On July 24th, the German Federal Cabinet approved the government draft for the NIS2 Implementation and Cybersecurity Strengthening Act. This marks a significant step towards implementing the NIS2 Directive into German law. Something similar is expected to be implemented in other European countries as well.
The parliamentary legislative process has begun with the publication of the government draft. While no significant changes are expected, the process is anticipated to last until spring 2025. Although the new obligations will only apply in Germany once the NIS2UmsuCG comes into force, affected organisations should familiarise themselves with the requirements and take steps towards implementation.
This document will provide you with:
With the rapid digitisation of daily life, protection against cyber threats has become essential for the smooth functioning of society. The European Parliament has therefore updated EU law with a series of new cybersecurity regulations. Cybersecurity encompasses all activities necessary to protect network and information systems, their users, and others affected by cyber threats.
The most far-reaching regulation in the European Union is the revised Directive on Security of Network and Information Systems (NIS2 Directive), which replaces the 2016 directive. Having been in force since January 16, 2023, the NIS2 Directive must be implemented in all EU member states by October 17, 2024. It applies to an expanded number of organisations across a wide range of sectors.
The directive aims to increase the level of cybersecurity within the EU, strengthening resilience against cyberattacks. The German Federal Minister of the Interior, Nancy Faeser, has summarised the goals of the NIS2UmsuCG in Germany:
"The threat situation in the area of cybersecurity remains high... With our law, we are increasing protection against cyberattacks, regardless of whether they are state-directed or criminally motivated. In the future, more companies in more sectors will have to meet minimum cybersecurity standards and reporting obligations for cyber incidents."
Nancy Faeser
Compliance with the minimum legal requirements of NIS2 and accompanying standards is an important starting point for many organisations. These requirements and standards provide a broad framework that often brings previously neglected areas outside of IT (so-called ‘blind spots’) into the focus of information security management for the first time. After all, cybersecurity is no longer just a technical IT issue, but an issue that requires the active participation of the entire organisation – from technology to production, and sales to management.
However, those who want to use resources effectively in the long term are well advised to not just meet compliance laws and standards from the outset but exceed them. Compliance does not automatically equate to security against theft, manipulation, and the publication of business-critical information or negative headlines with a wide media reach. For this reason, the legislator has based the NIS2 requirements on a risk-based approach. Accordingly, affected organisations can decide on appropriate and proportionate technical, operational, and organisational measures, taking into account the likelihood of security incidents and their severity (including social and economic impacts).
This approach aims to promote the effective development of resilient systems rather than the efficient compliance with rigid requirements. Rather than slowing down business, effective information security controls enable organisations to move faster into a digital future.
The NIS2 Directive expands the scope of its 2016 predecessor to eleven ‘highly critical’ sectors, including energy, transport, banking, public administration, and healthcare. It also affects other ‘critical’ sectors such as postal and courier services, food production, processing, distribution, and digital services.
Even organisations that do not directly fall into these sectors but act as suppliers or partners can be indirectly affected by the NIS2 Directive. They, too, can represent potential gateways for cyberattacks.
Affected organisations must fulfil extensive cybersecurity requirements. These include, in particular, the responsibility of management bodies and regular cybersecurity training for all employees (Article 20), risk management measures including regular risk analyses, the management of security incidents and the maintenance of operations (Article 21), specific reporting (Article 23) and documentation obligations (Recital 122).
Management bodies must approve the risk management measures taken, monitor their implementation and be personally liable in the event of breaches of their obligations. In the event of significant security incidents, companies must issue an early warning within 24 hours, submit an initial assessment within 72 hours and submit a detailed final report no later than one month after the assessment. In addition, the directive emphasises the importance of security in the supply chain: companies should scrutinise their supplier relationships and carry out risk assessments.
To promote cyber resilience and combat cybercrime, the EU legislator has enacted additional cybersecurity regulations alongside the NIS2 Directive. These include:
The NIS2 Directive presents significant challenges for affected organisations but also offers an opportunity to significantly improve their cybersecurity. A holistic approach that goes beyond IT and provides risk-based decision-making bases enables organisations to not only meet the requirements of the NIS2 Directive but also strengthen their overall resilience.
The resolution of the German Bundestag on the so-called NIS2-Umsetzungs-und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) is still pending. However, the BSI has already published initial helpful guidance, which we can support you in implementing. We believe that something similar will appear in the other European countries as well.
A1 Digital sees the NIS2 Directive as an important step towards increasing the overall level of cybersecurity in the EU. We help organisations understand their risks and actively drive their risk management measures. To this end, we develop solutions tailored to the individual needs of each organisation.
Furthermore, we offer our customers our expertise in operational technology security to support organisations in protecting their industrial systems and critical infrastructures. We consider the risk-based approach to information security and the corresponding assessment to be the most effective in protecting critical infrastructures.