NIS2 Directive: scope of application, requirements & required actions

What is the NIS2 Directive?

The NIS2 Directive is an evolution of the first NIS Directive from 2016. The NIS Directive established measures to ensure a high common and harmonised level of security of cyber and information security systems across the EU.

The NIS2 Directive builds on this. On the one hand, the existing cyber and information security requirements have been extended and strengthened. On the other hand, the personal scope has been significantly extended.

The aim of the NIS2 Directive is to improve and standardise the level of cyber security in the Member States. It not only strengthens the security requirements as such, but also extends the sanctions for breaches and the liability rules.

What is the status of the implementation of the NIS2 Directive in Germany?

In Germany, the NIS2 Directive is implemented by the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). The corresponding government bill was approved and adopted by the Federal Cabinet on 24 July 2024.

The NIS2UmsuCG has not yet been promulgated and is therefore not yet in force. The NIS2UmsuCG essentially amends the law on the Federal Office for Information Security and on the Security of Information Technology of Institutions (BSIG) in accordance with the guidelines. The draft of the (new) BSIG will be referred to as BSIG-E in the following. [EU Member States are required to transpose the NIS2 Directive into national law by 17 October 2024.

It is currently not foreseeable whether the German legislator will meet this deadline. In view of the remaining steps in the legislative process (readings in the Bundestag, involvement of the committees, etc.), it now seems rather unlikely that the deadline will be met.

When do companies have to comply with the requirements of the NIS2 Directive?

The NIS2 Directive requires Member States to apply their respective implementing legislation from 18 October. However, this obligation applies to individual Member States and not directly to companies. Against this background, the following applies to companies: the NIS2 Directive does not apply directly to the (future) companies concerned.

This means that if the NIS2UmsuCG has not entered into force by 18 October 2024, companies are not obliged to implement the requirements. In this case, companies need not fear any sanctions. This is because the sanctions provisions can only be applied once the law has entered into force. Of course, this only applies to Germany for the time being.

If companies also operate in other member states, have branches or even legally independent units there, it would always be necessary to check whether a national NIS2 implementation law is already in force and what consequences this could have for the company in question.

Which businesses are affected by the NIS2 EU Directive?

The implementation of the NIS2 Directive is relevant to a significant number of companies. According to current estimates, around 30,000 to 40,000 companies in Germany alone will be directly affected. This high number is due to the very broad scope of the NIS2 Directive.

Section 28 (1) and (2) BSIG-E determines whether a company will be subject to the regulations in the future. A distinction is made between critical facilities and important facilities. The classification into these categories is not merely theoretical, but has an impact on the requirements and obligations to be met.

• Critical organisations: Critical organisations include, in the first instance, operators of critical facilities, qualified trust service providers, top level domain name registries or DNS service providers, and providers of publicly available telecommunications services or operators of public telecommunications networks with at least 50 employees or an annual turnover or balance sheet total of more than EUR 10 million.
• Important organisations: These include (ordinary) trust service providers and providers of publicly available telecommunications services or operators of public telecommunications networks with fewer than 50 employees and an annual turnover or balance sheet total of less than EUR 10 million.

In addition to these specific areas, enterprises operating in certain sectors are also included. The sectors are listed in Annexes 1 and 2 of the BSIG-E. Particularly important organisations are companies that operate in one of the following sectors and have at least 250 employees or an annual turnover of more than 50 million euros and an annual balance sheet total of more than 43 million euros.

The following sectors are considered to be major organisations:

Major organisations are those whose activities can be classified in one of the following sectors and which have at least 50 employees or an annual turnover and balance sheet total of more than 10 million euros.

This category in particular is of great importance for a large number of companies. The regulation is intended to cover as many companies as possible in order to ensure the desired harmonisation with regard to a uniform level of cyber and information security.

What do organisations need to do now to be NIS2 compliant?

At this stage, there is no immediate or specific requirement for businesses to take action. This is because it is not yet clear whether the NIS2 Directive will come into force on time on 18 October. As the NIS2 Directive as such has no direct impact on companies, they are not yet obliged to implement it.

However, companies should prepare for the upcoming changes and not wait and see. Although the implementation date is still unknown, companies should continue to prepare for 18 October 2024 to be on the safe side. It is also possible that the NIS2UmsuCG will be amended and adapted during the ongoing legislative process. However, fundamental changes (especially to the measures to be taken) are not expected.

Against this background, companies should already now assess whether they fall within the scope of the NIS2 Directive.

