Lawyer Dr. jur. Christian Cloos, Legal advisor in Koblenz
Thursday, 05.09.2024

Sixth draft bill specifies the new corporate cybersecurity requirements under NIS 2



by Dr. jur. Christian Cloos, Lawyer

German lawmakers do not have much time left: like all member states of the European Union (EU), they must transpose the new version of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (hereafter: NIS 2 Directive) into national law. This means that cybersecurity will soon become a legal requirement for many thousands of companies based in the country, in some cases for the first time. On June 24, 2024, the Federal Ministry of the Interior and Community published the sixth draft bill of a law to implement the NIS 2 Directive ("RefE"). Despite ongoing resistance and disagreement, it seems quite likely that at least the draft's "Part 3" (which contains measures for corporate risk management and, in particular, reporting requirements in the event of significant IT incidents), which is of critical importance for medium-sized companies, will find its way into the Federal Law Gazette without any serious changes. That is reason enough to take a closer look at the implications for the companies concerned.


I. Personal scope – wide range of economic sectors

Art. 20 (1) NIS 2 Directive requires that Member States ensure that the management bodies of particularly important and important entities approve the cybersecurity risk management measures taken by them and monitor their implementation. Section 38 (1) of the draft bill addresses this. Accordingly, whether a company is affected depends, at the outset, on who is included in the category of "particularly important and important institutions", which at first glance seems somewhat ominous.

This category is defined in Section 28 of the draft bill, which, with a total of nine paragraphs containing exceptions, references and definitions, appears rather unwieldy and is therefore likely to present certain challenges in practice.

1. According to § 28 (1) and (2) RefE, the following are included among the particularly important and important institutions regardless of their size: companies that operate critical facilities, providers and operators of publicly accessible telecommunications services or public telecommunications networks, (qualified) trust service providers, top-level domain name registries and DNS service providers.

The draft bill (RefE), like the NIS 2 Directive, also contains two annexes listing the affected sectors and types of entities individually. However, the draft bill provides for the entities mentioned above to be covered regardless of whether they are mentioned in the two annexes and thus goes beyond the NIS 2 Directive (cf. Art. 2 para. 1), which raises no concerns given the minimum harmonization character of the directive (Art. 5). As a result of the lack of a minimum size and other conceptual limitations, even the smallest "providers of public telecommunications services or operators of public telecommunications networks" could be included. Thus, under certain circumstances, providers of public WLAN hotspots could already become affected parties. It remains to be seen how this will develop and be received in practice.

2. However, small and medium-sized companies in particular should keep an eye on § 28 (1) no. 4, (2) no. 3 RefE:

This provision now covers, particularly extensively, all companies that exceed the so-called threshold for medium-sized companies and are listed in one of the two annexes as particularly important or important sectoral institutions.

These include, by way of example, companies in the energy, air, rail, road and water transport, finance, health, water, information technology and telecommunications, transportation and logistics, waste management, chemical products or food, manufacturing industries or the production of goods, and digital or IT services sectors. The breadth of economic sectors is somewhat astonishing: it goes well beyond the pure provision of public services and takes in a large number of medium-sized companies ("across the economy"). It is prudent for SMEs in particular to verify the extent to which they are affected.

This will not always be quick and easy to determine, especially at the beginning. The two annexes to the directive, with their cross-references to further EU regulations, make it anything but easy for companies to do so. Those who lose sight of the bigger picture when examining the extent to which their business is affected should not shy away from legal assistance in order to avoid being overwhelmed by the effects of NIS 2.

For the determination of the size of the company, Art. 2 para. 1 NIS 2 Directive refers to the recommendation of the EU Commission on the definition of micro, small and medium-sized enterprises of 06.05.2003 (in short: "SME definition"). This is adopted by § 28 (3) RefE. All companies that employ 50 or more persons, or that generate an annual turnover of more than EUR 10 million and have an annual balance sheet total of more than EUR 10 million, are to be included among the institutions in question.

