The NIS2 Directive has had a bumpy path to adoption, with many EU member states yet to transpose it into national law. Germany, however, finally passed its long-delayed NIS2 implementation law on 13th November. It is expected to come into force in the next couple of months.
Affected companies need to be prepared, because the German legislation makes no allowance for a transition period: companies must comply from day one. So, what does this mean for you?
Sectors covered by the new legislation
NIS2 marks a significant expansion of the original NIS Directive. It now applies to a wide range of sectors right across the economy and is expected to affect more than 30,000 German companies. Key sectors include:
- Healthcare
- Utilities
- Transportation
- Public administration
- Digital infrastructure
- Manufacturing
Additionally, NIS2 automatically applies to all operators of critical infrastructures (KRITIS).

NIS2 requirements
The German implementation of NIS2 amends several existing laws (most importantly the BSI Act, the BSIG) and largely mirrors the Directive. Here are some key aspects to be aware of.
A focus on risk management
NIS2 takes a risk management approach to protecting critical infrastructure. The law requires Critical, Particularly Important and Important institutions to take "appropriate, proportionate and effective" measures to protect their infrastructure. These measures must take account of the risk exposure, the size of the institution and the likelihood and severity of a security incident, balanced against the cost of the measures. The overarching aim is to avoid any disruption to the availability and integrity of the facility or service, and to avoid any loss of confidentiality of data.
Technical and organisational measures
All security measures must be “state of the art” and should cover these areas as a minimum.
Technical measures
- Maintenance and recovery, backup management, crisis management
- Encryption
- Access control and ICT management
- Multi-factor authentication or continuous authentication
- Secure communication (voice, video and text)
- Secure emergency communication
- Secure development
- Vulnerability management
Organisational measures
- Risk analysis and security for information systems
- Handling of security incidents
- Supply chain security, supplier and service provider security
- Personnel security
- Secure procurement
- Maintenance
- Evaluation of the effectiveness of cybersecurity and risk management
- Cybersecurity and awareness training
Documentation
Affected companies must document their processes, their technical and organisational measures, and their risk assessments. When requested, they must give BSI or its auditors access to all of this documentation.
Strict deadlines for incident reporting
Any significant security incident must be reported to BSI in stages: an early warning within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a complete final report within one month. BSI can also request an interim status report at any point, which must be provided promptly. This reporting requirement will be especially hard for the smaller companies that now fall under the scope of the law.
Notification of users
Covered companies in certain sectors must always notify the users of their services of any significant security incident and advise them on how to respond. These sectors are:
- Financial and insurance
- Information technology and telecommunications
- ICT services
- Digital services (marketplaces, search engines and social networks)
This notification must be made without undue delay.
Additionally, BSI can instruct companies classed as Particularly Important or Critical to inform their users about any significant security incident.
NIS2 enforcement
NIS2 introduces tough enforcement measures, including substantial fines and potential personal liability for senior management.
An enhanced role for BSI
The German Federal Office for Information Security (BSI) has an enhanced role in monitoring and enforcing the new law. This significantly extends its powers and allows it to audit companies for compliance. When a significant security incident is reported (see above), BSI assesses whether any enforcement action is needed.
Significant fines and corporate responsibility
The new law allows companies in the highest category to be fined up to €10M or 2% of their global annual turnover, whichever is higher. There is then a cascading set of lower fine limits for companies in the lower categories.
Under §61 of the amended BSI Act, companies classed as Particularly Important must undergo inspections and audits, and BSI can issue guidelines that they have to implement. They must also provide evidence of compliance with all requirements and show that their decisions were based on a risk assessment. BSI can also:
- Verify compliance with requirements at individual institutions
- Give institutions instructions on the prevention or rectification of incidents
- Give institutions binding instructions on the implementation of obligations
- Require institutions to inform customers about measures against cyber threats
- Inform supervisory authorities, suspend licences and prohibit management from conducting business
- Withdraw the licence of institutions that fail to comply with requirements and prohibit management from performing management tasks
For Important institutions, BSI may, in justified cases, verify compliance with the relevant sections of the law and take measures in accordance with §61.
Check out our full blog post on NIS2.
Need help figuring it out? We’re here to help!
Chino.io is the one-stop shop for solving all privacy and security compliance aspects.
As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.
Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.
To learn more, book a call with our experts.