Following the adoption of the Network and Information Security Directive 2.0 (NIS 2 Directive) at the end of 2022, companies in certain economic sectors and above a certain size will be obliged to take measures to ensure cyber security. This also creates a considerable liability risk for managing directors personally.
The NIS 2 Directive is now being implemented via the German Cybersecurity Strengthening Act. We explain the need for action for your company and provide practical recommendations.
Implementation status and aim of the law
After much discussion of the draft bill for the Cybersecurity Strengthening Act, the government bill was passed on July 24, 2024. It implements the European requirements of the NIS 2 Directive. The law has yet to be promulgated; however, implementation is required by October 2024.
The law extends obligations to implement cyber security measures and report cyber attacks. The Federal Office for Information Security (BSI) has been given more extensive powers.
In future, companies in a larger number of sectors will have to meet minimum cyber security requirements and comply with reporting obligations in the event of cyber incidents. This is intended to increase the level of security and reduce the risk of companies falling victim to cyber attacks. At the same time, this results in a greater need for companies to adapt.
Important regulations at a glance
The following regulations are the core components of the Cybersecurity Strengthening Act:
- The scope of application is extended to “essential entities” and “particularly important entities”, replacing the previous reference to operators of critical infrastructure, providers of digital services and companies in the special public interest. Even companies that do not operate in essential infrastructure areas may be affected if they have 50 or more employees or an annual turnover of more than 10 million euros. You can find out whether you fall within the scope of the legal requirements via the BSI’s affectedness check, which also shows which requirements apply to you.
- Affected companies must register with the competent authority. Because the necessary legal classifications have to be made, the support of an expert is helpful.
- The law requires the implementation of measures as part of cyber security risk management. It adopts the catalog of minimum security requirements of the NIS 2 Directive, which must be applied depending on the company’s categorization. The catalog includes risk analysis concepts, measures to maintain operations, backup management and concepts for the use of encryption. The approval, monitoring and training obligations for management are also significant.
- Relevant security incidents relating to cyber and information security must be reported. A three-stage reporting system must be observed: the initial report within 24 hours, an update within 72 hours and a final report within one month.
The Federal Office for Information Security also receives a new range of fines, intended to make violations of the legal requirements noticeably less attractive. The draft bill provides for fines of up to 10 million euros or 2% of annual turnover. Companies should therefore already be looking at the expected legal requirements.
Implementation in practice
As an affected company, you can spread the implementation effort by preparing now, ahead of the date the Cybersecurity Strengthening Act comes into force – possibly as early as October 2024:
- Check that you are affected.
- Define responsibilities and ensure professional support.
- Analyze risks and need for action with regard to the requirements of the NIS 2 catalog.
- Take the necessary adaptation measures now.
- Set up processes to fulfill your reporting obligations.
- Ensure a continuously high level of cyber security.
Management is legally obliged to take part in implementing these processes; failure to do so also raises questions of personal liability.
Further details can also be found in the BSI’s recommendations for action.