3. It becomes opaque when several companies act jointly (see also Hessel/Callewaert/Schneider, RDi 2024, 208, 209 et seq. for more details on the following).

The rigid link to the concept of an entity (cf. Art. 6 No. 38 NIS 2 Directive) reaches its limits here. Within a corporate group, only the company that (demonstrably) carries out the relevant activities itself can actually be bound as a legal entity. In the future, this will raise difficult questions of demarcation that have not yet been clarified in detail.

The original German concept of a joint operator has been adopted by neither the NIS 2 Directive nor the draft bill. Thus, only the individual company is likely to be held legally responsible, but not the corporate group. It will be interesting to see how this "loophole" is addressed in practice.

4. Based on the reasoning of the German RefE, the Federal Ministry for Economic Affairs and Climate Protection (BMWK) assumes that an estimated 8,250 companies in Germany will be affected by the law as particularly important institutions and 21,600 companies as important institutions. This will include not only large listed companies but also a large number of medium-sized companies. The annual compliance costs for businesses are expected to increase by around 2.3 billion euros.

Individual questions and sectoral uncertainties in detail will remain, at least for the time being.


II. Effects for the affected companies

The starting point for the cybersecurity obligations of the affected entities, which is essentially based on Article 21(1) of the NIS 2 Directive and is thus part of the national transposition requirement, can be found in Section 30(1) of the draft bill: the companies must ensure that they implement appropriate, proportionate and effective technical and organizational measures to avoid disruptions to the availability, integrity and confidentiality of the information technology systems, components and processes that they use to provide their services, and to minimize the impact of security incidents. In doing so, the extent of risk exposure, the size of the organization, the costs of implementation, and the probability of occurrence and severity of security incidents, as well as their social and economic impact, must be taken into account.

In any case, this covers the three well-known cornerstones of information security: availability, integrity and confidentiality. Beyond that, § 30 para. 1 RefE currently sheds little light on specific further corporate obligations, but this is in line with the broad legislative approach. Companies will have to deal with this.

The institutions must document their compliance with the obligations.

1. However, the legislator wants to be more specific in § 30 (2) of the draft bill, with the minimum measures for corporate risk management listed there.

Accordingly, for example, a concept for risk analysis, backup management in an emergency, basic procedures for cyber hygiene, training on aspects of cyber security, access control concepts, and the use of cryptography and encryption will henceforth be required. In this respect, too, it should be checked whether the requirements already correspond to one's own business practice.

It is interesting to note that, from the perspective of the individual company, security in the supply chain is also included among the listed minimum measures according to § 30 para. 2 sentence 2 no. 4 RefE (congruent in this respect with Art. 21 para. 2 lit. d) NIS 2 Directive). Here the idea of interdependency, and with it the mutual risk potential, is clearly taken into account: no matter how high the protection standards are in company "X", they are of limited use if this company is exposed to the inadequate standards of company "Y" in its supply chain.

On the other hand, it remains unclear which measures are now required in the supply chain. As can be seen from Recital 54 of the NIS 2 Directive, the regulation takes into account increased "attacks on the supply chain" in the recent past, without, however, substantiating the program of obligations. The standards should be made more precise at this point (are certain contracts sufficient?; evidence of measures taken by the company in the supply chain?; scope of the influence and control obligations of the third-party service providers used by the individual company?; other information and education obligations?). This seems to be fundamental not least because these requirements within the supply chain will also have a de facto impact on the smaller companies (not actually covered by NIS 2) below the thresholds (fewer than 50 employees, see above), which, as suppliers, for example, will suddenly be "on board". If the legislator leaves this open, there is a risk that small companies will be completely overwhelmed if they are unable to meet the (possibly overly) strict contractual requirements of the NIS 2 companies.