It is also advisable to carry out risk analyses, identify vulnerabilities and develop concepts for measures to be taken and coping strategies. Companies should also work closely with suppliers and service providers to ensure security in the supply chain.

Companies should therefore act now and start implementing risk management measures.

What are the cyber security requirements of NIS2 for covered entities?

The NIS2 Directive requires covered entities to implement comprehensive cyber security risk management measures. The future obligations to be met are set out in Sections 30 to 42 BSIG-E.

Pursuant to section 30 para. 1 sentence 1 BSIG-E requires particularly important institutions and important institutions to take appropriate, proportionate and effective technical and organisational measures to avoid disruptions to the availability, integrity and confidentiality of the information technology systems, components and processes they use to provide their services and to minimise the impact of security incidents.

The measures to be taken are detailed in Section 30 (2) BSIG-E. It should be noted that the list is not exhaustive and only defines the minimum standard. In addition, the measures will be further specified by implementing acts of the European Commission.

Risk management measures (Art. 30 BSIG-E)

Concerns:

• Particularly critical facilities
• Important facilities

Measures:

• Risk analysis policies and procedures Information technology security
• Management of security incidents
• Business continuity (backup management; disaster recovery, crisis management)
• Supply chain security
• Security measures for the acquisition, development and maintenance of information technology systems, components and processes
• Evaluation policies and procedures for the effectiveness of risk management measures
• Cyber hygiene and training in information technology security
• Policies and procedures for the use of cryptography and encryption
• Personnel security
• Access control
• Use of multi-factor authentication
• Secure voice, video and text communications
• Secure emergency communications within the facility as required

Reporting obligations (§ 32 BSIG-E)

Concerns:

• Particularly critical facilities
• Important facilities

Measures:

• Immediate notification (maximum 24 hours) after becoming aware of a significant security incident. The report must include information on whether there is a suspicion of illegal/malicious behaviour or whether the incident has a cross-border impact.
• Submit a full report within 72 hours of becoming aware of the incident. The report must confirm or update the information in the initial report and provide an initial assessment of the incident.
• If applicable (on request) submission of an interim report
• Submit a detailed final report after one month, or an interim report if the incident is still ongoing.

Obligation to register (§ 33 BSIG-E)

Concerns:

• Particularly critical facilities
• Important facilities
• Domain name registry service provider

Measures:

• Registration with the BSI upon initial or renewed categorisation as one of the affected institutions.

The registration must contain the following information:

• Name and legal form of the organisation and (if applicable) commercial register number
• Address and contact details Identification of the sector and the relevant industry
• List of EU Member States in which the company provides its services
• Competent supervisory authorities at federal and state level

Duty to inform (Section 35 BSIG-E)

Concerns:

• Particularly critical facilities
• Important facilities

Measures:

• In the event of a significant security incident, the company is required by the BSI to inform the recipients of the services. The notification may also be made by publication on the website.
• For organisations in the financial sector, social security institutions, basic security for job seekers, digital infrastructure, management of ICT services and digital services, the notification must also include the remedial measures.

Duty to inform the public (Section 36 (2) BSIG-E)

Concerns:

• Particularly critical facilities
• Important facilities

Measures:

• After hearing the organisation concerned, the BSI may require it to inform the public about the security incident.
• This requires that the disclosure is in the public interest or contributes to raising public awareness.

For operators of critical installations, these obligations are sometimes even more stringent and additional obligations are imposed. These enhanced and additional obligations include:

• Special risk management measures (Art. 31 BSIG-E): The regular measures according to Art. 30 (2) BSIG-E are tightened. Operators must take all measures that are not disproportionate to the consequences of a failure or impairment. In addition, they are obliged to use systems to detect attacks.
• In addition to the information required under Section 32 (1) BSIG-E, operators of critical installations must also provide information on the type of installation and the critical service affected, as well as the impact of the security incident on this service.
• Additional information when registering according to Section 33 BSIG-E: When registering, operators must also provide the public IP address ranges of the facilities they operate, as well as the identified facility category, the identified supply indicators, the location of the facility and a contact point. Operators must ensure that the contact point can be reached at all times.
• Duty to provide evidence (Section 39 BSIG-E): Operators must provide evidence of the implementation of risk management measures by means of safety audits, inspections or certifications at the earliest three years after they are deemed to be operators of critical installations for the first time or again. This obligation to provide evidence is due every three years after the first inspection.

