
Cybersecurity in Germany: Implementation of the NIS2 Directive in Germany

Implementation of the NIS2 Directive in Germany: There are now draft laws on the implementation of the NIS2 Directive in Germany, and a clear line can be seen. In Germany, the NIS2 Directive is implemented by the “Act on the Implementation of the NIS-2 Directive and on the Regulation of Essential Principles of Information Security Management in the Federal Administration”. It is also known as the “NIS-2 Implementation and Cybersecurity Strengthening Act” or “NIS2UmsuCG” for short.

At the heart of it all is the German BSI Act: this law was originally created to regulate the competencies and measures of the Federal Office for Information Security (BSI). However, it is increasingly being transformed into a body of cyber security regulation. This was already foreseeable with the German IT Security Act and was reinforced by the IT Security Act 2.0. IT security in Germany, and in Europe, is thus being raised to a completely new level, and businesses in particular will have to brace themselves.

Note on the current status of the legislative process: The NIS2 Directive must actually be implemented by mid-October. However, draft bills have only been available since May 2024, which already raises doubts as to whether this will happen in time. With this in mind, a paragraph has been added on what delayed implementation means. The article has been updated to the status of the second draft bill (processing status: 24.06.2024).

NIS-2 Implementation and Cybersecurity Strengthening Act: Expansion of the BSI Act

The BSI Act currently runs up to Section 15, although some sections have lettered subsections, so the total number of provisions is slightly higher. It is nevertheless telling that the numbering is to extend beyond Section 60 of the BSIG in future; a law of that scope will inevitably have an impact on everyday practice.

What is the NIS2 directive?

The NIS2 Directive is a European Union initiative aimed at ensuring a high common level of network and information security in all Member States. It is the successor to the first NIS Directive and brings with it significant changes and extensions. The NIS2 Directive focuses in particular on critical sectors and services that are of fundamental importance to society and the economy.

Key points of the German transposition law

The German law implementing the NIS2 Directive emphasizes in particular:

  1. Expanded scope: The law refers to “particularly important facilities” and “important facilities”, including operators of critical facilities and federal government facilities. This means that a larger number of companies and organizations will fall under the new regulations.
  2. Strengthened risk management: Companies are obliged to implement appropriate and effective measures to minimize risks and handle security incidents (Section 30 BSIG-E). This includes the development of risk management plans and the regular review of security measures.
  3. Reporting obligations: There is an extended reporting obligation for security incidents (Section 32 BSIG-E), which ensures that these incidents are reported promptly and processed accordingly.
  4. Registration obligations: Particularly important facilities must register with the Federal Office for Information Security and provide relevant data (Section 33 BSIG-E).

Specialist lawyer for IT law Jens Ferner on the NIS-2 Implementation and Cybersecurity Strengthening Act

Micro-enterprises are (currently) very much privileged; everyone else has to watch out. At the moment, cyber security is often “on the agenda”, but spending on it is still stingy; that could soon come back to bite. And many digital business models will reach their limits under this law. Rightly so.

Categorization of operators

The draft bill contains the following classification:

  • Operator of critical facilities: natural or legal persons or a legally dependent organizational unit of a local authority that exercises decisive influence over a critical facility in designated sectors, taking into account the legal, economic and factual circumstances.
  • Particularly important institutions (Section 28 BSIG-E): Large companies in selected sectors if they belong to a specific type of institution (Annex 1), as well as qualified trust service providers, top-level domain name registries or DNS service providers (regardless of size); also included are medium-sized companies that are providers of telecommunications services (Section 3 No. 44 TKG) or publicly accessible telecommunications networks;
  • Important institutions (§28 BSIG-E): medium-sized companies in certain sectors if they belong to a specific type of institution (Annex 1 or 2), which is probably to be understood broadly, as digital infrastructure, management of ICT services (business-to-business) and providers of digital services are expressly mentioned, among other things.

As always, micro-entrepreneurs and micro-enterprises are privileged. Nevertheless, an expansion of the scope of application can be observed: medium-sized companies within the meaning of the BSIG-E are those with 50 to 249 employees, with turnover as a further criterion. This area in particular will require a very close look, as the scope of application is likely to be expanded considerably.

