NIS-2: Federal government adopts NIS2UmsuCG

On 24 July 2024, the German government passed the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). Around 30,000 companies in Germany will thus be subject to stricter IT security precautions.

The Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) came into force on 16 January 2023. As this is a directive, it must be transposed into national law; this will be done in Germany by the NIS2UmsuCG. According to the German government, this will comprehensively modernise and restructure German IT security law. The two categories of "important organisations" and "particularly important organisations" will be introduced, which will be accompanied by a significant expansion of the scope of application previously limited to operators of critical infrastructures, providers of digital services and companies in the special public interest. This includes a catalogue of minimum security requirements, including mandatory risk analysis concepts, measures to maintain operations, backup management and concepts for the use of encryption. The previous one-stage reporting obligation for cyber security incidents will be replaced by a three-stage reporting system; an initial report is to be submitted within 24 hours, an update within 72 hours and a final report within one month. Section 38 NIS2UmsuCG harbours particular risks. According to this, the management of companies must approve the specific measures to be taken as suitable and continuously monitor their implementation; even if auxiliary persons are involved, the management body remains ultimately responsible and can be held personally liable for breaches of duty.

In order to inform potentially affected companies, the Federal Office for Information Security (BSI) has published support services. An impact assessment contains specific yes/no questions based on NIS-2 in order to categorise companies into four categories: Critical Infrastructure Operators, Particularly Important Organisations, Important Organisations and Unaffected Companies. A FAQ catalogue was also presented; it includes questions and answers on the most important NIS-2 topics, such as affectedness, contact points and legal obligations. "The threat level in the area of cyber security remains high," said Federal Minister of the Interior Nancy Faeser. "With our law, we are increasing protection against cyber attacks, regardless of whether they are state-directed or criminally motivated. In future, more companies in more sectors will have to fulfil minimum requirements for cyber security and reporting obligations in the event of cyber incidents." According to BSI President Claudia Plattner, around 29,500 companies in Germany will be obliged to implement cyber security measures in future. "They guarantee the security of supply for the population and form the backbone of Germany as a cyber nation. The BSI will therefore provide them with the best possible support and make the implementation of the legal requirements as smooth as possible." However, the NIS2UmsuCG will not be a sure-fire success within the traffic light government. According to heise.de, Konstantin von Notz, deputy leader of the Green parliamentary group, criticised the draft and announced that parliament would now deal with the law "very intensively" in the further process.

Meanwhile, the lawyer Fabricio Vayra from the international law firm Perkins Coie LLP called on the internet administration ICANN once again to harmonise the WHOIS system with Article 28 of NIS-2. Although the provisions of NIS-2 will come into force in most EU member states on 18 October 2024, it is still unclear what is required of registries and registrars. However, it is time to tackle the implementation of Article 28 with the same passion with which ICANN drove the harmonisation of the GDPR and WHOIS in 2018. It is not enough to place the responsibility solely on the registries and registrars.

You can find the federal government's draft law at:
https://www.bmi.bund.de/SharedDocs/gese ... onFile&v=1

You can find the article by Fabricio Vayra at:
https://circleid.com/posts/20240725-har ... article-28

An open secret has been confirmed: the NIS 2 Directive will not be transposed into national law in the Federal Republic of Germany by 17 October 2024 as planned. Spring 2025 is currently considered realistic.

The Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) came into force on 16 January 2023. As this is a directive, it must be transposed into national law. This is to be done in Germany through the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG); the implementation deadline set by the EU ends on 17 October 2024. The NIS2UmsuCG extends the regulatory framework created by the IT Security Act to the area of certain companies in accordance with EU law. The changes provided for in the draft law include the introduction of the categories of organisations specified by NIS-2, which is accompanied by a significant expansion of the scope of application previously limited to operators of critical infrastructures, providers of digital services and companies in the special public interest. Furthermore, with the draft law, the Federal Government wants to expand the instruments of the Federal Office for Information Security (BSI) with regard to the supervisory measures specified by NIS-2 and incorporate the catalogue of minimum security requirements of Article 21 (2) of the Directive into the BSI Act. In addition, the previous one-stage incident reporting obligation is to be replaced by the three-stage reporting regime of NIS-2. Even though much of the draft law is already known, details and thus, above all, binding specifications are reserved for the final version of the NIS2UmsuCG once the parliamentary procedure has been completed.

