NIS-2

Directive (EU) 2022/2555 and the German implementation act NIS2UmsuCG

Central elements in the NIS2UmsuCG

Companies affected

Why we need this law

Effects and challenges

Schedule

Conclusion

Abstract

Digital infrastructure is the foundation of the modern economy and society. In Germany, one of Europe's leading industrial nations, the availability and security of this infrastructure is of crucial importance for continued prosperity, growth and economic stability. However, as digitalisation and the closely networked European and global economy continue to grow, so do the challenges. The prevalence of cyberattacks, ransomware and security breaches in the IT supply chain has reached a critical point, with organisations and critical infrastructures such as healthcare and energy supply now facing significant risks.

The European Union has adopted the NIS-2 Directive in order to effectively address these risks. The objective is to guarantee a consistently high level of cybersecurity across the EU and to reinforce resilience in both the economy and public administration. The latest draft legislation from the German government, which is intended to implement the NIS-2 Directive, emphasises the need to protect not only companies but also state institutions from the growing threats of cyberspace. In light of geopolitical tensions and the persistent risk of cyber attacks, the directive marks a crucial step in ensuring Europe's digital future.

Disclaimer

The following article addresses the German national implementation of the EU Directive, with the understanding that the laws of other countries may differ in their implementation.

Central elements in the NIS2UmsuCG

The draft law on the implementation of the NIS2 Directive (NIS2UmsuCG) contains provisions that affect companies and state institutions. These are aimed at strengthening cyber security in Germany and the EU, and ensuring a high, common level of security. The following section explains the key elements of the NIS2UmsuCG in relation to risk management, reporting obligations, registration obligations, notification obligations and verification obligations.

Risk management

A key component of the NIS2UmsuCG is the implementation of comprehensive risk management. All affected organizations, especially operators of critical infrastructures, must take strict measures to ensure the security of their network and information systems. This includes:

  • Risk assessment and mitigation: Organizations are required to regularly identify and assess risks that could threaten their IT infrastructure. Based on this analysis, they must take appropriate security measures to eliminate potential vulnerabilities.
  • Implementation of security standards: The law ensures that the organizations concerned apply security standards that meet the requirements of the NIS2 Directive. These include technical and organizational measures to ensure the availability, confidentiality and integrity of systems and data.
  • Crisis management and emergency plans: Companies must also implement preventive measures for crisis management and ensure that emergency plans are in place to deal with security incidents.

Obligation to report

Another innovation under the NIS2UmsuCG concerns the reporting obligations for security incidents. The previous one-stage reporting procedure will be replaced by a three-stage model:

  1. Early warning reports within 24 hours: Companies must submit an initial notification to the competent authority within 24 hours of detecting a security incident. This early warning is intended to enable the authorities to take action quickly and continue monitoring the incident.
  2. Follow-up reports: A detailed analysis of the incident must be carried out within 72 hours of the initial notification, providing further information. This includes an estimate of the affected data and possible effects.
  3. Final report: Once the incident has been fully resolved, a final report must be submitted documenting the measures taken and whether they resolved the problem.

Obligation to register

The NIS2UmsuCG also introduces a more rigorous registration process for organisations affected by the directive. In accordance with the directive, companies and public bodies must register with the relevant national authority. This registration allows the authorities to maintain a central database of affected organisations, facilitating more effective monitoring of the cybersecurity landscape.

The registration obligation has a significant impact on operators of critical infrastructures, digital service providers and other essential entities that are central to the functioning of society. It applies not only to new players, but also to existing companies that fall under the new legislation.

Duty to inform

The NIS2 Directive attaches great importance to the information obligations of the companies and institutions concerned. These include:

  • Duty to inform authorities: Companies must inform the competent authorities immediately as soon as they become aware of security incidents or vulnerabilities in their network and information systems. This information must be precise and complete to enable the authorities to respond quickly.
  • Internal information obligations: Organizations must ensure that their management and the responsible security officers are regularly informed about cyber security risks and incidents. This should ensure that those responsible in the company can react quickly.

Obligation to provide evidence

Finally, the NIS2UmsuCG obliges the affected institutions to fulfill comprehensive verification obligations:

  • Regular review and documentation: Companies must prove that they have implemented the necessary security measures in accordance with the legal requirements. This includes both technical precautions and organizational measures, which must be regularly reviewed and documented.
  • Auditing and certification: In some cases, it may be necessary for organizations to have external audits carried out to confirm compliance. The draft law also provides for the authorities to have the right to review security measures and, if necessary, impose sanctions if companies fail to meet their obligations.
  • Reporting: Companies must prove to the competent authority on request that they have complied with their reporting and risk management obligations. This requires complete documentation of all relevant incidents and measures.

Through these elements, the NIS2UmsuCG creates clear and binding guidelines that aim to raise cyber security in Germany and the EU to a new level, and to strengthen companies and state institutions so that they are prepared for the constantly growing threats from cyberspace.

Companies affected

The sectors affected by the NIS2 Directive and the NIS2UmsuCG can be roughly divided into two groups:

  1. Sectors of essential and important entities, such as energy, health, transportation, digital infrastructure, water/wastewater and space.
  2. Sectors of important entities, such as postal/courier services, chemicals, manufacturing, food and digital services.

This categorisation provides a clear definition of the scope of the law, ensuring that companies particularly affected by an outage or cyberattack take adequate protective measures to ensure the security and resilience of the German and European economy.

Operators of critical infrastructures (KRITIS)

The legislation in question pertains to a specific category of entities, namely, operators of critical infrastructures. These companies are vital to the security of supply in sectors such as energy, water, transportation, healthcare and telecommunications. KRITIS operators are responsible for ensuring the security and functionality of their infrastructure, with the aim of minimising the risk of outages or attacks. In particular, critical infrastructures are those that meet the threshold regulation, for example, those supplying services to at least 500,000 people.

Essential entities

These typically comprise major corporations in pivotal sectors that are obliged to comply with exacting security standards due to their substantial size and significance to the economy and public safety. Please refer to Annex 1 of the Act for a list of the entities covered, which include those in sectors such as energy, transport, finance, healthcare, water/wastewater and digital infrastructure. It is imperative that these facilities implement comprehensive security measures to guarantee the uninterrupted provision of their services, as any failure could have a significant adverse impact on society. In order to be classified as essential, companies must meet one of two criteria: they must employ more than 250 people or have a turnover of more than 50 million euros and a balance sheet total of more than 43 million euros. Furthermore, there are specific companies that are classified as essential regardless of their size, including qualified trust services, TLD registries, DNS services and telecommunications providers.

Important entities

In addition to the particularly important entities, the NIS2UmsuCG also provides for specific requirements for important entities. This group includes medium-sized companies that are also active in sectors of high criticality, such as energy, transport and traffic, finance, health, water and digital infrastructures. Although the requirements for these companies are somewhat lower than for essential entities, they too must implement comprehensive risk prevention and crisis management measures to prevent cyberattacks and outages. A company is classified as important if it has at least 50 employees or a turnover of more than 10 million euros and a balance sheet total of more than 10 million euros. Important entities also include operators of public telecommunications networks and companies operating in the postal and courier services, chemicals, food production and manufacturing sectors.

Facilities of the Federal Administration

A further area of significant regulation by the NIS2UmsuCG is that of federal government bodies. These fall under the specific provisions of Section 29 of the Act and are subject to certain obligations that apply to essential entities. This is particularly relevant for public IT service providers, who are responsible for the operation of IT infrastructures within the federal administration. It is the responsibility of these institutions to implement robust cyber security standards in order to protect government systems and data from attacks. It should be noted, however, that certain state actors, such as the Federal Foreign Office and the defence and intelligence services, which are subject to separate regulation, are exempt from these regulations.

Elimination of companies in the special public interest (UBI)

One notable change in the legal framework is the removal of the special public interest (UBI) classification for companies. These entities are now incorporated into the categories of essential or important entities. For instance, companies in the defence industry primarily fall within the NIS2 manufacturing sector, while those with significant economic impact are aligned with the NIS2UmsuCG sectors. Companies engaged in hazardous substance handling are designated to the chemicals sector.

Why we need this law

The implementation of the NIS2 Directive in Germany through the NIS2UmsuCG is a crucial step in addressing the heightened demands on cyber security and the protection of critical infrastructures. In the context of accelerating digitalisation, global networking and the persistent threat of cyber attacks, it is imperative for companies and public institutions to enhance their preparedness for security incidents. The key reasons and benefits of the law are outlined below.

Response to the growing threat situation

The number of cyberattacks has increased dramatically in recent years, and the attacks are becoming increasingly complex and dangerous. Companies in Germany and throughout the EU are facing major challenges:

  • Ransomware attacks
    Increasing encryption of data and systems where a ransom is demanded for release. This is facilitated by business models such as "ransomware as a service" and the use of cryptocurrencies for payment.
  • Supply chain attacks
    Increasing cyberattacks on service providers and suppliers to compromise companies through supply chain vulnerabilities, which can have far-reaching effects on multiple organizations.
  • Phishing and social engineering
    Attackers use fraudulent emails and communication channels to obtain sensitive data such as passwords or access rights. These attacks are often the starting point for larger incidents.
  • Increased use of malware
    Malicious software that is deliberately infiltrated into networks to steal data, sabotage systems or enable unauthorized access. Malware attacks can paralyze entire IT systems.
  • Distributed Denial of Service (DDoS) attacks
    By overloading networks or services with a flood of requests, attackers cause systems to fail and become inaccessible.
  • Attacks on critical infrastructure
    Cybercriminals and state-sponsored actors are increasingly targeting energy supply, healthcare, transportation and communications. These sectors are of particular importance and failures would have a devastating impact.
  • Industrial espionage
    Cyberattacks on companies to obtain trade secrets, intellectual property or confidential information. This type of espionage often results in considerable economic damage.
  • Attacks on IoT devices and networked systems
    As more and more devices are connected, they increasingly offer a target for cybercriminals. Inadequately secured devices are often used as a gateway for major attacks.

The German Federal Office for Information Security (BSI) has identified an intensification of cyber threats since Russia's war of aggression against Ukraine, which violates international law. Existing threat assessments must be revised in light of these changed circumstances. Cyber sabotage attacks can also cause collateral damage, with critical infrastructures particularly affected. The failure of these infrastructures could have significant consequences for society.

The NIS2UmsuCG aims to counter these risks by obliging companies and institutions to implement robust protective measures. Clear specifications for risk management and reporting obligations ensure that incidents can be quickly identified, reported and rectified.

Protection of national and European infrastructure

Digital and physical infrastructure is the backbone of the modern economy. A failure of critical systems in areas such as energy supply, healthcare or telecommunications could have catastrophic consequences, both for society and the economy. The NIS2UmsuCG offers the following advantages:

  • Improving resilience: The introduction of strict security requirements strengthens the ability of companies and government institutions to ward off cyber attacks and ensure the continuity of their services.
  • Protection of security of supply: Particularly in sectors that are central to public supply, such as energy, water and healthcare, the law ensures protection against potential attacks that could disrupt vital services.

Uniform safety standards in the EU

A central objective of the NIS2 Directive is the harmonization of cybersecurity standards throughout the European Union. Until now, there have been considerable differences between the individual member states when it comes to the security of network and information systems. The NIS2UmsuCG creates a uniform basis for companies and public institutions in Germany that contributes to this harmonization:

  • A level playing field: companies and institutions across the EU must adhere to the same high security standards. This creates a stable and secure environment for the internal market and reduces the risk of vulnerabilities in one country being used to launch attacks in another.
  • Promoting cross-border cooperation: Improved reporting obligations and cooperation between national authorities will significantly increase the ability to respond to cyberattacks at European level.

Improving corporate responsibility and cyber security culture

A key element of the NIS2UmsuCG is the enhanced engagement of company management in cyber security matters. It is becoming increasingly important for companies to ensure that they have appropriate protective measures in place and that they can effectively manage any security incidents that may arise. Managers are required to address the security risks of their companies and to take appropriate measures to mitigate them. This leads to better risk management and a stronger ability to react in the event of a crisis. The law also raises awareness of cyber security in companies, which helps to create a corporate culture in which cyber security is seen as a fundamental part of business operations.

Prevention of financial and economic damage

The NIS2 Directive provides a clear benefit to businesses and government institutions by creating a preventative framework that helps to reduce financial and economic losses resulting from cyber-attacks. With the ever-increasing threat of cybercrime, it is crucial for companies to take effective security measures to minimize long-term financial losses.

Business downtime due to cyber attacks is one of the most serious financial risks to which companies are exposed. The industry association Bitkom e. V. estimated that cyber attacks in Germany caused a total loss of 223.5 billion euros in 2021. A significant proportion of this damage resulted from operational downtime, stolen data, destroyed systems and expensive recovery measures.

The NIS2 directive requires companies to implement preventive measures to prevent such failures or, where this is not possible, to minimise their impact. In addition, risk management enables companies to identify potential vulnerabilities at an early stage and implement appropriate countermeasures through regular risk assessments and the implementation of technical and organisational security measures. Contingency plans and rapid response mechanisms as part of crisis management ensure that companies are able to continue operating in the event of an attack and minimise the impact on business operations.

Implementing the NIS2 requirements may seem costly at first glance, especially in terms of the necessary investment in cyber security measures, training and technology. However, these costs are in direct proportion to the potential savings that can be achieved by preventing cyber attacks.

According to Bitkom, an average cyberattack causes damage of 500,000 euros per year for companies with at least 10 employees. Assuming that the NIS2 measures could help prevent half of this damage, companies would avert an average of 250,000 euros in potential damage per year. Extrapolated to the approximately 14,500 companies that are likely to be affected by the NIS2 directive, this results in damage avoidance of around 3.6 billion euros per year for the German economy. These savings also result from a reduction in system failures and a more efficient use of resources.

In addition to preventing damage, compliance with the NIS2 directive enables companies to establish themselves as reliable partners. There is a growing expectation among customers, business partners and investors for organisations to demonstrate robust cybersecurity measures to protect digital systems and data. By implementing robust cybersecurity measures, companies can not only reduce the risk of cyberattacks but also strengthen the trust of their stakeholders. This can result in enhanced market positioning and long-term business stability.

Another financial aspect of NIS2 implementation is the avoidance of penalties and sanctions that can be imposed for non-compliance with the directive. Companies that violate the reporting obligations or cybersecurity requirements must expect high fines and legal consequences. By investing in the implementation of the NIS2 requirements at an early stage, companies can not only protect themselves from potential cyber attacks, but also avoid the additional costs associated with sanctions.

An important step for the digital future

The implementation of the NIS2 Directive not only entails legal obligations, but also offers significant economic benefits. Compliance with the directive helps to strengthen customer confidence, minimize legal risks and make companies more competitive in an increasingly digital world.

The NIS2UmsuCG is an essential building block in preparing Germany and the EU for the growing challenges of the digital world. It strengthens the resilience of companies and state institutions against cyber attacks and at the same time promotes cooperation at European level. This law is a significant step towards ensuring economic stability and security in an increasingly networked and digitalized world.

Impact and challenges

The NIS2UmsuCG entails extensive changes for companies and government institutions in Germany. The main effects on the economy and the associated challenges are outlined below.

Compliance costs and additional expenses

The implementation of the NIS2UmsuCG requirements entails significant compliance costs for the affected companies. In particular, the costs associated with adapting IT systems, training personnel and implementing new security measures represent a significant challenge. Companies must make corresponding investments in their IT infrastructures to meet the required security standards. This primarily includes expenditure on software solutions, the implementation of monitoring and attack detection systems and measures to strengthen network security.

In addition to the initial investment, there are long-term ongoing costs for maintaining and updating the systems, regular employee training and compliance with the prescribed reporting and documentation obligations. The draft law assumes additional annual compliance costs of around 2.2 billion euros for the German economy.

Adoption of existing standards such as ISO27001

Many companies have already implemented cyber security standards in the past, including internationally recognized standards such as ISO/IEC 27001. The NIS2UmsuCG offers these companies the opportunity to integrate existing practices and certifications into their security measures.

Companies that are already ISO27001 certified can adopt and adapt many of the required security measures from the NIS2UmsuCG. The focus on risk management, continuous improvement and the review of security measures largely corresponds to the requirements of the law.

Companies that already use established standards such as ISO27001 have a competitive advantage as they have already implemented many of the legally required measures. The integration of existing certifications reduces the effort required to adapt to the new requirements and reduces potential costs.

Risk management measures

The NIS2UmsuCG places particular emphasis on risk management and the implementation of security measures that address the specific threats to network and information systems. Companies must set up comprehensive risk management systems to identify and manage threats.

Companies are obliged to carry out regular risk analyses in order to identify potential weaknesses in their IT infrastructure. These analyses must not only cover technical risks, but also organizational risks.

Based on the risk assessment, affected companies must take preventive and reactive security measures. This includes technical measures such as the encryption of data and the use of firewalls, but also organizational measures such as training for employees and the introduction of emergency plans.

Companies must also be prepared for security incidents. This means that effective emergency plans and crisis management processes must be established in order to be able to react quickly in the event of an emergency.

Requirements and reporting obligations

One of the biggest challenges of the NIS2UmsuCG is the strict reporting requirements that apply to security incidents. Companies must ensure that they are able to quickly identify, assess and report incidents.

As described above, the law provides for a three-stage reporting system in which companies must submit an initial report to the competent authorities within 24 hours as soon as a significant security incident is detected. This must be followed within 72 hours by a comprehensive report with detailed information on the nature of the incident, the systems affected and the countermeasures taken. Finally, a final report documenting the response to the incident must be produced once the incident is closed.

In order to comply with these reporting obligations, companies must implement suitable technical solutions that monitor security incidents in real time and automatically record the necessary information. This requires the use of attack detection systems (IDS/IPS) as well as logging and monitoring tools that can report incidents in good time.

Finally, companies must comprehensively document every incident and ensure that the measures taken to deal with incidents are traceable. This ensures that authorities can check compliance with legal requirements at any time.
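The three-stage reporting model described above (early warning within 24 hours of detection, follow-up report within 72 hours of the initial notification, final report once the incident is resolved) is something an incident response team will want to track mechanically rather than by hand, so that an approaching deadline raises an alert before it is missed. The following Python tracker is an added example written for this article; it is not code from the article, from the BSI or from the draft law. It takes the deadlines exactly as the article states them (the 72-hour clock starts with the early warning), uses a constructed incident with a hypothetical ticket id, and reports which stages are due, overdue or close enough to their deadline to warrant escalation.

```python
"""Deadline tracking for the three-stage incident reporting model.

Added example for illustration only: stage windows follow the article's
description (24 h from detection, 72 h from the early warning, final
report after resolution); the ticket id and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)   # stage 1: measured from detection
FOLLOW_UP_WINDOW = timedelta(hours=72)       # stage 2: measured from the early warning


@dataclass
class IncidentReportTracker:
    incident_id: str                              # hypothetical internal ticket id
    detected_at: datetime                         # timezone-aware detection time
    early_warning_sent_at: Optional[datetime] = None
    follow_up_sent_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    def early_warning_deadline(self) -> datetime:
        return self.detected_at + EARLY_WARNING_WINDOW

    def follow_up_deadline(self) -> Optional[datetime]:
        # The 72 h clock starts with the initial notification, not with detection,
        # so the deadline is undefined until the early warning has gone out.
        if self.early_warning_sent_at is None:
            return None
        return self.early_warning_sent_at + FOLLOW_UP_WINDOW

    @staticmethod
    def _stage(sent_at: Optional[datetime], deadline: Optional[datetime],
               now: datetime) -> str:
        if sent_at is not None:
            late = deadline is not None and sent_at > deadline
            return "sent_late" if late else "sent"
        if deadline is None:
            return "blocked"            # the preceding stage has not been completed
        return "overdue" if now > deadline else "due"

    def status(self, now: datetime) -> dict:
        """State of all three stages as seen at time `now`."""
        result = {
            "early_warning": self._stage(self.early_warning_sent_at,
                                         self.early_warning_deadline(), now),
            "follow_up": self._stage(self.follow_up_sent_at,
                                     self.follow_up_deadline(), now),
        }
        # The final report has no fixed window in the article; it becomes due
        # once the incident is marked resolved.
        if self.final_report_sent_at is not None:
            result["final_report"] = "sent"
        elif self.resolved_at is None:
            result["final_report"] = "not_yet_due"
        else:
            result["final_report"] = "due"
        return result

    def next_deadline(self, now: datetime):
        """(stage, deadline, time remaining) for the open timed stage, or None."""
        if self.early_warning_sent_at is None:
            deadline = self.early_warning_deadline()
            return "early_warning", deadline, deadline - now
        if self.follow_up_sent_at is None:
            deadline = self.follow_up_deadline()
            return "follow_up", deadline, deadline - now
        return None

    def needs_escalation(self, now: datetime,
                         warn_before: timedelta = timedelta(hours=4)) -> bool:
        """True when the open timed stage is overdue or within `warn_before` of its deadline."""
        nxt = self.next_deadline(now)
        return nxt is not None and nxt[2] <= warn_before


def demo() -> dict:
    """Walk a constructed incident through the stages and collect the observed states."""
    t0 = datetime(2024, 10, 14, 9, 0, tzinfo=timezone.utc)   # constructed detection time
    inc = IncidentReportTracker("INC-0001", detected_at=t0)    # hypothetical ticket id
    out = {}
    out["at_20h"] = inc.status(t0 + timedelta(hours=20))       # 4 h left on stage 1
    out["escalate_at_20h"] = inc.needs_escalation(t0 + timedelta(hours=20))
    inc.early_warning_sent_at = t0 + timedelta(hours=22)       # stage 1 sent in time
    out["at_30h"] = inc.status(t0 + timedelta(hours=30))       # stage 2 due until 22 h + 72 h = 94 h
    out["follow_up_hours_left_at_30h"] = (
        inc.next_deadline(t0 + timedelta(hours=30))[2] / timedelta(hours=1))
    out["at_100h"] = inc.status(t0 + timedelta(hours=100))     # stage 2 overdue
    inc.follow_up_sent_at = t0 + timedelta(hours=95)           # sent one hour late
    inc.resolved_at = t0 + timedelta(hours=120)
    out["at_121h"] = inc.status(t0 + timedelta(hours=121))     # final report now due
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The design point is that the second clock is chained to the first: a late early warning does not extend the 72-hour window by the article's reading, it simply starts it later, and a stage whose predecessor has not been completed is reported as blocked rather than silently absent. Feeding `needs_escalation` from a scheduler (with the reporting team's own warning margin) is the minimal automation that turns the legal deadline into an operational alert.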

Schedule

The path to implementing the NIS2 Directive in Germany is a gradual one and is characterized by several stages of development that have been implemented at both European and national level in recent years. The original goal of bringing the NIS2 Implementation Act into force by October 17, 2024 in order to meet the EU deadline no longer seems feasible (as of September 2024). The timetable to date and the next steps are described below.

Earlier stages of the NIS Directive and the IT Security Act

The first NIS Directive was adopted in 2016 and set a deadline of May 2018 for national implementation. Germany responded by introducing the IT Security Act and later expanded the requirements with the IT Security Act 2.0, which came into force in May 2021 and tightened cybersecurity requirements. It laid down stricter security requirements for critical infrastructures and digital services and was a precursor to the implementation of the NIS2 Directive that followed later.

Development of the NIS2 Directive and national steps

The NIS2 Directive (EU 2022/2555) was published in the Official Journal of the European Union in December 2022. This directive provides for a uniform legal framework for cybersecurity across the EU and extends the requirements to a larger number of companies and sectors.

In spring 2023, the Ministry of the Interior presented the first drafts of the NIS2UmsuCG in order to transpose the requirements of the NIS2 Directive into German law. Further rounds of discussion and adjustments to the draft followed over the course of the year, including in July and December 2023. With a discussion paper in September 2023, the Ministry of the Interior continued the dialog with relevant stakeholders in order to clarify open questions regarding the practical implementation and potential impact of the law.

The current status and upcoming milestones

  • Decision in the Federal Cabinet (July 2024): In summer 2024, the draft bill was passed by the Federal Cabinet.
  • 1st passage in the Federal Council (September 2024): On September 27, 2024, the NIS2UmsuCG was submitted to the Federal Council at first reading and adopted. This marks the start of parliamentary deliberations on the law.
  • 1st reading in the Bundestag (Friday, October 11, 2024): The law was dealt with at first reading in the Bundestag and referred to the Committee on Internal Affairs for consultation.

Despite the progress made so far, it is doubtful that the original EU implementation deadline of October 2024 will be met. Various delays in the drafting and coordination of the law make it unlikely that the NIS2UmsuCG will be fully adopted in 2024. The current timetable envisages that the law will not be published in the Federal Law Gazette and thus enter into force until March 2025.

  • 2nd and 3rd readings in the Bundestag (December 2024): The final readings in the Bundestag are scheduled to take place in December 2024. This would allow the law to be passed in the Bundestag before it is submitted to the Bundesrat again for final approval.
  • Passage in the Bundesrat (February 2025): Following the deliberations and readings in the Bundestag, the second round in the Bundesrat is scheduled for February 2025. Here, final adjustments could be made and the law finally confirmed.
  • Entry into force of the law (March 2025): Following publication in the Federal Law Gazette, the NIS2UmsuCG is due to come into force in March 2025. This would make the new cybersecurity requirements binding and repeal the previous BSI Act (BSIG).
  • Legal ordinances (thereafter, 2025): Some specific regulations, for example on reporting procedures and technical standards, are to be specified by statutory instruments. However, these ordinances are still missing and it remains unclear when they will be finalized and enter into force.

While the original deadline for the national implementation of the NIS2 Directive was set for October 2024, the actual adoption of the NIS2UmsuCG is not expected until March 2025 at the earliest. The delays show the challenges involved in transposing complex European directives into national law. Companies and government institutions should prepare for an extended transition phase during which they can already prepare for the new requirements before the law finally comes into force.

Conclusion

The NIS2 Implementation Act represents a significant step forward in enhancing the cybersecurity landscape in Germany and the EU as a whole. Although the law is anticipated to be postponed until March 2025, undertaking preliminary preparations for the forthcoming requirements is already proving advantageous. Organisations that have already implemented established security standards, such as ISO/IEC 27001, will find that the additional effort required to meet the NIS2 requirements is less onerous. Integrating and optimising existing measures will be to their advantage.

The NIS2 directive has two main objectives: to minimise the risk of cyber incidents and to prevent long-term economic damage. By enhancing their cyber security measures, companies can achieve significant cost savings by avoiding operational downtime and financial losses. According to the industry association Bitkom, cybercrime causes billions of euros in damage in Germany every year. The implementation of the NIS2 requirements could potentially avert an estimated loss of up to 3.6 billion euros annually, which clearly demonstrates that investing in cyber security is a profitable long-term strategy.

It is therefore recommended that companies begin adapting to the NIS2 requirements without delay. Implementing robust risk management, adhering to reporting obligations and integrating security-relevant technologies not only ensures compliance with legal requirements but also reinforces customer and partner confidence in the company's resilience. The NIS2 directive is not merely a regulatory instrument; it is a strategic advantage in an increasingly digitalised and networked world.

Links

Directive (EU) 2022/2555 on EUR-Lex:

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32022L2555

Announcement of the German Bundestag (English version not available):

https://www.bundestag.de/dokumente/textarchiv/2024/kw41-de-nis-2-richtlinie-1023076