The NIS 2 Directive (the "Network and Information Security [NIS] Directive") came into force at the beginning of 2023 and must be transposed into national law by October 17, 2024. It redefines the requirements for cyber and information security and, for the first time, makes them a legal obligation for many thousands of companies. Among other things, the NIS 2 Directive prescribes minimum measures for corporate risk management, reporting obligations to government agencies in the event of IT security incidents, and stricter sanctions and liability regimes for company management. The aim is to raise and harmonize the level of cybersecurity in the member states. What sets NIS 2 apart is that it is not limited to larger institutions but also targets the broad mass of medium-sized companies.
Affected companies
The scope of NIS 2 goes far beyond critical infrastructure and covers a wide range of sectors. The "particularly important" and "important" entities concerned include, by way of example, companies in energy; air, rail, road and water transport; finance; health; water; information technology and telecommunications; transport and traffic; waste management; chemical products; food; manufacturing and the production of goods; and digital or IT services. The law lists the affected branches broadly in two appendices, which together cover extensive parts of the economy. It is prudent for medium-sized companies to assess, as far as possible, how they themselves will be affected before the law comes into force.
The legislator narrows the scope of application somewhat by means of threshold values for medium-sized companies. Whether a given institution is affected therefore depends on whether it employs 50 or more people (250 or more employees in the case of a particularly important institution), or whether it has an annual turnover of more than EUR 10 million and an annual balance sheet total of more than EUR 10 million (for a particularly important institution, an annual turnover of EUR 50 million and an annual balance sheet total of more than EUR 43 million). The sixth German draft law, which has now been issued, contains deviations for providers and operators of publicly accessible telecommunications services or public telecommunications networks.
This includes all companies that are listed in one of the appendices in question as particularly important or important institutions and exceed the minimum thresholds.
Apart from that, special rules apply to companies that operate critical facilities or are (qualified) trust service providers, top-level domain name registries or DNS service providers. No thresholds apply to these. The relevant companies are therefore covered by the law regardless of their size in the respective areas.
The Federal Ministry for Economic Affairs and Climate Protection (BMWi) estimates that 8,250 companies in this country will be affected by the law as particularly important institutions and 21,600 as important institutions. This makes a total of almost 30,000 companies. The annual compliance costs for businesses are expected to increase by around EUR 2.3 billion.
Impact and obligations
Organisations must ensure that appropriate, proportionate and effective technical and organisational measures are implemented to avoid disruptions to the availability, integrity and confidentiality of information technology systems, components and processes, and to minimize the impact of security incidents. The legislator chooses an open, rather general approach, which in any case includes the three well-known essential pillars of information security: availability, integrity and confidentiality. Compliance with this obligation must also be documented by the company.
1.
In addition, further minimum measures for corporate risk management are to be implemented. These include, for example, a corporate concept for risk analysis, backup management in the event of an emergency, basic procedures for cyber hygiene and training on cyber security topics, access control concepts and the use of cryptography and encryption. Details can be found in § 30 para. 2 of the latest draft law. Here, it should be checked whether the requirements already correspond to one's own business practice.
It is interesting to note that, in addition to the perspective of the individual company, these legal minimum measures also include security in the supply chain. In this context, the idea of interdependency and thus also the mutual risk potential should be taken into account. No matter how high the standards of protection in company "X" may be, they are of limited use if the company is exposed to inadequate standards in company "Y" in the supply chain. However, the statutory program of duties is not specifically outlined. There is a risk here that the "larger companies" will pass on their contracts within the supply chain and impose them on other companies. This then also affects, not least, "small companies" below the threshold values shown, on which NIS 2 in the supply chain will also have an impact.
2.
If significant IT security incidents occur, NIS 2 in particular requires a multi-level system of reporting obligations for the company to a joint reporting office to be set up by the Federal Office of Civil Protection and Disaster Assistance:
In a first step, the company must submit a so-called initial report no later than 24 hours after becoming aware of the incident, stating whether there is a suspicion that the security incident is the result of illegal or malicious actions and whether it could also have cross-border effects. Within 72 hours of becoming aware of it, the company must then submit a further report confirming or updating this information and providing an initial assessment of the significant IT security incident. No later than one month later, the company must submit a final report to the reporting office with a detailed description of the incident. This must also include information on the type of threat and the underlying cause that is likely to have triggered the security incident, as well as details of the remedial measures taken and still in progress.
It seems not only advisable but essential for the companies concerned to internalize these new graduated reporting requirements in advance and test them internally to avoid being overwhelmed by the tight reporting deadlines in the event of IT incidents. Procedures should be designed and on-call services set up. For some companies, this may be completely new territory.
3.
Finally, NIS 2 also requires affected companies to register with the Federal Office for Information Security (BSI).
Impending sanctions and measures against management
This is where the legal distinction between "particularly important" and "important" facilities comes into play. For "important facilities", lower fines are imposed for violations and these facilities are only subject to subsequent (reactive) supervisory measures, while in the case of "particularly important institutions" the Federal Office also has the power to carry out preventive (proactive) supervision at any time.
1.
In the case of "particularly important" facilities, the Federal Office may carry out preventive controls (e.g. in the form of on-site inspections). The company concerned must allow the Federal Office and the persons acting on its behalf to enter the business and operating premises during normal operating hours for the purpose of inspection and, upon request, to present the relevant records, written material and other documents in a suitable manner, provide information and the necessary support. If the Federal Office had justified doubts in advance as to whether the respective company would comply with the NIS 2 requirements, it can bill the company for its fees and expenses here.
In the case of "important" facilities, there are no advance checks without cause. Here, measures can only be taken (after the fact) if facts justify the assumption that an important facility is not implementing the requirements of NIS 2 or is not implementing them correctly.
2.
Violations of the NIS 2 requirements should be subject to fines. The details of the grounds for fines can be found in § 67 of the latest German draft bill.
For "particularly important" institutions, the amount of the fine is to be up to 10 million euros or, in the case of an annual turnover of more than 500 million euros, up to 2 percent of the annual turnover. For "important" organizations, maximum amounts of seven million euros or 1.4 percent of annual sales are planned. The decisive factor in each case is the company's worldwide annual turnover in the fiscal year preceding the infringement.
3.
Finally, the focus is on measures against management. NIS 2 provides for management (managing directors / the board of directors) to be held liable across all categories of institutions.
The background to this is that it is precisely the management that should be obliged to approve the risk management measures to be taken by the company for cyber security and to monitor their implementation. These are legally identified as the responsible bodies.
Furthermore, the management of "particularly important" institutions may even be temporarily prohibited from exercising their management functions if the companies fail to comply with the Federal Office's orders despite being given a deadline to do so. This prohibition will remain in place until the necessary measures have been taken and the company's violation has been remedied.
Conclusion and outlook
The NIS 2 Directive and its implementation are not limited to large (listed) companies. In particular, the effects for the medium-sized companies that are also included are not yet fully foreseeable in some cases. The existing uncertainties of many companies are quite understandable here, but fear or panic is the wrong way to react. Rather, SMEs in particular should prepare themselves as best they can for the new law. It remains to be seen whether German lawmakers can meet the European implementation deadline of October 17, 2024, and as things stand now, it is doubtful.
My article entitled "Sixth draft bill specifies the new corporate cybersecurity requirements under NIS 2" also addresses this topic.
The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.