Risk management measures include not only those that directly affect the company's own operations. As Section 30(2)(4) of the BSIG-E shows, the companies concerned must also ensure the security of the supply chain. In addition to the security measures to be observed, the explanatory memorandum to the NIS2UmsuCG specifies, for example, contractual agreements with suppliers and service providers on the handling of cyber security incidents and the consideration of recommendations from the BSI with regard to products and services.

Companies should also remind or require their suppliers to adhere to basic principles such as security by design or security by default. In this respect, the implementation of the NIS2 Directive means that companies must not only adapt and improve their own processes. They will also need to review the processes and systems of their suppliers and service providers, and work closely with them to address potential security gaps.

What are the penalties for non-compliance with the NIS2 Directive?

Violations of the requirements of the NIS2 Directive are punishable as administrative offences. Section 65 (5) to (7) BSIG-E provides for substantial fines as a form of sanction. The amount of the fine depends on which obligation the company has violated and whether it is a particularly important organisation or an important organisation.

• Particularly critical organisations: Fines of up to €10 million can be imposed on companies that are very important organisations. If the company has an annual turnover of more than €500 million, the fine can be up to 2% of the previous year's turnover.
• Important organisations: Companies classified as important organisations can be fined up to €7 million or (if the company has an annual turnover of more than €500 million) up to 1.4% of the previous year's turnover.

It should be noted that the annual turnover is not the national turnover. Annual turnover is measured on the basis of the company's total worldwide turnover.

Who in the organisation is responsible for implementing the NIS2 requirements?

According to Section 38 (1) BSIG-E, the implementation, compliance and monitoring of risk management measures is the responsibility of the management of the respective organisation. If the management breaches this obligation, it shall be liable to the company for culpably caused damage in accordance with the provisions of company law applicable to the legal form of the organisation pursuant to Section 38 (2) Sentence 1 BSIG-E. If the management breaches this obligation, it shall be liable to the company for culpably caused damage in accordance with the provisions of company law applicable to the legal form of the organisation.

This liability provision is not special in itself, but essentially corresponds to the existing liability provisions. In this respect, the provision has more of a clarifying function. Only if there is no internal liability for the organisation does the liability provision of section 38 (2) sentence 1 BSIG-E apply. In previous versions of the NIS2UmsuCG, Section 38 BSIG-E also prohibited the organisation from waiving claims for damages against the management.

This provision is no longer included in the current draft. In this respect, waivers should now be permitted. However, how such waivers are handled in practice and whether they are effective will have to be determined by case law. Pursuant to Section 38 (3) BSIG-E, the management is also obliged to regularly attend training courses. In summary, NIS2 makes cybersecurity a top priority.

How does NIS2 relate to other legislation such as KRITIS, CER and CRA?

It is not only the NIS2 Directive that aims to improve the protection and resilience of critical infrastructure. The Critical Entities Resilience (CER) Directive also came into force on the same day as NIS2.

The Cyber Resilience Act (CRA), another product-related piece of legislation, will also come into force, imposing higher security requirements on the manufacture and design of products with digital elements (hardware and software).

Although the different pieces of legislation cover different areas, they are closely linked.

What are the benefits of implementing the NIS2 requirements?

Although the implementation of NIS2 represents a significant effort for affected organisations, the associated benefits for organisations should not be overlooked.

The increased security requirements reduce the risk of a cybersecurity incident and the consequences of such an incident. Firstly, systems will be more resilient. Secondly, threats can be identified more quickly. This should enable companies that are fully compliant with their NIS2 obligations to quickly address existing risks.

Collaboration and sharing with relevant authorities and, where appropriate, other companies will also strengthen system security and raise awareness of cyber threats.

Finally, the impact on customer relationships and competition should not be underestimated. Risk management will play an important role in the future of business collaboration. A company that complies with the requirements of the NIS2 Directive will be more attractive to work with and will enjoy greater trust. Compliance can also have a positive impact on the public perception of the company.

What does ISiCO's NIS2 consultancy and support include?

We offer comprehensive consultancy, training and support services to help you implement the NIS2 Directive. This includes the analysis of specific requirements, the development and implementation of appropriate security measures, and the training and awareness of staff.

Our expertise and tailored services not only bridge the gap to compliance, but also provide a competitive advantage through enhanced security measures and business process optimisation. From the initial analysis to the final implementation of the necessary measures, we are by your side to ensure that your organisation is not only compliant, but also future-proofed.

Frequently asked questions about NIS2