Impact on affected companies

For companies that fall into the categories of “particularly important facilities” and “important facilities”, this law results in new obligations and challenges:

  1. Increased documentation effort: Companies must comprehensively document compliance with legal requirements. This certainly requires additional resources and processes.
  2. Investing in IT security: Companies will probably have to invest in their IT infrastructure and security systems in order to meet the increased requirements.
  3. Regular reviews and updates: Risk management processes and security systems must be regularly reviewed and updated to ensure that they remain effective and comply with legal requirements.

Systematic overview

Part 3 provides companies with an initial useful overview of classification, duties and tasks. The following is therefore a brief overview for orientation:

  • § 28 Particularly important facilities and important facilities, Definition and categorization: Determines which facilities are considered particularly important and important and which security requirements they must meet.
  • § 29 Institutions of the Federal Administration, Federal Administration: Specifies that the law also applies to institutions of the Federal Administration and that they must implement corresponding security measures.
  • § 30 Risk management measures of particularly important institutions and important institutions, Risk management: Requires that particularly important and important institutions take risk management measures to ensure their information security.
  • § 31 Special requirements for the risk management measures of operators of critical installations, Critical installations: Sets out specific requirements for operators of critical installations in order to protect their particular importance for society.
  • § 32 Reporting obligations, Report security incidents: Obliges facilities to report security incidents to the responsible authorities.
  • § 33 Registration obligation, Registration: Requires certain entities to register with the competent authorities.
  • § 34 Special registration obligation for certain types of facilities, Extended registration: Special registration obligations for specific types of facilities that pose particular risks.
  • § 35 Duty to inform, Duty to inform: Obligates facilities to regularly inform the authorities about security measures and incidents.
  • § 36 Feedback from the Federal Office to reporting facilities, Feedback on reports: The Federal Office provides feedback on the security incidents reported by the facilities.
  • § 37 Exemption notice, Exceptions: Enables the issuing of exemption notices under certain conditions.
  • § 38 Duty of approval, monitoring and training for management of particularly important facilities and important facilities, Training and monitoring: Management is obliged to approve and monitor security measures and ensure appropriate training.
  • § 39 Obligation to provide evidence for operators of critical installations, Proof: Operators of critical installations must provide evidence of compliance with the security requirements.
  • § 40 National liaison office and central reporting and contact point for particularly important and important facilities, Central contact point: Establishes a national liaison office for the communication and coordination of security issues.
  • § 41 Prohibition of the use of critical components, Prohibition of critical components: Enables the prohibition of the use of ICT components that are considered unsafe.
  • § 42 Request for information, Duty to provide information: Obliges institutions to provide information to the authorities on request.

Minimum security to be provided

According to §30 of the NIS-2 Implementation and Cyber Security Strengthening Act (which implements Article 21 of the NIS2 Directive), particularly important institutions and important institutions must take various measures to minimize information security risks. These measures are aimed at protecting the confidentiality, integrity and availability of their data and systems. The intensity of the measures to be taken is graded according to the type of facility.

Risk management measures initially include identifying potential threats and vulnerabilities in your own IT systems and processes. This can be done through regular security checks and vulnerability analyses. Suitable security precautions must then be taken to eliminate these vulnerabilities and ward off threats. These include technical measures such as the implementation of firewalls, antivirus software and encryption techniques as well as organizational measures such as security guidelines and training for employees.

