Bill to Transpose the NIS2 Directive
a Turning Point for IT Security in Germany?
The Network and Information Security Directive 2.0 (NIS2 Directive), passed in December 2022, is currently the subject of debate almost as heated as that regarding the General Data Protection Regulation in its day. The Directive sets minimum harmonising standards for the Member States, which in turn must each transpose them into national law.
Companies are therefore observing the national transposition acts closely. In Germany, a very early draft of the bill to transpose the NIS2 Directive and to regulate essential features of information security management in the federal administration (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) has now become public. The bill completely revises and extends Germany’s Act on the Federal Office for Information Security.
As part of the bill to comprehensively reform this Act (the “Bill”), the number of sections will increase more than fourfold. Many provisions are aimed at private companies. In addition, the Bill contains numerous specifications and requirements for the federal government’s information security management. A law that was originally only intended to regulate the tasks and powers of an authority is thus increasingly becoming a comprehensive legal code for cybersecurity in Germany. The following article provides an overview of the requirements that could be imposed on private companies.
What will change for those concerned?
The Bill takes over the full list of minimum security requirements from Article 21 NIS2 Directive. The intensity of the required measures will vary between the categories of entities for reasons of proportionality. Operators of critical facilities will be subject to the strictest requirements (Article 30(3) of the Bill).
Although the Federal Office for Information Security has comprehensively supported the fairly concise requirements of the Act to date with publications (such as on the use of systems for attack detection), the list of requirements is now clearly defined:
- Concepts related to risk analysis and security for information systems
- Managing security incidents
- Business continuity such as backup management and disaster recovery, as well as crisis management
- Security measures in the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability management and disclosure
- Concepts and procedures for evaluating the effectiveness of cyber security risk management measures
- Basic cyber hygiene procedures and cyber security training
- Concepts and procedures for the use of cryptography and encryption
- Staff security, access control concepts and asset management
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and, where appropriate, secure emergency communication systems within the facility
Key topic: Supply chain
This list is supplemented by another controversial aspect, demanding “supply chain security, including security-related aspects of the relationships between individual entities and their direct providers or service providers”.
This makes it clear that entities subject to the Act on the Federal Office for Information Security will have to enter into concise contractual agreements with their service providers in future in order to comprehensively implement cyber security.
Management’s responsibility for cyber risk management
These legal requirements for cyber risk management must be approved by the management and implementation of the requirements must be monitored by the management (section 38(1) of the Bill). This provision once again emphasises what has long been recognised in the German law on limited companies and stock corporations, namely that cyber security is the management’s job.
If the managing directors of the entities concerned do not comply with this obligation, they are liable to the entity for any resulting damage (section 38(2) of the Bill). The German legislator is thus meeting the European legislators’ demand for personal liability of the managing directors to the company, which tallies with the system of internal liability of the corporate bodies under German stock corporation and limited liability company law even without a special legal standardisation in the Bill.
It is also noteworthy that the Bill’s explanatory memorandum clarifies that both claims for recourse and fines will be covered by the concept of damage in the liability rule of section 38(2) of the Bill. The ability to seek recourse against executive board members in the form of corporate fines is highly controversial in the legal literature and, where published case law exists, has thus far been rejected by the courts with reference to the penalising nature of the fine.
But the Bill provides for further penalty instruments to encourage management to comply with the legally required risk-management measures. In the case of especially important entities, the Bill even goes so far as to allow the Federal Office for Information Security to temporarily ban directors from performing their managerial duties if they disregard the Office’s orders (section 64(6) no. 2 of the Bill).
Procedure for reporting security incidents
In the case of security incidents, there will be a four-stage reporting process in future: (i) early initial report within 24 hours, (ii) an update within 72 hours, (iii) ad-hoc responses to enquiries from the Federal Office, and (iv) a final report within one month.
Finally, the Bill sets out a significant extension of the scope of application. See below for more details.
Completely revised entity categories
To date, the Act on the Federal Office for Information Security has recognised “operators of critical infrastructure”, “providers of digital services” and “companies of special public interest”.
The Bill greatly expands the list of those potentially concerned. Although the Federal Ministry of the Interior obviously tried to simplify the complex definitions in the NIS2 Directive when drafting the Bill, legal practitioners now face a new level of definitions that are hard to understand. Accordingly, the Bill will have the following categories of entities in future (see section 28):
- Operators of critical facilities: What constitutes a critical facility will be defined in a future ordinance. It is nevertheless clear that the German legislator will base its definitions very closely on the previous critical infrastructure.
- Operators of especially important entities: Firstly, these are large companies according to the European Commission’s definition of SMEs from specific sectors (such as traffic and transport, banking or healthcare). Here, too, a statutory instrument will specify more details, which will presumably be largely based on Annex I of the NIS2 Directive.
Regardless of size, specialist companies such as DNS service providers also fall into this category, as well as midsize companies providing telecommunications services or publicly accessible telecommunications networks. Operators of critical facilities are also assigned to this category.
- Operators of important entities: This is to initially include medium-sized enterprises according to the European Commission’s definition of SMEs from the sectors mentioned above.
It also includes medium-sized and large enterprises in other sectors (such as logistics, manufacturing or production). This list will probably be largely based on Annex II of the NIS2 Directive. The previous companies of special public interest in categories 1 and 3 (known as the foreign trade and incident regulation special public interest companies) also fall into this category. Interestingly, companies due to be given this status because of their power to add value (called value-added special public interest companies or special public interest companies 2) will be removed from the Bill.
These lists are just examples. The Bill contains exceptions and also some specific entities that are to be assigned in the same way.
There is a range of fines, as there has been to date (see section 60 of the Bill). Fines of up to €20 million can be imposed for breaches of enforceable orders. In the case of important entities, the fine is up to €7 million or up to 1.4% of the company’s total worldwide turnover in the previous financial year. For operators of especially important entities and critical facilities, the fine is up to €10 million or up to 2% of the previous year’s turnover.
What else is planned?
The European legislator has given the Member States time until 17 October 2024 to transpose the NIS2 Directive into national law. In view of the current state of threats in cyberspace, it is hard to imagine the German legislator will actually take all that time. The current draft assumes the amending act in question will be passed in spring 2024.
In addition, the European Union has given the Member States more homework to do in the form of the CER Directive. This act of law aims to increase the physical security of critical entities, albeit the exact scope of application is still to be defined. Since the end of last year, the key points of an umbrella act on critical infrastructure have been available. A first glance at the draft paper suggests there will also be stricter legal obligations in this area.