On Friday, 11 October 2024, the Bundestag then debated the Federal Government's draft bill (printed matter 20/13184) at first reading in sparse attendance. As expected, the CDU/CSU parliamentary group criticised the fact that the German government had not yet implemented NIS-2 despite the increasing number of high-impact cybersecurity incidents; this places a burden on operators of critical infrastructure and exposes German infrastructure to incalculable security risks. Bengt Bergt (SPD), on the other hand, emphasised that the legislative process is ongoing: ‘I would always prefer a thorough traffic light law than a botched Union law.’ At the same time, he conceded that swift action was necessary. Dr Silke Launert (CDU/CSU) criticised in particular the fact that only EUR 400,000 had been earmarked in the 2025 budget for the protection of critical infrastructure. In contrast, the NIS2UmsuCG has far-reaching effects on the economy. For them, the annual compliance costs are expected to increase by around EUR 2.2 billion; in total, one-off costs of around EUR 2.1 billion are expected to be incurred, almost exclusively in the category of introducing or adapting digital processes. However, it did not get much more specific than that. Following the first reading, the federal government's bill on the NIS2UmsuCG was referred to the Committee on Internal Affairs for a lead debate. It is not yet clear when the consultation in the committees will be completed; it is currently considered realistic that the NIS2UmsuCG will come into force in spring 2025.

Anyone who wants to know whether a company is covered by the NIS2UmsuCG can now carry out the BSI's ‘NIS-2 Affectedness Test’. Based on the current draft law, the online check asks specific questions orientated towards the draft in order to categorise a company. The questions are kept short and precise and are explained in more detail in small print if required. The result is an automated initial assessment of whether a company is affected by the NIS2UmsuCG and explains what this status means and what obligations are stipulated by the legislator.

You can find the federal government's draft law (in German) at:
https://www.bmi.bund.de/SharedDocs/gese ... onFile&v=1

You can find the plenary minutes of 11 October 2024 (in German) at:
https://dserver.bundestag.de/btp/20/20190.pdf#P.24737

You can complete the ‘NIS-2 Affectedness Test’ (in German) here:
https://www.bsi.bund.de/DE/Themen/Regul ... _node.html

NIS-2 casts its shadow ahead: the .de registry DENIC eG has announced how it will react to the planned legal changes, which are expected to apply in Germany from the second quarter of 2025.

By 17 October 2024, each of the 27 EU member states would have had to transpose the Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) into national law. Article 28 NIS-2 in particular has a significant impact on the domain name industry, as it sets out requirements for the ‘database of domain name registration data’. However, Germany was not the only country to miss this hurdle; only Belgium and Croatia met the deadline. The situation is unclear in other EU member states, where a gradual approach to implementation has been chosen. In the Netherlands, for example, a cybersecurity law is not expected until the third quarter of 2025. According to the .nl registry SIDN, progress is slow mainly because the directive gives member states a great deal of discretion in transposing it into national law, which has led to time-consuming debates. Despite all the confusion and delays, the companies and institutions affected by the directive have no choice but to act, as compliance with the new regulations requires considerable preparation in many cases.

DENIC has therefore already faced up to the challenges posed by NIS-2 and announced how its business processes will change. This affects the data to be recorded during domain registration, including the checking of this data and the WHOIS information. In future, the registration data of legal entities will be issued in full via the WHOIS domain query. This includes the name and address of the domain holder as well as their e-mail address and telephone number. It also shows when the domain was registered, as well as the name and contact details of the responsible registrar. Owner data is still not displayed via the WHOIS if the domain owner is a natural person and their data is therefore personal data within the meaning of the General Data Protection Regulation (GDPR). In these cases, only the date when the domain was registered and the name and contact details of the responsible registrar are displayed. In addition, domain holders can still retrieve their data stored with DENIC via the WHOIS. To do this, they legitimise themselves by entering the postcode or e-mail address they have registered with DENIC and then receive a time-limited retrieval link to this address.

The provisions of the GDPR remain unaffected by NIS-2. Therefore, no personal data on domain holders will be accessible via the WHOIS on DENIC's website. In individual cases, however, DENIC may, upon proof of a legitimate interest, release the data of domain holders, for example to the holders of name and trademark rights, insolvency administrators and claimants in possession of an enforceable title. DENIC provides specialised forms for these groups, which can be used to request information about the domain holder.

DENIC's information can be found at:
https://blog.denic.de/en/new-legislatio ... is-lookup/

The last word has not yet been spoken on the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG): the federal government's draft bill was heavily criticised at an expert hearing in the Bundestag's Committee on Internal Affairs. With the end of the traffic light coalition, the law is also at risk of being completely cancelled.

The EU member states had until 17 October 2024 to transpose the Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) into national law. However, only Belgium and Croatia met the deadline. In Germany, at least the first hearing on NIS2UmsuCG took place in the Committee on Internal Affairs on 4 November 2024. Bundestag document 20/13184 was discussed with several experts for around 105 minutes under the chairmanship of Petra Pau (Die Linke). The experts agreed that the NIS 2 Directive must be implemented quickly. However, the exemptions for state administrations in particular met with opposition. At the same time, there were calls for better dovetailing of the NIS2UmsuCG with the KRITIS Umbrella Act and clarification of the role of the Federal Office for Information Security (BSI). But there was also plenty of other criticism. Boris Eisengräber, Head of Cyber Security at software company Schwarz Digits, noted that different implementations of NIS-2 in the member states would pose challenges for companies operating across the EU, making it more difficult to respond effectively to cyber attacks. Representatives of the domain name industry have been pointing out this risk for months. For example, Nic.at Managing Director Richard Wein warned at the Domain pulse that registries and registrars working across borders could end up facing 27 different sets of requirements.

