the scope of application will be maintained. As a comparable limitation is not provided for in the NIS2 Directive itself, the German draft falls short of the implementation of the Directive and is in conflict with higher-ranking EU law in this respect. It is not yet clear how this conflict will be resolved. In this respect, it cannot be ruled out that the restriction will have to be dropped as part of an interpretation and application of the national law in line with European law. In view of these open questions, all companies that are active in the regulated sectors and reach the overall thresholds should consider how they are affected and the new requirements.
 

Requirements for affected companies 

The NIS2 legislation obliges affected companies to take appropriate, proportionate and effective technical and organizational measures to protect the IT and processes of the services they provide, to avoid disruptions to availability, integrity and confidentiality and to minimize the impact of security incidents. It must be emphasized that these measures must comply with the state of the art and take into account the relevant European and international standards. The measures include at least
  • Risk analysis and security for information systems
  • Management of security incidents
  • Maintenance and recovery, backup management, crisis management
  • Supply chain security, inter-facility security, service provider security
  • Security in development, procurement and maintenance
  • Vulnerability management
  • Evaluation of the effectiveness of cyber security and risk management
  • Cybersecurity and cyber hygiene training
  • Cryptography and encryption
  • Personnel security, access control and asset management
  • Multi-factor authentication and continuous authentication
  • Secure communication (voice, video and text) and secure emergency communication 
     
In addition, there are further requirements such as the implementation of attack detection systems for critical operators. For certain sectors (e.g. operators of public telecommunications networks and telecommunications services, energy suppliers and financial service providers), the requirements of the regulatory laws (e.g. TKG, EnWG, BNetzA security catalog, DORA) continue to apply.
 

What specific action is needed?

If organizations determine that they are affected, they must first determine the scope in which the above-mentioned measures must be implemented. Furthermore, the organization must register with the BSI (Federal Office for Information Security) by the deadline and designate a contact point. This is to ensure that the reporting obligations can be fulfilled. The implementation of cybersecurity measures must be documented and, depending on the type of organization (operator of critical facilities | important or particularly important facilities), verified to the BSI. Managers must also regularly attend training courses to ensure they have sufficient knowledge and skills to assess risks and measures.
 
How can Rödl & Partner support you? Our NIS2 Readiness Check assesses your organization with regard to the requirements of the NIS2 directive. We check whether your security measures comply with the regulations and help you to be prepared for implementation. We identify quick wins for increasing your security level and show you the fields of action for achieving NIS2 compliance.
 

Conclusion

With the implementation of the NIS2 Directive in Germany, the scope of application of the existing cyber security requirements will be significantly expanded. Once the extent to which you are affected by the regulations has been clarified, your own status quo should be evaluated as part of an as-is assessment. A gap analysis can then show which gaps need to be closed in order to meet the legal requirements. The implementation of cybersecurity measures should not be seen merely as a necessary evil to meet new compliance obligations. Rather, the requirements reflect sensible and sometimes overdue measures to protect against the real threat of cyber incidents.

NIS2-Roadshow

As part of our NIS2 roadshow, Falk Hofmann and Frederik Kopp give an overview of the new provisions and are happy to answer questions and exchange views. You can find the schedule and (free) registration on our » event page.
 
 

Contact

Falk Hofmann

Partner

+49 30 810 795 84

Frederik Kopp

Senior Associate

+49 521 260748 13