| Area | NIS2UmsuCG | NIS2 Directive | ISO/IEC 27001 |
| --- | --- | --- | --- |
| Risk management | Section 30 (1): Appropriate, proportionate and effective technical and organizational measures. | Article 21(2)(a): Risk analysis and security policies for information systems and networks. | Section 6.1: Measures for dealing with risks and opportunities. |
| Handling security incidents | Section 30 (2) no. 2: Measures to deal with security incidents. | Article 21(2)(b): Arrangements for the prevention and management of security incidents. | Section 16: Management of information security incidents. |
| Continuity of operations and crisis management | Section 30 (2) no. 3: Maintenance of operations, backup management and crisis management. | Article 21(2)(c): Continuity plans and procedures for crisis management. | Section 17: Information security aspects of business continuity management. |
| Supply chain security | Section 30 (2) no. 4: Security measures for the supply chain, including security-related aspects of relationships. | Article 21(5): Measures for supply chain security. | Section A.15: Supplier relationships. |
| Training and awareness | Section 38 (3): Regular training for management and all employees; Section 30 (2) no. 7: Basic cyber hygiene procedures and training in information technology security. | Article 21(2)(e): Training and awareness-raising of employees. | Section 7.2.2: Awareness, training and competence. |
| Technical and organizational measures | Section 30 (1): Take appropriate, proportionate and effective technical and organizational measures to prevent disruptions. | Article 21(2): Measures to prevent and mitigate security incidents. | Section 6.2: Information security objectives and planning to achieve them. |
| Cryptography and encryption | Section 30 (2) no. 8: Concepts and procedures for the use of cryptography and encryption. | Not explicitly mentioned. | Section A.10: Cryptographic measures. |
| Attack detection | Section 31 (2): Use of attack detection systems. | Not explicitly mentioned. | Section A.12: Operations security (including monitoring measures). |
| Multi-factor authentication | Section 30 (2) no. 10: Use of multi-factor authentication or continuous authentication solutions. | Not explicitly mentioned. | Section A.9: Access control. |
| Personnel security | Section 30 (2) no. 9: Security of personnel, concepts for access control and for the management of facilities. | Not explicitly mentioned. | Section A.7: Personnel security. |

Another important point is the continuous monitoring of IT systems in order to detect and respond to unusual activities at an early stage. This includes setting up a system for detecting attacks and defining emergency plans in order to be able to act quickly and effectively in the event of a security incident. In addition, the facilities concerned are obliged to submit regular reports on their security measures and any incidents to the relevant authorities. This ensures that security measures are always up to date and can be adapted if necessary:

  1. Concepts for risk analysis and IT security: Every institution must develop detailed concepts that describe how risks to IT security are identified and analyzed. This includes the assessment of threats and vulnerabilities as well as the definition of measures to minimize risks.
  2. Security incident response: Clear procedures and strategies must be in place to respond to security incidents. This includes incident detection, immediate response and mitigation measures.
  3. Maintaining operations: Institutions must ensure that their services can continue to operate even in the event of an IT security incident. This includes measures such as backup management and disaster recovery to minimize data loss and downtime.
  4. Supply chain security: Measures must be taken to ensure the security of the entire supply chain. This includes contractual agreements with suppliers and service providers, which must also meet high security standards.
  5. Security measures during acquisition, development and maintenance: Security aspects must be taken into account during the acquisition, development and maintenance of IT systems. This also includes the management and disclosure of vulnerabilities in order to identify and close security gaps at an early stage.
  6. Evaluation of the effectiveness of security measures: Regular reviews and evaluations of existing security measures must be carried out to ensure and continuously improve their effectiveness.
  7. Basic cyber hygiene and training: Basic cyber hygiene procedures, such as regular software updates (patch management) and secure password practices, need to be implemented. Training for employees is also required to raise awareness of IT security.
  8. Concepts and procedures for cryptography and encryption: The use of cryptography and encryption must be regulated in order to protect the confidentiality and integrity of data.
  9. Personnel security and access control: Concepts must be developed for personnel security and for controlling access to IT systems and facilities. This also includes measures to protect against insider threats.
  10. Multi-factor authentication and secure communication: Multi-factor authentication or continuous authentication solutions must be used. In addition, secure communication systems for voice, video and text must be in place within the facility to ensure the security of internal communications.

Cybersecurity and NIS2: Management liability

Liability of the management

Firstly, Section 38 (1) BSIG-E stipulates that directors of particularly important institutions and important companies are obliged to approve the risk management measures taken by these institutions (see above, Section 30) in the area of cyber security and to monitor their implementation. Even if auxiliary persons are involved, the management body remains ultimately responsible. Managing directors who violate their duties in this respect are liable to the institution for the damage incurred, cf. section 38 para. 2 BSIG-E. According to the explanatory memorandum to the law, damage includes both recourse claims and fines!

The second paragraph is, and remains, the interesting one: up to the second version of the draft bill, a “sharp formulation” was envisaged here, under which a waiver of compensation claims by the institution was just as ineffective as a blanket settlement of such claims by the institution. This meant that any breach of duty would lead directly to personal liability of the managing director that could be neither waived nor settled. With the second draft bill (status: 24.06.2024), this is a thing of the past. The provision now reads:

Management boards that breach their duties under paragraph 1 shall be liable to their institution for culpably caused damage in accordance with the rules of company law applicable to the legal form of the institution. Under this Act, they shall only be liable if the provisions of company law applicable to the institution do not contain a liability provision pursuant to sentence 1.