2. A multi-layered set of reporting obligations to a state-run joint reporting office, which is particularly critical for medium-sized companies and in need of explanation, is currently still completely foreign to many companies. These obligations are triggered by so-called significant security incidents (see § 32 RefE).

According to § 2 para. 1 no. 11 RefE, these are events that a) have caused or could cause serious operational disruptions to the services or financial losses for the institution concerned; or b) have adversely affected or may adversely affect other natural or legal persons as a result of substantial material or immaterial damage.

If such an IT incident has occurred, the affected company must, according to § 32 para. 1 no. 1 RefE, immediately, but no later than 24 hours after becoming aware of it, make a so-called initial report stating whether there is any suspicion that the security incident is the result of illegal or malicious actions and whether it could have cross-border implications. According to § 32 (1) no. 2 RefE, a second notification must be submitted within 72 hours of becoming aware at the latest, which confirms or updates this information and at the same time contains an initial assessment of the significant security incident, including its severity and impact, and, if applicable, indicates the indicators of compromise. According to § 32 (1) no. 4 RefE, a third report with a detailed description of the incident must then be submitted to the reporting office no later than one month later. This must also include information about the type of threat and the underlying cause that is likely to have triggered the security incident, details of the preventive measures taken and in place, and, if applicable, the cross-border effects of the security incident.

It seems not only advisable but essential for the companies concerned to internalize these new graduated reporting requirements in advance and test them internally so as not to be overwhelmed by the tight time frames in the event of such a cyber incident. Processes should be designed and on-call services (necessarily) set up. Not only should you be aware of your respective corporate obligations, but you should also be able to implement them at any time. For many companies, this will be completely new territory.

In addition, the above IT reporting requirements for significant security incidents do not in any way displace existing reporting requirements under other legal provisions. Not least, the controller's obligation to notify the data protection authority under Art. 33 GDPR, which is likewise laid down at the European level, should be borne in mind here if the incident, as will often be the case, involves a personal data breach. Consequently, there may be simultaneous reporting obligations to different bodies. Particularly unfortunate for the company concerned: according to Art. 33 (1) GDPR, that notification must also be made without undue delay and, where feasible, within 72 hours. This makes the situation particularly challenging.

3. Section 33 (1) of the draft bill additionally requires the companies concerned to register with the Federal Office for Information Security (BSI), providing the data listed in the provision. Section 34 of the draft bill provides for a special registration requirement for certain types of facility. Sections 31 and 39 of the draft bill contain special requirements for risk management measures and active obligations for operators of critical installations to provide evidence. According to § 28 para. 6 of the draft bill, such operators are natural or legal persons or legally dependent organizational units of a regional authority that, taking into account the legal, economic and factual circumstances, exercise a decisive influence on one or more critical facilities. Which installations are considered critical installations within the meaning of this law is to be determined by ordinance pursuant to § 58 (4) RefE.

4. Section 38 of the draft bill, which sets out the obligations of managing directors, is also not without controversy.

Section 38 (1) of the draft bill requires the management of particularly important institutions and important institutions to approve the risk management measures to be taken by these institutions in accordance with Section 30 of the draft bill in the area of cyber security and to monitor their implementation. The fundamental legislative reconnection to § 30 para. 1 RefE is unmistakable here (see above).

As a consequence of the liability under the applicable rules of corporate law, the management of companies shall be held liable for NIS 2 violations (Section 30 (2) RefE).

The discussion is, for the most part, measured. Art. 20 para. 1 and Art. 32 para. 6 NIS 2 Directive prescribe a cross-institutional liability of the management here. Section 38 (2) of the draft bill is therefore required by the obligation under EU law to implement the directive. Regardless of this, it should not be seriously disputed that the NIS 2 Directive requires prudent risk management measures in the area of cybersecurity, and that senior management (managing directors and board members) are at the forefront of their implementation and monitoring. The management bodies' program of duties pursuant to Section 38 (1) of the RefE, which according to Section 38 (3) of the RefE also includes regular participation in training, will be incorporated into the company law requirements (e.g. § 43 of the German Limited Liability Companies Act (GmbHG) and § 93 of the German Stock Corporation Act (AktG)) in an interpretation consistent with the directive.