According to Prof Dr Dennis-Kenji Kipker from the University of Bremen, the draft law still contains too many weaknesses and ambiguities, including some provisions ‘that are not conducive to increasing the general level of cybersecurity’. The main points of criticism concern the still unclear role of the BSI in the national administrative structure, which has not been touched. This is despite the fact that the BSI is not only to undergo a massive expansion in its role as the central office for cyber security, but will also receive numerous additional powers with NIS-2. According to Kipker, the draft contains further significant and noteworthy weaknesses with regard to data protection, ‘some of which may even be in breach of EU law’. From the perspective of the German economy, communication and support for regulated organisations could also be improved, according to Felix Kuhlenkamp from the IT industry association Bitkom. In other countries, the affected companies are actively informed by the government; in Germany, on the other hand, 30,000 companies have to find out for themselves ‘whether they are affected by NIS-2’. Meanwhile, the threat level in cyberspace remains high, said BSI President Claudia Plattner. There is a very high risk for critical infrastructures, federal administrations and political institutions. ‘Cyber security is now national security. And the law urgently needs it,’ said Plattner.

Despite all the urgency, however, new uncertainty arose around the NIS2UmsuCG last week with the end of the traffic light coalition. Federal Chancellor Olaf Scholz has emphasised that he intends to put all bills to the vote in the remaining weeks of the Bundestag session until Christmas that he believes ‘cannot tolerate any delay’. For Scholz, these include tax relief, spending on security and stabilising pensions; however, it is doubtful that the NIS2UmsuCG is one of them. If new elections are held in February 2025, it could be well into next year before the fate of the NIS2UmsuCG is finalised.

You can find a video (in German) of the NIS-2 hearing here:
https://www.bundestag.de/ausschuesse/a0 ... 72-1026172

You can find the Federal Government's draft bill (in German) at:
https://www.bmi.bund.de/SharedDocs/gese ... onFile&v=1

The non-profit European Cyber Security Organization (ECSO) has published a white paper entitled “NIS2 Implementation: challenges and priorities”. It is intended to provide a quick overview of the implementation of NIS-2 in the EU member states.

The EU member states had until October 17, 2024 to transpose the Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) into national law. However, it was not only the failed traffic light coalition in Berlin that failed to fulfill this obligation in time with the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which is only available in draft form so far. For ECSO, a pan-European organization with over 320 members from more than 30 countries, including companies such as Accenture, Airbus, Deloitte, SAP and Siemens, as well as Bundesdruckerei GmbH, this is unacceptable. By December 2, 2024, only four countries - Croatia, Italy, Belgium and Lithuania - will have fully implemented the directive. Most other EU countries are aiming to introduce it in the first quarter of 2025. According to ECSO, this fragmented implementation has created significant challenges, particularly for companies and organizations operating across borders. They are due to the fact that EU Member States have taken or are taking different approaches to the classification of companies (ranging from one-tier to three-tier systems), the inclusion of sectors and the thresholds for company size; there are also different classifications for incident reporting, different compliance deadlines and different international security frameworks. In the domain name industry, registries and registrars are among those affected.

This leads to worrying gaps, according to an ECSO survey of 155 participants from 23 countries, the results of which have now been published in a 42-page white paper that can be downloaded free of charge. Almost three quarters of the participants had no implementation budgets and a third reported no involvement of management, although their liability is at the heart of NIS-2. According to the paper, the biggest problems include unclear implementation requirements, supply chain security concerns, the complexity of incident reporting and embedding NIS-2 into existing security protocols. The financial impact of implementation is considered to be particularly serious when taking into account both the necessary investment in the technology and the required process changes; in addition, many companies lack experience with NIS-1, for example. As a result, small and medium-sized companies in particular, but also multinational companies, face disproportionate challenges. The results underline the urgent need for EU member states to harmonize their approaches.

However, the ECSO white paper also provides practical help, as it gives concrete recommendations for NIS2 implementation. These include cooperation with interest groups, the designation of a single point for reporting all cyber security incidents and the standardization of templates and data formats. Existing standards can - after all - be relied upon as sufficient proof of compliance. However, the white paper cannot eliminate one weakness: as long as there is uncertainty about the future government in this country, there will also be uncertainty about the content of the NIS 2 Implementation Act - until then, everyone is in the dark.

You can find the ECSO white paper at:
https://ecs-org.eu/ecso-publishes-white ... mentation/