The traditional rules now apply, although the last sentence is incomprehensible to me, as the transposition law does stipulate obligations for management boards – but no liability rules. The explanatory memorandum to the draft does not elaborate on this either, leaving me somewhat puzzled at the moment. However, as I have already explained with regard to the existing legal situation, there is already a liability situation. And even if, at first glance, waivers and settlements are now possible again, problems arise here too – because if economically incomprehensible settlements are made to the detriment of the company, there is a possibility of criminal liability.

The decision simply to no longer regulate liability, which was initially extended excessively, will have bitter repercussions; consulting costs will explode because of the inadequate wording. It is true that settlements between the company and its management over damages are possible. However, as nothing has been regulated, it must be examined in each individual case to what extent a settlement or waiver is conceivable without risking criminal liability. The reference to liability under the BSIG for companies not otherwise regulated is also highly misleading: in the end, every company management will be liable if it fails to meet its obligations under the BSIG and thereby causes damage.

In the end, it is annoying that the ministry has caved in so completely to the trade associations: if no means of coercion are established, cyber security in this country will continue to develop as before, even with the NIS2 Implementation Act: sluggishly.

Management control

If a management does not comply with the orders of the Federal Office for Information Security (BSI), the BSI has various measures at its disposal to ensure compliance with security requirements.

First of all, the BSI, in consultation with the competent supervisory authority, can issue binding instructions to remedy security deficiencies or prevent incidents. These instructions must be implemented by the affected organization within a set deadline. If there is imminent danger, the BSI can also order such measures without prior consultation with the supervisory authority.

If a company management fails to comply with these instructions, the BSI can inform the responsible supervisory authority. The latter then has the option of taking more drastic measures, which are also a novelty in this form:

  1. Suspension of services: The supervisory authority may temporarily suspend the authorization for certain or all services of the institution concerned.
  2. Prohibition of management duties (now §63 VI): The supervisory authority may prohibit natural persons who are in managerial positions, such as management or board members, from performing their duties.
  3. The previously planned appointment of a “monitoring officer” (Section 64 (9) BSI-G E3) has now disappeared from the draft bill.

These measures then remain in force until the institution concerned has complied with the BSI’s instructions and implemented the corresponding security measures.

Liability for IT security

Business management without data protection and cyber security does not work – period. Not yet, but in the near future, it will become existentially expensive for managing directors and board members who fail to perform their duties adequately, and personally so. Liability may already arise today.

Domain data

Sections 51 et seq. BSIG-E introduce something new, at least in this form: a new “treasure trove of data” for investigators. In order to contribute to the security, stability and robustness of the Domain Name System, top-level domain name registries and domain name registry service providers are obliged to collect accurate and complete registration data on domain names in their own database.

This database contains the information required to identify and contact the holders of the domain names and the contact points that manage the domain names within the TLD. According to the law, these are at least name, e-mail address and telephone number, but not yet a postal address.

Documentation requirements with the NIS2 implementation

Documentation obligations and the resulting consequences are intended to ensure that companies proactively improve cyber security and react effectively and transparently in the event of security incidents. At the same time, it is of course an effective way for the supervisory authority to check what has been implemented by means of simple inspections.

Companies that do not comply with their documentation obligations can be subject to substantial fines. The amount of the fines depends on the severity of the breach and can be severe. In the case of serious violations, the BSI can also – as described above – suspend the approval for certain or all of a company’s services. This can go as far as prohibiting responsible persons from performing management tasks. In extreme cases, companies may even lose their operating license if they repeatedly violate documentation obligations and fail to implement the required security measures. Finally, management is personally responsible for implementing and monitoring security measures. Insufficient documentation can lead to liability claims against the management (see above).

Risk management

Companies must document measures to minimize risk, including the performance of risk analyses and the implementation of IT security concepts. This also includes measures to maintain operations and crisis management.

Security incidents

Companies are obliged to document security incidents, record the responses taken and the lessons learned. This also includes communication with the relevant authorities.