III. Powers of intervention and impending sanctions

This is where the distinction between "particularly important" and "important" institutions comes into play.

This manifests itself in the fact that "important" institutions are subject to lower fines for violations and are only exposed to retrospective (reactive) supervisory measures in suspicious cases, while for "particularly important" institutions the Federal Office also has the power to carry out preventive (proactive) supervision at any time.

1. In the case of particularly important institutions, the Federal Office may carry out so-called preventive controls (e.g. in the form of on-site inspections) and may use a qualified independent third party for this purpose (§ 63 para. 5 RefE, Art. 32 para. 2 NIS 2 Directive). For the purposes of the inspection, the affected company must grant access to its business and operating premises during normal operating hours and, upon request, present the relevant records, written documents and other records in a suitable manner, provide information and provide the necessary support overall. The Federal Office shall charge the company concerned fees and expenses for this inspection if it has taken action on the basis of specific indications that gave rise to justified doubts regarding compliance with the requirements of Section 30 (1) RefE.

However, in the case of "important" institutions, advance checks without cause cannot be carried out. In these cases, measures pursuant to § 64 RefE can only be taken retrospectively if concrete "facts" justify the assumption that the "important" facility is not implementing the NIS 2 requirements or is not implementing them correctly.

The intervention powers, which vary depending on the type of institution, are laid down at the European level in Art. 32 para. 1 and Art. 33 para. 1 NIS 2 Directive. The German legislator intends to comply with this.

2. Violations of the NIS 2 regulations will be subject to fines. The individual cases of fines can be found in detail in § 67 RefE. As with the powers of intervention, the amount of the fine will also be graded differently for "particularly important" and "important" institutions.

For "particularly important" institutions, the fine can amount, according to Section 67 (5) no. 1 a), (6) RefE, to up to 10 million EUR or, in the case of an annual turnover of more than 500 million EUR, up to 2 percent of this annual turnover, e.g. if the risk management measures to be taken are not taken or if the relevant reporting obligations are not fulfilled, or not correctly, completely or timely fulfilled (see above).

For "important" institutions, maximum amounts of seven million euros or 1.4 percent of annual turnover are envisaged here according to Section 67 (5) no. 1 b), (7) RefE.

According to § 67 (8) of the draft bill, the decisive factor in each case is the company's worldwide annual turnover in the fiscal year preceding the infringement.

The system of sanctions is based on Art. 34 (4), (5) NIS 2 Directive.

3. In addition, the management of "particularly important" facilities may, under the conditions of § 63 para. 9 no. 2 RefE (non-compliance with the respective orders of the Federal Office despite the setting of a deadline) even be prohibited by the competent supervisory authority from continuing to exercise representation and management functions until the institution complies with the orders of the Federal Office. In this context, the legislator speaks of "unreliable" management. It remains to be seen whether this is appropriate in view of the considerable range of obligations that NIS 2 imposes on companies.

Section 63 (9) no. 2 of the draft bill serves to implement Article 32 (5) (b) of the NIS 2 Directive.


IV. Conclusion and outlook

The NIS 2 Directive and its implementation are not limited to large listed companies in their personal scope of application. Especially for medium-sized companies, which are also included by law, the exact effects are not yet foreseeable in some cases. The German draft is "bulky" in more than a few places and is difficult to navigate due to the many paragraphs and cross-references in the respective provisions. This is particularly unfortunate in view of the far-reaching corporate implications and significant sanctions. In some cases, the duties themselves also remain (too) unspecific. In this respect, the German legislator should, in the opinion of the author, "readjust". Whether this will happen is just as doubtful as meeting the national implementation deadline.

The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.