NIS-2: Federal government adopts NIS2UmsuCG

Thu 1. Aug 2024, 21:19

On 24 July 2024, the German government passed the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). Around 30,000 companies in Germany will thus be subject to stricter IT security precautions.

The Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) came into force on 16 January 2023. As this is a directive, it must be transposed into national law; this will be done in Germany by the NIS2UmsuCG. According to the German government, this will comprehensively modernise and restructure German IT security law. The two categories of "important organisations" and "particularly important organisations" will be introduced, which will be accompanied by a significant expansion of the scope of application previously limited to operators of critical infrastructures, providers of digital services and companies in the special public interest. This includes a catalogue of minimum security requirements, including mandatory risk analysis concepts, measures to maintain operations, backup management and concepts for the use of encryption. The previous one-stage reporting obligation for cyber security incidents will be replaced by a three-stage reporting system; an initial report is to be submitted within 24 hours, an update within 72 hours and a final report within one month. Section 38 NIS2UmsuCG harbours particular risks. According to this, the management of companies must approve the specific measures to be taken as suitable and continuously monitor their implementation; even if auxiliary persons are involved, the management body remains ultimately responsible and can be held personally liable for breaches of duty.

In order to inform potentially affected companies, the Federal Office for Information Security (BSI) has published support services. An impact assessment contains specific yes/no questions based on NIS-2 in order to categorise companies into four categories: Critical Infrastructure Operators, Particularly Important Organisations, Important Organisations and Unaffected Companies. A FAQ catalogue was also presented; it includes questions and answers on the most important NIS-2 topics, such as affectedness, contact points and legal obligations. "The threat level in the area of cyber security remains high," said Federal Minister of the Interior Nancy Faeser. "With our law, we are increasing protection against cyber attacks, regardless of whether they are state-directed or criminally motivated. In future, more companies in more sectors will have to fulfil minimum requirements for cyber security and reporting obligations in the event of cyber incidents." According to BSI President Claudia Plattner, around 29,500 companies in Germany will be obliged to implement cyber security measures in future. "They guarantee the security of supply for the population and form the backbone of Germany as a cyber nation. The BSI will therefore provide them with the best possible support and make the implementation of the legal requirements as smooth as possible." However, the NIS2UmsuCG will not be a sure-fire success within the traffic light government. According to heise.de, Konstantin von Notz, deputy leader of the Green parliamentary group, criticised the draft and announced that parliament would now deal with the law "very intensively" in the further process.

Meanwhile, the lawyer Fabricio Vayra from the international law firm Perkins Coie LLP called on the internet administration ICANN once again to harmonise the WHOIS system with Article 28 of NIS-2. Although the provisions of NIS-2 will come into force in most EU member states on 18 October 2024, it is still unclear what is required of registries and registrars. However, it is time to tackle the implementation of Article 28 with the same passion with which ICANN drove the harmonisation of the GDPR and WHOIS in 2018. It is not enough to place the responsibility solely on the registries and registrars.

You can find the federal government's draft law at:
https://www.bmi.bund.de/SharedDocs/gese ... onFile&v=1

You can find the article by Fabricio Vayra at:
https://circleid.com/posts/20240725-har ... article-28


Delay - NIS2UmsuCG will not arrive until 2025

Thu 17. Oct 2024, 20:46

An open secret has been confirmed: the NIS 2 Directive will not be transposed into national law in the Federal Republic of Germany by 17 October 2024 as planned. Spring 2025 is currently considered realistic.

The Directive on measures for a high common level of cybersecurity across the EU (Network and Information Security 2, or NIS-2 for short) came into force on 16 January 2023. As this is a directive, it must be transposed into national law. This is to be done in Germany through the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG); the implementation deadline set by the EU ends on 17 October 2024. The NIS2UmsuCG extends the regulatory framework created by the IT Security Act to the area of certain companies in accordance with EU law. The changes provided for in the draft law include the introduction of the categories of organisations specified by NIS-2, which is accompanied by a significant expansion of the scope of application previously limited to operators of critical infrastructures, providers of digital services and companies in the special public interest. Furthermore, with the draft law, the Federal Government wants to expand the instruments of the Federal Office for Information Security (BSI) with regard to the supervisory measures specified by NIS-2 and incorporate the catalogue of minimum security requirements of Article 21 (2) of the Directive into the BSI Act. In addition, the previous one-stage incident reporting obligation is to be replaced by the three-stage reporting regime of NIS-2. Even though much of the draft law is already known, details and thus, above all, binding specifications are reserved for the final version of the NIS2UmsuCG once the parliamentary procedure has been completed.

On Friday, 11 October 2024, the Bundestag then debated the Federal Government's draft bill (printed matter 20/13184) at first reading in sparse attendance. As expected, the CDU/CSU parliamentary group criticised the fact that the German government had not yet implemented NIS-2 despite the increasing number of high-impact cybersecurity incidents; this places a burden on operators of critical infrastructure and exposes German infrastructure to incalculable security risks. Bengt Bergt (SPD), on the other hand, emphasised that the legislative process is ongoing: ‘I would always prefer a thorough traffic light law than a botched Union law.’ At the same time, he conceded that swift action was necessary. Dr Silke Launert (CDU/CSU) criticised in particular the fact that only EUR 400,000 had been earmarked in the 2025 budget for the protection of critical infrastructure. In contrast, the NIS2UmsuCG has far-reaching effects on the economy. For them, the annual compliance costs are expected to increase by around EUR 2.2 billion; in total, one-off costs of around EUR 2.1 billion are expected to be incurred, almost exclusively in the category of introducing or adapting digital processes. However, it did not get much more specific than that. Following the first reading, the federal government's bill on the NIS2UmsuCG was referred to the Committee on Internal Affairs for a lead debate. It is not yet clear when the consultation in the committees will be completed; it is currently considered realistic that the NIS2UmsuCG will come into force in spring 2025.

Anyone who wants to know whether a company is covered by the NIS2UmsuCG can now carry out the BSI's ‘NIS-2 Affectedness Test’. Based on the current draft law, the online check asks specific questions orientated towards the draft in order to categorise a company. The questions are kept short and precise and are explained in more detail in small print if required. The result is an automated initial assessment of whether a company is affected by the NIS2UmsuCG and explains what this status means and what obligations are stipulated by the legislator.

You can find the federal government's draft law (in German) at:
https://www.bmi.bund.de/SharedDocs/gese ... onFile&v=1

You can find the plenary minutes of 11 October 2024 (in German) at:
https://dserver.bundestag.de/btp/20/20190.pdf#P.24737

You can complete the ‘NIS-2 Affectedness Test’ (in German) here:
https://www.bsi.bund.de/DE/Themen/Regul ... _node.html