Reporting obligations

All incidents that could affect information security must be documented and reported. The documentation must be detailed and contain all relevant information about the incident.

Registration and proof

Companies must regularly review and document their security measures and their effectiveness. This evidence must be presented to the competent authorities on request.

Employee training

Companies are obliged to carry out and document information security training. This includes regularly sensitizing employees to risks such as phishing and social engineering.

Security of the supply chain

Contracts and agreements with suppliers and service providers must be documented to ensure that they also comply with high security standards.

What does a delayed implementation of the NIS2 Directive mean?

If the NIS 2 Directive (EU) 2022/2555 is not transposed into German national law in time, this will have several legal consequences. Even then, direct applicability to companies is expressly out of the question! If you sometimes read otherwise, this is due to a misunderstanding: Where an EU directive obliges the state or its authorities to do something, this can nevertheless have an effect if it is not transposed into national law. However, this does not apply to the economy and citizens.

Furthermore, the European Commission (EU Commission) would initiate infringement proceedings against the Federal Republic of Germany. Such proceedings take place in several stages:

Infringement proceedings

  1. Letter of formal notice: The EU Commission sends a letter of formal notice to Germany in which the Commission points out the infringement and sets a deadline for remedying the deficiencies.
  2. Reasoned opinion: If Germany does not act within the set deadline, a reasoned opinion follows. This formal request sets out in detail how the EU Commission views the infringement and sets a new deadline for rectification.
  3. Complaint decision and filing of action: If Germany continues to fail to respond, the EU Commission may decide to file a complaint and refer the matter to the European Court of Justice (ECJ). At the same time, the Commission can request that financial sanctions be imposed on Germany.

But: most infringement proceedings are discontinued before being referred to the ECJ. In 2022, around 96% of all proceedings across Europe were discontinued before being referred to the Court of Justice.

Possible sanctions?

In the event of continued failure to implement the directive, the ECJ can impose financial sanctions on Germany at the request of the Commission. These sanctions may include both a one-off fine and periodic penalty payments for each day of non-implementation.
Conclusion

It was too long overdue, and now it’s coming: for decades, the costs of “digitalization” in Germany have been glossed over by inappropriate stinginess when it comes to IT security and data protection.

The latter has already been tackled by the GDPR, albeit half-heartedly enforced in practice – now cyber security is being added. Personal liability will lead to a rethink on the part of many, as well as a massive increase in the costs of traditional digital solutions. Managing directors and board members are running out of time: the law will continue to take time, but so will its implementation in companies. In summary, affected companies should be prepared for this:

  1. Duty to provide information:
    • Proof of compliance with a minimum level of IT security: Section 34 in conjunction with Sections 28 and 30 BSIG-E
    • Reporting of significant security incidents: Section 31 in conjunction with Section 28 BSIG-E
  2. Risk management measures:
    • Appropriate, proportionate and effective technical and organizational measures to prevent disruptions and minimize the impact of security incidents must be taken – and documented: Section 30 (1) and (2) BSIG-E
  3. Duty of approval, monitoring and training for management:
    • Management boards are obliged to approve the risk management measures and monitor their implementation: Section 38 BSIG-E
  4. Special requirements for operators of critical systems:
    • Use of systems for attack detection: Section 31 (2) BSIG-E
  5. Reporting obligations:
    • Obligation to report security incidents: Section 32 BSIG-E
  6. Registration requirement:
    • Special registration obligation for certain types of facilities: Section 34 BSIG-E
  7. Instruction obligations:
    • In the event of a significant security incident, the Federal Office may issue instructions to inform the recipients of its services about the incident: Section 35 BSIG-E
  8. Supervisory and enforcement measures:
    • The Federal Office may order audits, inspections or certifications to verify compliance with the requirements: Section 64 BSIG-E

German Lawyer at Law Firm Ferner Alsdorf
I am a specialist lawyer for criminal law + specialist lawyer for IT law and dedicate myself professionally entirely to criminal defence and IT law, especially software law. Before becoming a lawyer, I was a software developer. I am an author in a renowned commentary on the German Code of Criminal Procedure (StPO) as well as in professional journals.

Our law firm specialises in criminal defence, white-collar crime and IT law / technology law. Note our activity in digital evidence in IT security and software law.
German Lawyer Jens Ferner (Criminal Defense & IT-Law)