On January 16, 2023, the Network and Information Security 2 (NIS2) directive on improving IT security came into force. The German government wants to implement it by spring 2024 through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz NIS2UmsuCG). Approximately 30,000 companies and federal agencies will be affected. NIS2 replaces the current NIS directive and significantly expands the scope of application, the duties to be fulfilled and the sanctions for breaches of duty. Above all, this adapts and expands the BSI Act. All requirements must be fulfilled by 17.10.2024 at the latest.
Expansion of the Scope of Application (§ 28)
The number of affected entities could increase sixfold as a result of the expanded scope. The following entities are affected:
"Particularly Important Facilities"
Large companies in the sectors:
- Energy
- Traffic and transportation
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Waste water
- Food
- Digital Infrastructure
- Waste
- Administration of information and communication technology services
- Public administration
- Space
Medium-sized enterprises:
- Telecommunication services
- Providers of public telecommunication networks
Regardless of company size, are considered particularly important:
- Qualified trusted service providers
- Top Level Domain Name Registries
- DNS service providers
"Important Entities"
These include companies in the special public interest (UBI), trust providers, defense companies, medium and large companies in the following sectors:
- Logistics
- Waste
- Production
- Chemicals
- Nutrition
- Manufacturing industry
- Digital Service Providers
- Research
Duties (§ 30-39)
In the course of implementing NIS2, the duties to be fulfilled under the BSI Act are restructured and include:
- Implementation of risk management measures (identification of risks and vulnerabilities, training in IT security, etc.)
- Incident reporting to the BSI
- Identification and notification to the BSI
- Verification for implementation and proof to the BSI
- Communication with authorities
- Binding requirements for the management
- Additional requirements for critical facilities
Sanctions (§ 60)
Fines are significantly increased and are at the level of the GDPR: up to 10 million euros or 2% of the previous year's turnover (lack of IT security measures).
Personal Liability (§ 38)
In addition to the high fines for companies, the NIS2 Implementation Act also provides personal liability of the management. The latter is obliged to approve the risk management measures and monitor their implementation. They must also attend regular training sessions. Managers who violate these obligations are personally liable for the damage incurred. This includes both recourse claims and claims for fines. In addition, the BSI can prohibit the management from performing management duties.
What to do now
Given the impact of NIS2 on a wide range of businesses, the obligations that need to be fulfilled and the penalties that can be expected, companies should consider now whether and how they will be affected by the new legislation. With a very high demand for IT specialists expected – similar to the application of the GDPR in 2018 – it is critical for companies to take action now.
We are happy to advise you on the identification and risk assessment of vulnerabilities and their mitigation. In our workshops and webinars, we sensitize and empower your employees in information security. Regarding the European compliance regulations (Digital Operational Resilience Act), softScheck offers webinars and workshops – also in-house and on executive board level.